This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Automate wireshark capture

1

Hi Experts,

I am new to Wireshark. I want to capture all the network traffic on one of our Windows servers. I wrote the following command in the terminal:

c:\Program Files\Wireshark>tshark -i 1 -a duration:3600 -w c:\WiresharkCapture\test

It works perfectly fine, except I have 2 questions:

  1. I want to capture all the traffic between 6am-7am. Is there a way I can schedule the task to automatically execute this command between 6am-7am?
  2. The file gets overwritten every time I execute this command. Can I save the file in the format testDDMMYYYY, so that I can keep a history?

Thanks in advance..

asked 11 Sep '12, 19:59


ravi007
accept rate: 0%

OK.. I figured out how to automate this process, but I still don't know how to save files in DDMMYYYY format..

Can anyone please help?

Many Thanks...

(11 Sep '12, 22:24) ravi007

2 Answers:

5

I'm assuming you're on Windows (based on the path C:\Program Files\Wireshark). This isn't really a Wireshark question, it's a Windows command line question. The following works for me on Windows Vista:

tshark -i 1 -a duration:3600 -w C:\WiresharkCapture\test%date:~7,2%%date:~4,2%%date:~10,4%.pcap

This command was executed on September 12, 2012 and the filename was "test12092012.pcap".

This syntax is dependent on your locale and exactly how the date is displayed on your system, so you might have to tinker with it a bit. If this doesn't work for you, Google on "windows date filename" and you'll get dozens of results showing various commands for including the date in a file name from the command prompt. On my computer, the output of the 'date' command is displayed as "Wed 09/12/2012".

You could also use Wireshark's ring buffer option, but stop after a single file with something like this:

tshark -i 1 -a duration:3600 -b duration:3600 -w C:\WiresharkCapture\test.pcap

A ring buffer normally writes multiple files, but by setting the autostop (-a) option duration to the same value as the ring buffer (-b) option duration, tshark will only write one file, which is what your command above does. (However, an hour can be a long time to capture on a busy network, so you might want to consider using a ring buffer option that writes multiple files over the one-hour period.)

This will include the date and time in the filename, but will not give you any control over how the name is formatted. I ended up with a file named test_00001_20120912001856.pcap when I executed the command at 00:18:56 on September 12th, 2012.

answered 12 Sep '12, 00:39


Jim Aragon
accept rate: 24%

Hi Jim,

Thanks for the information.. That was really helpful.. I am using Windows Server 2008 and the following command worked for me..

tshark -i 1 -a duration:3600 -w c:\WiresharkCapture\test%date:~4,2%%date:~7,2%%date:~10,4%.pcap

It's all good now..

Thanks again...

(12 Sep '12, 17:53) ravi007

Ravi007,

You said you were able to figure out how to automate this process. Can you provide that solution?

Thanks

(21 Jul '16, 10:48) mand009
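Jim's answer notes that the %date% substring trick depends on the locale's date layout, and mand009 asks how the 6am run was scheduled. The script below is an added example (not code from the original thread or from the Wireshark project): it builds the ddMMyyyy stamp with Get-Date so it works on any locale, refuses to silently overwrite an earlier capture from the same day, and shows in a comment the schtasks command that would start it daily at 06:00. The script path C:\WiresharkCapture\capture.ps1, the task name and the interface number 1 are assumptions.

```powershell
# capture.ps1  (assumed location: C:\WiresharkCapture\capture.ps1)
# Added example: one-hour tshark capture with a locale-independent ddMMyyyy filename.

$tshark = 'C:\Program Files\Wireshark\tshark.exe'   # default install path from the question
$outDir = 'C:\WiresharkCapture'
$iface  = 1                                          # interface index, as in the question (check with: tshark -D)

# Get-Date -Format gives the same digits regardless of how %date% is displayed on this machine.
$stamp   = Get-Date -Format 'ddMMyyyy'               # e.g. 12092012
$outFile = Join-Path $outDir ("test{0}.pcap" -f $stamp)

if (-not (Test-Path $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Keep history: if a file for today already exists, add a run counter instead of overwriting it.
$run = 1
while (Test-Path $outFile) {
    $outFile = Join-Path $outDir ("test{0}_{1:D2}.pcap" -f $stamp, $run)
    $run++
}

# -a duration:3600 stops the capture after one hour (same autostop option as the question).
& $tshark -i $iface -a duration:3600 -w $outFile
if ($LASTEXITCODE -ne 0) {
    Write-Error "tshark exited with code $LASTEXITCODE"
}

# One-time scheduling (run once from an elevated prompt; task name is an assumption).
# Starts the script every day at 06:00; the -a duration:3600 above ends it at 07:00.
#   schtasks /Create /SC DAILY /ST 06:00 /TN "WiresharkCapture0600" /RU SYSTEM `
#     /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\WiresharkCapture\capture.ps1"
```

The task runs as SYSTEM because the capture driver requires elevated rights; since the resulting .pcap files hold full packet payloads, restrict the NTFS permissions on C:\WiresharkCapture to the administrators who need them and consider Jim's -b duration option if a single one-hour file would grow too large on a busy server.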

0

How do I capture all files captured? I only get the last file which is being captured for exporting. I don't get all the captured files to export.

answered 11 Jun '13, 23:17


nikhil
accept rate: 0%