I want to capture everything from a mirrored port to my router. I want to be able to get captures in one hour increments continuously for four days, then start wrapping these captures so the hard drive does not fill up. Is there a way to leave Wireshark running, then "cut pcaps" every hour, then start wrapping these files after four days? asked 03 Jan '11, 07:48 georgeshark
4 Answers:
A command I use very often is:
This command will capture from interface eth0 to a ring buffer of 1024 files of 16MB size. The filenames will be file_NNNNN_YYYYMMDDHHMMSS.cap. After the 1024th file has been written, the 1st will be deleted and the 1025th will be created. Of course you can change the parameters to your liking. If you do want one-hour files for 4 days, you can use:
Of course you have no guarantee that your drive won't fill up, as you don't know how much data will be in each hour. answered 03 Jan '11, 12:49 SYN-bit ♦♦
In Wireshark, if you go to the Capture Options before starting your capture, you can do what you need. Simply specify a folder and filename (which becomes the prefix for subsequent captures), check Use Multiple Files. Then check the box and fill in Next File Every "1 hour", and check and fill in Ring Buffer with "96" files. Note however that Wireshark will attempt to dissect the traffic it captures and consumes memory doing so. So as has been pointed out by Sake and Bill, dumpcap is probably the best for continuous logging, as it does a raw capture and doesn't need to do any dissecting to build up state and consume memory. answered 03 Jan '11, 19:16 martyvis
For continuous capturing, use dumpcap (the program used by Wireshark and tshark to do the actual capture). Also: see 'dumpcap -h' (or the dumpcap man page) for info on how to limit capture files to one hour and how to wrap the files after "n" files. answered 03 Jan '11, 07:56 Bill Meier ♦♦
Thanks all, these are great ways to do this. answered 04 Jan '11, 05:38 georgeshark
I am using this: dumpcap -i 2 -w file.cap -b duration:3600 -b files:96 and it works great. This is saving everything to the files.
Since I am using VoIP on the machine, is there a way to exclude RTP traffic from the file? I want to 'see' everything else, just not the RTP.
I tried using tshark with a !(rtp) filter but, with -R, you can't save it to a file AND exclude traffic. Can I do it using dumpcap?
Thanks again
(I converted your answer to a comment to preserve the logical order of messages)
No, you can't use display filters with dumpcap as it does not do any dissection of packets. You can however use capture filters. So if you can make a capture filter that filters out RTP, then you're in business.
Does your VoIP traffic use specific IP addresses you could exclude? Or maybe it is in a separate VLAN and you are capturing traffic on a tagged interface?
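Putting the two threads of advice together (SYN-bit's ring-buffer invocation and the "no display filters, only capture filters" point about RTP), here is an added example wrapper, not code from anyone in this thread. It assumes dumpcap's standard options (-i, -w, -f, and the -b duration:/filesize:/files: criteria, where a new file is started as soon as any one criterion is met); the interface name, output prefix, 4 GB disk budget and the VoIP host addresses are constructed placeholders. Because dumpcap cannot recognise RTP, the exclusion is expressed as a BPF "not (host ...)" filter over the phones' addresses, which is the approach suggested in the last comment.

```shell
#!/bin/sh
# Added example (not from the original thread): build a dumpcap command that
# rotates hourly, keeps a fixed number of files, AND caps each file's size so
# the total on disk can never exceed a chosen budget.

# Kilobytes per file so that FILES files together stay within BUDGET_MB.
# Passed to "-b filesize:", so even a very busy hour cannot fill the disk.
ring_filesize_kb() {
    budget_mb=$1
    files=$2
    echo $(( budget_mb * 1024 / files ))
}

# Build a BPF capture filter that drops traffic to/from the given hosts
# (space-separated). dumpcap has no dissector, so "!rtp" is impossible here;
# excluding the phones' addresses is the workable substitute.
build_capture_filter() {
    hosts=$1
    filter=""
    for h in $hosts; do
        if [ -z "$filter" ]; then
            filter="host $h"
        else
            filter="$filter or host $h"
        fi
    done
    [ -n "$filter" ] && filter="not ($filter)"
    echo "$filter"
}

# Assemble the full dumpcap command line (printed, not executed, so the
# reader can review it first).
dumpcap_cmd() {
    iface=$1
    prefix=$2
    files=$3
    budget_mb=$4
    filter=$5
    kb=$(ring_filesize_kb "$budget_mb" "$files")
    cmd="dumpcap -i $iface -w $prefix -b duration:3600 -b filesize:$kb -b files:$files"
    [ -n "$filter" ] && cmd="$cmd -f '$filter'"
    echo "$cmd"
}

# Constructed sample values: eth0, a /cap prefix, 96 hourly files (4 days),
# a 4096 MB budget and two hypothetical VoIP phone addresses.
VOIP_HOSTS="192.0.2.10 192.0.2.11"
dumpcap_cmd eth0 /cap/file.cap 96 4096 "$(build_capture_filter "$VOIP_HOSTS")"
```

Running the script prints the command; copy it into a shell (or wrap the final line in eval) to start capturing. Note that if the phones sit on a tagged VLAN, plain "host" primitives will not match 802.1Q frames; the "vlan" primitive must precede them in the filter, and it shifts the offsets for everything after it, so test such a filter on a short capture before leaving it running for four days.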