I have a need to set up a capture for 24 hours, and what I am interested in keeping is just the information in the Statistics | Conversations | TCP or UDP tabs; I am just interested in what IPs are talking to each other and what ports were used. There will be a lot of data if I try to keep all of the packets. Is there a way to just have the capture running, retain the conversation information, and not save the data?

asked 21 Mar '13, 11:56 Richter
2 Answers:
Wireshark and tshark keep state information in memory and are not the best tools for monitoring long-term, especially if you are only interested in conversation statistics. Have a look at ntop, which does exactly what you want :-)

answered 21 Mar '13, 13:05 SYN-bit ♦♦
Tshark [a command-line equivalent of Wireshark] might be one of the solutions. With that you can give the duration of the capture. You can set the capture filter for tcp || udp. You can retrieve the fields you want at the end by using the -T fields option.

answered 21 Mar '13, 11:58 krishnayeddula, edited 21 Mar '13, 12:07
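One way to act on the tshark suggestion above without keeping any packets is to stream per-packet fields out of tshark and fold them into a small conversation table in a separate process, so only the counters live in memory. The script below is an added example written for this thread, not code from either answer or from the Wireshark project. It assumes tshark is invoked roughly as shown in the docstring (the interface name eth0 and the script name conv_agg.py are placeholders); -a duration:86400, -f "tcp or udp", -l (line-buffered output) and -T fields with -E separator=, are all standard tshark options. The sample lines in SAMPLE are constructed, not captured traffic.

```python
#!/usr/bin/env python3
"""Aggregate TCP/UDP conversations from tshark's per-packet field output.

Added example for the forum thread (not the thread's own code). Assumed
tshark invocation (interface and script name are placeholders):

    tshark -i eth0 -a duration:86400 -f "tcp or udp" -l -T fields \
        -E separator=, -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
        -e udp.srcport -e udp.dstport -e frame.len | python3 conv_agg.py

Each line is folded into a per-conversation counter and then discarded,
so the only thing retained for the whole 24-hour run is the small table
of endpoint pairs, frame counts and byte counts.
"""
import sys
from collections import defaultdict


def parse_line(line):
    """Parse one comma-separated tshark field line.

    Returns (proto, endpoint_a, endpoint_b, frame_len) with the two
    endpoints ordered canonically, or None for lines that are not a
    well-formed TCP/UDP record.
    """
    parts = line.rstrip("\n").split(",")
    if len(parts) != 7:
        return None
    src, dst, tcp_sp, tcp_dp, udp_sp, udp_dp, frame_len = parts
    if tcp_sp and tcp_dp:
        proto, sp, dp = "TCP", tcp_sp, tcp_dp
    elif udp_sp and udp_dp:
        proto, sp, dp = "UDP", udp_sp, udp_dp
    else:
        return None  # neither a TCP nor a UDP packet
    try:
        a = (src, int(sp))
        b = (dst, int(dp))
        length = int(frame_len)
    except ValueError:
        return None
    # Sort the endpoints so both directions map onto one conversation,
    # matching how Wireshark's Conversations tab pairs A <-> B.
    if a > b:
        a, b = b, a
    return proto, a, b, length


def aggregate(lines):
    """Fold an iterable of tshark field lines into {key: [frames, bytes]}."""
    table = defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proto, a, b, length = rec
        entry = table[(proto, a, b)]
        entry[0] += 1
        entry[1] += length
    return dict(table)


def format_table(table):
    """Render the table largest-conversation-first, one line per pair."""
    rows = []
    ordered = sorted(table.items(), key=lambda kv: -kv[1][1])
    for (proto, a, b), (frames, nbytes) in ordered:
        rows.append(f"{proto} {a[0]}:{a[1]} <-> {b[0]}:{b[1]} "
                    f"frames={frames} bytes={nbytes}")
    return "\n".join(rows)


# Constructed sample in the assumed field order: ip.src, ip.dst,
# tcp.srcport, tcp.dstport, udp.srcport, udp.dstport, frame.len.
SAMPLE = [
    "10.0.0.5,93.184.216.34,51234,443,,,74",
    "93.184.216.34,10.0.0.5,443,51234,,,1514",
    "10.0.0.5,10.0.0.1,,,58000,53,80",
    "10.0.0.1,10.0.0.5,,,53,58000,120",
    "10.0.0.5,93.184.216.34,51234,443,,,60",
    "not,a,valid,line",
]

if __name__ == "__main__":
    # Read from the tshark pipe when one is attached; otherwise demo on SAMPLE.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print(format_table(aggregate(source)))
```

Run with the pipeline from the docstring and the script prints the conversation table when tshark exits after the 24 hours. Note that tshark's own `-q -z conv,tcp -z conv,udp` produces the same kind of table at the end of the run, but then the table is held inside tshark for the duration; with the pipe, tshark emits one line per packet and the aggregator is the only thing that grows, and it grows with the number of distinct endpoint pairs rather than with packets.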