This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture retaining only conversation data

0

I have a need to set up a capture for 24 hours, and what I am interested in keeping is just the information in the Statistics | Conversations | TCP or UDP tabs. I am just interested in what IPs are talking to each other and what ports were used. There will be a lot of data if I try to keep all of the packets. Is there a way to just have the capture running, retain the conversation information, and not save the data?

asked 21 Mar '13, 11:56

Richter


2 Answers:

2

Wireshark and tshark keep state information in memory and are not the best tools for monitoring long-term, especially if you are only interested in conversation statistics.

Have a look at ntop, which does exactly what you want :-)

answered 21 Mar '13, 13:05

SYN-bit ♦♦

0

Tshark (a command-line equivalent of Wireshark) might be one of the solutions. With it you can give the duration of the capture. You can set the capture filter for tcp || udp. You can retrieve the fields you want at the end by using the -T fields option.

answered 21 Mar '13, 11:58

krishnayeddula

edited 21 Mar '13, 12:07
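
The tshark approach from the answer above, written out as an added example that is not part of the original posts: capture for a fixed duration with a capture filter, print only address and port fields, and reduce them to one line per conversation without writing packets to disk. The helper names `capture_fields` and `summarize_conversations`, the comma separator, and the interface argument are assumptions, and only IPv4 is handled.

```shell
#!/usr/bin/env bash
# Added example: helper names and the sample usage are assumptions.

# Print one CSV line per packet: src IP, dst IP, TCP ports, UDP ports.
# -a duration:N stops the capture after N seconds; -f is the capture filter;
# -E occurrence=f keeps only the first value when a field repeats (tunnels).
capture_fields() {
    local iface="$1" seconds="$2"
    tshark -n -l -i "$iface" -a "duration:${seconds}" -f "tcp or udp" \
        -T fields -E separator=, -E occurrence=f \
        -e ip.src -e ip.dst \
        -e tcp.srcport -e tcp.dstport \
        -e udp.srcport -e udp.dstport
}

# Read those CSV lines on stdin and print "proto endpointA endpointB packets".
# Both directions of a flow are folded into one conversation by ordering
# the two ip:port endpoints as strings.
summarize_conversations() {
    awk -F, '
        $1 == "" || $2 == "" { next }   # no IPv4 addresses on this packet
        {
            if ($3 != "")      { proto = "tcp"; sp = $3; dp = $4 }
            else if ($5 != "") { proto = "udp"; sp = $5; dp = $6 }
            else next
            a = $1 ":" sp; b = $2 ":" dp
            if (a > b) { t = a; a = b; b = t }
            count[proto " " a " " b]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Usage: ./conversations.sh <interface> <seconds>   e.g. eth0 86400 for 24 hours
if [ "$#" -ge 2 ]; then
    capture_fields "$1" "$2" | summarize_conversations
fi
```

Only the per-conversation counters are kept by the awk stage, but tshark itself still holds state in memory for the whole run, as the first answer points out.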