I'm looking for a feature to trigger a capture from either tcpdump or tshark. I have a setup where a capture easily could take up gigabytes. So what I need is some kind of trigger which would cause a capture to start when, e.g., a SIP INVITE to a certain URI is detected, and then capture the next 100M. Is this somehow possible?
asked 31 Jan '11, 16:02 Kjeld Flarup
One Answer:
As far as I know that has been on the wish list of features for quite some time now, but it doesn't exist in Wireshark yet. You could go for setting up a ring-buffered capture that overwrites older trace files. If you set the buffer large enough, you might be able to capture what you want and have enough time to find out about it without overloading your disk. Finding the SIP INVITE in tons of trace data isn't that hard using tshark, using the
answered 31 Jan '11, 16:52 Jasper ♦♦
Thanks Jasper.
Although I cannot use the ring buffer either, you gave me an idea to emulate this. Currently I have put a packet limit on the tcpdump, and when that is exceeded I restart it with a new file name.
I could of course run a filter when it restarts to check if I got my data, and delete the old file if it is not usable.
(I changed your answer to a comment to adhere to the Q&A style of this website)
You can also use the "-C <size>" option of tcpdump; it will create a new file after each <size> million bytes. You can then run a cleaning script that deletes all files but the latest <x> ones. That will create a "ring buffer" of X*size MB :-)
(let's call it a "poor man's dumpcap ring buffer" :-))
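The "poor man's ring buffer" from the comments above, written out as an added example (not code from the thread or from tcpdump/Wireshark): tcpdump rolls files with -C, a pruning function keeps only the newest files, and a tshark check looks for the INVITE. The interface, file prefix, retention count and the request URI are assumptions; the tshark fields sip.Method and sip.r-uri are standard display-filter fields.

```shell
#!/bin/sh
# Added example: emulate a capture ring buffer with "tcpdump -C" plus a
# pruning function. Assumed naming: tcpdump -C -w /var/tmp/cap/sip.pcap
# produces sip.pcap, sip.pcap1, sip.pcap2, ... (tcpdump's own suffix scheme).

# Keep only the newest $2 files whose names start with $1 (prefix with full
# path). Ordering is by modification time, so the file tcpdump is currently
# writing (the newest) is always kept.
prune_captures() {
    prefix=$1
    keep=$2
    # ls -t lists newest first; every entry after the first $keep is deleted.
    ls -t "$prefix"* 2>/dev/null | tail -n +"$((keep + 1))" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Number of capture files currently on disk for a prefix.
count_captures() {
    ls "$1"* 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 if the capture file holds a SIP INVITE whose request URI
# contains $2 (placeholder, e.g. "sip:alice@example.com").
has_invite() {
    tshark -r "$1" -Y "sip.Method == \"INVITE\" && sip.r-uri contains \"$2\"" 2>/dev/null \
        | head -n 1 | grep -q .
}

# Capture loop: tcpdump starts a new file every 100 million bytes (-C 100);
# pruning runs every 30 s so at most keep*100 MB stays on disk. Files that
# contain the wanted INVITE are copied aside before they can be pruned.
start_ring_capture() {
    iface=$1; prefix=$2; keep=$3; uri=$4
    tcpdump -i "$iface" -C 100 -w "$prefix" 'port 5060' &
    tcpdump_pid=$!
    while kill -0 "$tcpdump_pid" 2>/dev/null; do
        sleep 30
        for f in "$prefix"*; do
            [ -f "$f" ] && has_invite "$f" "$uri" && cp -n -- "$f" "$f.keep"
        done
        prune_captures "$prefix" "$keep"
    done
}
```

Run as start_ring_capture eth0 /var/tmp/cap/sip.pcap 5 "sip:alice@example.com" (constructed values); the .keep copies are outside the prune glob ordering only by being newer, so move them elsewhere if they must survive indefinitely.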