This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

monitor 24/7 but retain only 15 minutes?

I need to investigate a problem I am having with my phone system. However the problem cannot be reproduced intentionally so I there is no way that I can plan ahead to capture traffic.

Is it possible to leave wireshark on 24/7 but only keep a specified amount of transactions, or say even like 20 minutes of data? This way when the problem does occur again, I will have a capture of hopefully, of what's going down.

Thanks Robbie

voip

asked 20 May '13, 11:36

RobbieRobski
11●2●2●4
accept rate: 0%

2 Answers:

Yes, you can use dumpcap with a ring buffer of files.

dumpcap -ni 1 -w c:\temp\phone_problem.pcap -b duration:1200 -b files:5

This will create a new capture file every 20 minutes (1200 Seconds). It will rotate the capture files, keeping only the latest five. For more help, see dumpcap -h. Please replace the interface number with whatever is appropriate on your system. The following command will show you the interfaces.

dumpcap -D -M

BTW: You cannot do this with Wireshark for a long time, as it's memory consumption will constantly grow (accumulation of internal data structures), which is not the case with dumpcap.

Regards
Kurt

answered 20 May '13, 11:43

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 20 May '13, 12:08

Thanks!! I really hope the problem occurs during these logs so I can squash this problem once and for all.

(21 May '13, 15:56) RobbieRobski

So far no luck with my pbx vendor, they're passing the buck to phone hardware. I just got a nibble from a cisco employee via forum post for me to send the logs so hopefully this will get solved!

(03 Jun '13, 15:16) RobbieRobski

0	I hope wireshark ring buffer feature will be your savior/. answered 20 May '13, 11:42 krishnayeddula 629●35●41●48 accept rate: 6% also see http://ask.wireshark.org/questions/14745/long-term-capture (20 May '13, 11:47) Anders ♦