This is our old Q&A Site. Please post any new questions and answers at


We have several computers that are running Wireshark and sniffing data packets for us to send to a large phone company.

But each day I have to log in to these machines and manually upload the files to our FTP server... and these machines are so slow!

Isn't there a built-in uploader in Wireshark, or can someone recommend third-party software?

I need the software to upload ONLY files that have been completed (200MB) and delete them afterwards.

Please help me out :)

asked 11 Jul '13, 01:58


Some answers.

  1. There is no built-in 'uploader' in Wireshark
  2. There are several tools available in the open source environment that are able to accomplish the task.

To be able to name some, please tell us what communication protocols are available for the upload (FTP, HTTP, HTTPS, ssh, anything else). What is your OS on the capturing machine?

BTW: How do you capture the traffic? With dumpcap and ring-buffers or with Wireshark/tshark?


As your systems are Windows (XP and 7), here are some recommendations on how to automate the upload.

First use a File/Folder monitoring tool to detect changes in a directory (newly added capture files).

Then use a scripted FTP client (or a custom batch script) to upload the files.

The tricky part is to detect the "finished/completed" capture files, that are ready for an upload. That depends on how those files are being generated (dumpcap, tshark, Wireshark).

Together with a batch script it should be possible to retrieve only those files with an older 'last write' date. But that's a question you'd better ask in a Windows batch programming forum.


As you requested an easier solution, here we go. Try the following software

According to the product features, it has all you need to automate the capture file upload. A quick review on my test system looks promising.


Here is the super simple solution ;-)

While Wireshark/dumpcap writes to a capture file, the file is locked by the OS. You can use that in the following way.

  1. Move all pcap files to a folder named 'done': move *.pcap c:\pcap_files\done. This can be done as a scheduled job on Windows. The locked file (the one that is currently in use) will not be moved.
  2. Upload the content of the done directory with an automated ftp client (see links above).


answered 11 Jul '13, 02:11

Kurt Knochner ♦

edited 12 Jul '13, 01:39


I use WinXP and Win7 (both 32 bit).

It will be FTP upload.

About the last answer... I don't know - I have only been told to back these up each day, I'm not working with this normally... But where can I see that? So that I can inform you.

(11 Jul '13, 02:22) ksl

But where can I see that?

Maybe just ask the one who set up the capture process, as this is essential for any automation.

(11 Jul '13, 02:26) Kurt Knochner ♦

see my UPDATE in the answer

(11 Jul '13, 02:46) Kurt Knochner ♦

There must be an easier way... I'm already stuck

(11 Jul '13, 07:03) ksl

easier? In terms of what?

stuck? Where?

(11 Jul '13, 07:41) Kurt Knochner ♦

I wrote a network forensic tool for automated trace file analysis, and what I do to check if dumpcap is still writing packets to a file is to try to open it for exclusive read access. If that fails, it's still in use. Maybe you can script something like this as well, or find a tool that can detect if a file is still in use.

(11 Jul '13, 08:41) Jasper ♦♦

I wrote a network forensic tool for automated trace file analysis

commercial, internal use or free? :-)

(11 Jul '13, 10:44) Kurt Knochner ♦

Internal use only, sorry :-)

(11 Jul '13, 10:45) Jasper ♦♦

O.K. I understand. Anyway, what is the purpose of the tool, meaning what kind of analysis did you implement?

(11 Jul '13, 14:17) Kurt Knochner ♦

It is scanning network packets for indicators of infected systems, based on patterns we have seen in some of our cases. It's basically looking at layers above layer 4, ignoring the trivial stuff like nmap scans, invalid TCP flags etc. One example is looking at HTTP headers that are "funny" or inconsistent or connect to hosts on a list of known bad systems. Some of that can be done by parsing logs of course, but I prefer having full packet captures to see what is actually going on instead of looking at meta data in logs. Plus, a packet capture can be implemented without disturbing productive systems and is often faster to achieve than tracking down the guy who can give me access to tons of log files.

(11 Jul '13, 15:41) Jasper ♦♦

Sounds nice :-) Do you parse tshark output or do you read the pcap file directly?

(11 Jul '13, 16:46) Kurt Knochner ♦


There must be an easier way... I'm already stuck

see UPDATE 2 in my answer.

(11 Jul '13, 17:02) Kurt Knochner ♦

@Kurt: It reads trace files directly, preferably PCAPng, but it can also read pcap and Sniffer .enc/.cap files. The code is basically built upon a packet analysis framework written from scratch, not using any existing libraries. A lot of it is also used in TraceWrangler, which is available for free at

(11 Jul '13, 17:51) Jasper ♦♦

I got the script to work... and I can monitor the files with the Directory Monitor... But I'm stuck at getting it to upload the file when the file is filled or a new one is created.

I want to upload the files when the log is filled or a new one is created. Otherwise it might upload a "corrupt" file (not yet completed file)

(11 Jul '13, 22:53) ksl

@ksl: See UPDATE 2 in my answer. With that tool, you can upload files that have not been 'touched' (written) today, which excludes the current file. A similar thing should be done with Directory Monitor. You need to figure out (with a script) if the reported file is still open (see the hint of @Jasper).

BTW: Were you able to figure out the capture process (how the files are being generated)? Maybe that will help as well.

(12 Jul '13, 00:49) Kurt Knochner ♦


The code is basically built upon a packet analysis framework written from scratch, not using any existing libraries

You like it the hard way, right ;-))

A lot of it is also used in TraceWrangler, which is available for free at

I'll have a look. Thanks.

(12 Jul '13, 00:50) Kurt Knochner ♦

@ksl: see my UPDATE 3 for a super simple solution.

(12 Jul '13, 01:34) Kurt Knochner ♦
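
An added example, not code posted by anyone in this thread: a PowerShell script for a Windows scheduled task that combines the exclusive-open check suggested in the comments with the upload-then-delete step from the answer. The server URL, account, folder and the FTPS setting are placeholder assumptions; the local file is deleted only after the server reports the same byte count.

```powershell
# Added example: every value below is a placeholder assumption, not from the thread.
$CaptureDir = 'C:\pcap_files'                       # folder the capture process writes to
$FtpBase    = 'ftp://ftp.example.invalid/captures'  # placeholder server and path
$Cred       = New-Object System.Net.NetworkCredential('upload-user', 'CHANGE-ME')
$UseTls     = $true   # assumes the server supports FTPS; plain FTP sends captures in clear

function Test-FileClosed([string]$Path) {
    # Opening with FileShare 'None' fails while the capture process still holds the file.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $true
    } catch {
        return $false   # locked or unreadable: treat as not ready
    }
}

function New-FtpRequest([string]$Uri, [string]$Method) {
    $req = [System.Net.FtpWebRequest][System.Net.WebRequest]::Create($Uri)
    $req.Method      = $Method
    $req.Credentials = $Cred
    $req.EnableSsl   = $UseTls
    $req.UseBinary   = $true    # capture files must not be transferred in ASCII mode
    $req.KeepAlive   = $false
    return $req
}

foreach ($file in Get-ChildItem -Path $CaptureDir -Filter '*.pcap') {
    if (-not (Test-FileClosed $file.FullName)) { continue }   # still being written
    $uri = $FtpBase + '/' + [Uri]::EscapeDataString($file.Name)
    $src = $null; $dst = $null
    try {
        $up  = New-FtpRequest $uri ([System.Net.WebRequestMethods+Ftp]::UploadFile)
        $src = [System.IO.File]::OpenRead($file.FullName)
        $dst = $up.GetRequestStream()
        $buf = New-Object byte[] 65536
        while (($n = $src.Read($buf, 0, $buf.Length)) -gt 0) { $dst.Write($buf, 0, $n) }
        $dst.Close(); $dst = $null
        $src.Close(); $src = $null
        $up.GetResponse().Close()
        # Ask the server for the stored size before removing the local copy.
        $resp = (New-FtpRequest $uri ([System.Net.WebRequestMethods+Ftp]::GetFileSize)).GetResponse()
        $remoteSize = $resp.ContentLength
        $resp.Close()
        if ($remoteSize -eq $file.Length) { Remove-Item -LiteralPath $file.FullName }
        else { Write-Warning "Size mismatch for $($file.Name); local copy kept" }
    } catch {
        Write-Warning "Upload failed for $($file.Name): $($_.Exception.Message)"
    } finally { if ($dst) { $dst.Close() }; if ($src) { $src.Close() } }
}
```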

question asked: 11 Jul '13, 01:58

question was seen: 3,972 times

last updated: 12 Jul '13, 01:39
