This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

auto remove old data

0

Is there a way to set wireshark to automatically delete capture data that is older than a given time?

For example, I would like to have wireshark constantly running, but I don't have unlimited storage space, so I would just like to see the data for the past 12 hours. I check my computer more than once every 12 hours, so if I see something strange happening, or if I want to see my packet history due to some recent event, I could do so and save the important parts if I wish.

asked 13 Feb '11, 08:39


1proof
6113
accept rate: 0%


2 Answers:

4

Or to give an example, you can make a ringbuffer with dumpcap as follows:

dumpcap -i <interface> -w <file.pcap> -b files:48 -b duration:900

This will create files of 900 seconds each, but after creating 48 files, it will remove the first one. Effectively it will keep 12 hours of data.

When you create new files based on time, you still might run out of disk space if network traffic is unusually high. I always prefer something like the following:

dumpcap -i <interface> -w <file.pcap> -b files:1024 -b filesize:16384

This will create files of 16MB and it will keep only the last 1024 of them, so you know the capture buffer will never grow beyond 16GB.

You can use capinfos to show which file contains which timeframe like so:

capinfos -Taecu *.pcap

If you need to combine data of multiple of these files, you can use mergecap to combine them:

mergecap -w combined.pcap file1.pcap file2.pcap ... fileX.pcap

This will combine file1 to fileX into the new file 'combined.pcap'.

Last but not least, you can use editcap to get a certain time interval from the resulting tracefile with:

editcap -A "2011-02-13 20:00" -B "2011-02-13 21:00" combined.pcap result.pcap

This will create a file 'result.pcap' with only the packets from the time range 20:00-21:00 on Feb 13th, 2011.

All used commands are included with Wireshark :-)

answered 13 Feb '11, 11:49


SYN-bit ♦♦
17.1k957245
accept rate: 20%
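The answer above chains four tools: dumpcap writes a bounded ring buffer, capinfos tells you which file holds which timeframe, mergecap joins the relevant files and editcap cuts the window. The script below is an added example (not code from the answer or from the Wireshark project) that automates the "which files cover 20:00-21:00?" step without needing capinfos: it relies on dumpcap's ring-buffer naming, `<base>_<NNNNN>_<YYYYMMDDHHMMSS>.pcap`, and on the assumption that each file covers the span from its own timestamp until the next file's timestamp. The helper names (`ring_cmd`, `select_window`, `extract_window`, ...) and the sample file listing are constructed for this illustration; only the final merge-and-trim step calls mergecap and editcap, and it is skipped when they are not installed.

```shell
#!/bin/sh
# Added example, not code from the original answer or the Wireshark project.
# Assumes dumpcap's ring-buffer naming "<base>_<NNNNN>_<YYYYMMDDHHMMSS>.pcap"
# and that each file covers its own timestamp up to the next file's timestamp
# (the newest file is still open). Helper names are hypothetical.

# Print the dumpcap command line for a size-bounded ring buffer (not executed).
# Usage: ring_cmd <interface> <base> <files> <filesize_kB>
ring_cmd() {
    printf 'dumpcap -i %s -w %s.pcap -b files:%s -b filesize:%s\n' "$1" "$2" "$3" "$4"
}

# Upper bound, in MB, of the disk such a ring buffer can occupy.
ring_max_mb() {
    echo $(( $1 * $2 / 1024 ))
}

# Extract the 14-digit timestamp from a ring-buffer filename.
ring_ts() {
    f=${1##*/}          # drop the directory part
    f=${f%.pcap}        # drop the extension
    echo "${f##*_}"     # keep the text after the last underscore
}

# Convert YYYYMMDDHHMMSS into the "YYYY-MM-DD HH:MM:SS" form editcap -A/-B expect.
ts_to_iso() {
    t=$1
    y=${t%??????????}; t=${t#????}
    mo=${t%????????};  t=${t#??}
    d=${t%??????};     t=${t#??}
    h=${t%????};       t=${t#??}
    mi=${t%??};        s=${t#??}
    echo "$y-$mo-$d $h:$mi:$s"
}

# Print file $1 if its coverage [$2, $3) overlaps the window [$4, $5].
emit_if_overlaps() {
    [ "$2" -le "$5" ] && [ "$3" -gt "$4" ] && echo "$1"
    return 0
}

# Read a sorted list of ring-buffer files on stdin and print the ones that
# overlap the window [START, END] (both YYYYMMDDHHMMSS).
select_window() {
    start=$1; end=$2; prev=""
    while IFS= read -r cur; do
        [ -n "$prev" ] && emit_if_overlaps "$prev" "$(ring_ts "$prev")" "$(ring_ts "$cur")" "$start" "$end"
        prev=$cur
    done
    # The newest file has no successor: treat it as open-ended.
    [ -n "$prev" ] && emit_if_overlaps "$prev" "$(ring_ts "$prev")" 99999999999999 "$start" "$end"
    return 0
}

# Merge the selected files and keep only the packets inside the window.
# Usage: extract_window START END out.pcap file...   (needs mergecap and editcap)
extract_window() {
    start=$1; end=$2; out=$3; shift 3
    if ! command -v mergecap >/dev/null 2>&1 || ! command -v editcap >/dev/null 2>&1; then
        echo "mergecap/editcap not found; would merge: $*" >&2
        return 1
    fi
    mergecap -w "$out.merged" "$@" &&
        editcap -A "$(ts_to_iso "$start")" -B "$(ts_to_iso "$end")" "$out.merged" "$out" &&
        rm -f "$out.merged"
}

# Constructed sample listing (what `ls ring_*.pcap` might print); 75-minute files.
SAMPLE_FILES='ring_00001_20110213180000.pcap
ring_00002_20110213191500.pcap
ring_00003_20110213203000.pcap
ring_00004_20110213214500.pcap'

# Demo: the answer's 1024 x 16 MB buffer, then the files covering 20:00-21:00.
ring_cmd eth0 ring 1024 16384
echo "max size: $(ring_max_mb 1024 16384) MB"
printf '%s\n' "$SAMPLE_FILES" | select_window 20110213200000 20110213210000
```

On a real capture directory you would replace the constructed listing with `ls ring_*.pcap` and pass the selected names to `extract_window 20110213200000 20110213210000 result.pcap ...`. The overlap test deliberately includes the file that started before the window, because packets from 20:00 onward sit in the file whose timestamp is 19:15; editcap then trims the merged result to the exact range.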

I think it's about time we get a new badge called "command line hero" for Sake :-)

(13 Feb '11, 16:23) Jasper ♦♦

Thanks a lot for the reply! I'm new to wireshark, so I'm sure this was a very elementary problem for you.

I used dumpcap -i <interface> -w <file.pcap> -b files:1024 -b filesize:16384 as you said.

So far it's working well...

In case someone doesn't know, in Windows you can get the proper name for <interface> by using dumpcap -D.

(14 Feb '11, 06:45) 1proof

I'm glad this works for you. If my answer did answer your question, you can click on the "checkmark" on the left of it (below the thumbs-down) to accept the answer so the question will not appear in the "Unanswered" list anymore.

BTW I changed your "answer" to a "comment" to adhere to the Q&A style of this website.

(14 Feb '11, 06:56) SYN-bit ♦♦

0

Look into using the ring buffer options. And for long-running capture, use dumpcap instead of Wireshark.

answered 13 Feb '11, 11:19


Jaap ♦
11.7k16101
accept rate: 14%