This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

export append

0

I have to run a scan for an 8 hour duration. Is there a method in which I can set up the multiple file option to write/export them to a folder in sequential order without interruption to the scan? That is, a continuous run and export without interrupting the scan and killing the laptop?

asked 19 Apr '11, 06:43

spongerob


One Answer:

3

Yes, that's what the multiple files option does: it captures for a long period of time, breaking up the captured data into smaller pieces. The way to do it is:

  • Choose a filename; this will be the base filename Wireshark will use for the individual pieces
  • Select "Use Multiple Files"
  • Select either "Next file every X MB" or "Next file every X minutes"
  • My advice is to use the MB option and choose a filesize of 32MB or so
  • If you are worried about disk space, you can limit the number of files by either creating a "ringbuffer" (oldest files will be deleted when more files need to be created) or "Stop after" to stop the capture once the configured number of files has been created
  • Make sure you have "Update list of packets in real time" disabled

If you want to be absolutely sure your capture session will not run out of memory, you'd better use the command line command dumpcap (which is used by Wireshark under the hood anyway). I had dumpcap running for months with a ring buffer trying to capture a very rarely occurring problem.

answered 19 Apr '11, 07:58

SYN-bit ♦♦

Thanks much - do you know of any online courses/classes for Wireshark?

I'd like to get the cert!

(20 Apr '11, 11:41) spongerob
(21 Apr '11, 00:29) SYN-bit ♦♦
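
The dumpcap ring-buffer capture recommended in the answer above, sketched as an added example that is not part of the original thread. The interface name, output folder, base filename and disk budget are assumptions; the 32 MB file size and 8 hour duration come from the thread.

```shell
#!/bin/sh
# Added example: 8 hour capture with dumpcap, split into 32 MB files.
# IFACE, OUTDIR, DISK_MB and the base filename are assumptions; adjust them.

IFACE="${IFACE:-eth0}"           # assumed capture interface
OUTDIR="${OUTDIR:-./captures}"   # assumed output folder
FILE_MB="${FILE_MB:-32}"         # size per file, as the answer advises
DISK_MB="${DISK_MB:-4096}"       # assumed disk budget for the ring buffer
HOURS="${HOURS:-8}"              # capture length from the question

# ring_files FILE_MB DISK_MB
# Number of ring-buffer files that fit in the disk budget (at least 2).
# Once this many files exist, dumpcap deletes the oldest one, so the budget
# must cover the whole run if every packet has to be kept.
ring_files() {
    n=$(( $2 / $1 ))
    if [ "$n" -lt 2 ]; then
        n=2
    fi
    echo "$n"
}

# capture [PREFIX...]
# Runs dumpcap with the settings above. "capture echo" prints the command
# line instead of running it (dry run).
# dumpcap takes "-b filesize" in kB and "-a duration" in seconds.
capture() {
    "$@" dumpcap -i "$IFACE" -w "$OUTDIR/capture.pcapng" \
        -b "filesize:$(( FILE_MB * 1024 ))" \
        -b "files:$(ring_files "$FILE_MB" "$DISK_MB")" \
        -a "duration:$(( HOURS * 3600 ))"
}

# Start the capture only when called as: sh capture.sh run
if [ "${1:-}" = "run" ]; then
    mkdir -p "$OUTDIR"
    capture
fi
```

dumpcap inserts a sequence number and timestamp into each filename, so the pieces sort in capture order inside the folder.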