This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Custom Stop Recording Trigger

0

Hello,

I want a custom trigger set on a value changing from one value to another in the same position in the data to stop recording. Is it possible, and if so, how?

Thank you

asked 26 Mar '15, 06:00

YaronS
accept rate: 0%

Can you be a bit more specific about what you're trying to do? Also, what platform is this for, and what version of Wireshark are you using?

(26 Mar '15, 07:12) cmaynard ♦♦

Hello. I wish to analyze a frame of data that is being sent in a protocol (Profinet), and I want to catch the moment I have an error (which I can see when the data changes to a certain value). Wireshark version 1.12.3, Windows 7. I hope that is specific enough. Thanks

(26 Mar '15, 07:15) YaronS

2 Answers:

4

If you are able to construct a capture filter for the value at the applicable field/offset location you are interested in, since you are using Windows and a new enough version of Wireshark, you may be able to make use of the dumpcap.bat file I wrote. It is available for download on the Wireshark wiki's Tools page.

In its simplest configuration to meet your needs, you would run it in "Dumpcap+Event" mode, specifying a general capture filter of packets you wish to capture along with an "Event" capture filter, which would be your very specific filter for the value at the offset you're looking for. Upon matching that specific filter, capturing would be terminated, optionally after some additional delay so that you could, if you wanted to, continue to capture some traffic for a specified time duration following the event of interest.

The batch file can also configure dumpcap.exe for autostop and/or ringbuffer settings, and with the help of the mailsend.exe utility, you can even get an e-mail notification of the event when it occurs, which can be handy, especially if the event in question is quite rare.

For help with writing capture filters, refer to the pcap-filter man page.

answered 26 Mar '15, 07:37

cmaynard ♦♦
accept rate: 20%

Hello cmaynard, thanks for the answer; I will try to do that. However, when I run the dumpcap file I choose option 5 to set the filter, but I do not see any option for stopping the recording when I get the wanted value with the filter. As I have never used the dumpcap file, I would appreciate some help. Thank you, Yaron

(26 Mar '15, 08:06) YaronS

As I explained, you will need to set the Dumpcap Mode to "Dumpcap+Event". This is option #2. Once you do that, you will see the CAPTURE EVENT OPTIONS section.

(26 Mar '15, 08:11) cmaynard ♦♦

Thank you, now I see it. I see there is also an option for a trigger there; maybe that will be good as well. Will try. By the way, where is the recorded file being saved? Thanks again, Yaron

(26 Mar '15, 08:24) YaronS
1

Trigger Mode is probably not what you want. In Trigger Mode, capturing isn't started UNTIL the event of interest occurs. Unfortunately, this means that the resulting capture file won't actually contain the packets leading up to the event, nor the event itself. Maybe this mode has some useful application, but none for me personally.

(26 Mar '15, 08:28) cmaynard ♦♦

"Where is the recorded file being saved?"

You specify the capture file and path in option #4, e.g.:

C:\path\to\captures\file

No need to add the .pcap or .pcapng extension as the batch file will auto-append the correct extension based on the format selected (option #9).

If you don't specify a capture file, then dumpcap will write to a temporary file located in your Temp directory. You can run "echo %TEMP%" to find the location. You will also be able to see the location and temporary file name when you start capturing, as it will be displayed by the batch file, i.e.:

Capturing on 'Some Interface'
File: C:\Users\YaronS\AppData\Local\Temp\wireshark_pcapng_Some_Interface_20150326120000_123456

(26 Mar '15, 08:51) cmaynard ♦♦

0

There's nothing available really apart from parsing the output of tshark and then killing the capture process.

answered 26 Mar '15, 06:52

grahamb ♦
accept rate: 22%

Hello grahamb, thank you for the quick reply. Do you mean that I need to edit what tshark is following, and when it sees it, kill the process? How do I edit the tshark output? With Lua, or something else? Yaron

(26 Mar '15, 07:05) YaronS
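The following script is an added example that is not part of this thread, and it is not cmaynard's dumpcap.bat; it combines the two approaches given above (a general capture plus a narrow "event" filter with an optional post-event delay, and parsing tshark output to decide when to kill the capture process). dumpcap records the broad traffic to a file while a second tshark process, started with the event capture filter, prints one field value per packet; when that value changes from one chosen value to another between consecutive packets, the script waits the delay and then stops dumpcap. The interface, filters, field name, values and delay are placeholders, and all function names are mine; only the dumpcap and tshark command-line flags used here are real.

```python
"""
Stop a running dumpcap capture when a watched field changes from OLD_VALUE to
NEW_VALUE. Requires dumpcap and tshark on PATH. All constants below are
hypothetical placeholders: adjust them for your own interface and protocol.
"""
import subprocess
import time

INTERFACE = "1"                        # interface number as listed by "dumpcap -D"
OUTFILE = "event_capture.pcapng"       # capture file written by dumpcap
GENERAL_FILTER = "ether proto 0x8892"  # placeholder broad capture filter
EVENT_FILTER = "ether proto 0x8892"    # placeholder narrow filter for event packets
FIELD = "frame.len"                    # placeholder display-filter field to watch
OLD_VALUE = "0"                        # value before the error (placeholder)
NEW_VALUE = "1"                        # value that signals the error (placeholder)
POST_EVENT_DELAY = 5.0                 # seconds to keep capturing after the event


def transition_detector(old_value, new_value):
    """Return a one-shot callable: feed it one field value per packet and it
    returns True exactly once, on the first packet whose value is new_value
    while the previous packet's value was old_value."""
    state = {"prev": None, "fired": False}

    def feed(value):
        if state["fired"]:
            return False
        prev = state["prev"]
        state["prev"] = value
        if prev == old_value and value == new_value:
            state["fired"] = True
            return True
        return False

    return feed


def parse_field_line(line):
    """tshark -T fields prints one line per packet; return the bare value
    (an empty string means the field was absent in that packet)."""
    return line.rstrip("\r\n")


def build_commands(interface, outfile, general_filter, event_filter, field):
    """Command lines for the recording process and the monitoring process.
    -l makes tshark flush each line so the event is seen without delay."""
    dumpcap_cmd = ["dumpcap", "-i", interface, "-f", general_filter, "-w", outfile]
    tshark_cmd = ["tshark", "-i", interface, "-f", event_filter,
                  "-l", "-T", "fields", "-e", field]
    return dumpcap_cmd, tshark_cmd


def watch(lines, detector, post_event_delay, stop_capture):
    """Drive the detector over an iterable of tshark output lines. On the
    transition, wait post_event_delay seconds, call stop_capture(), and
    return the triggering value. Returns None if the lines run out first."""
    for line in lines:
        value = parse_field_line(line)
        if detector(value):
            time.sleep(post_event_delay)
            stop_capture()
            return value
    return None


def run():
    dumpcap_cmd, tshark_cmd = build_commands(
        INTERFACE, OUTFILE, GENERAL_FILTER, EVENT_FILTER, FIELD)
    capture = subprocess.Popen(dumpcap_cmd)
    monitor = subprocess.Popen(tshark_cmd, stdout=subprocess.PIPE, text=True)

    def stop_capture():
        # SIGTERM on Unix lets dumpcap close the file cleanly; on Windows
        # terminate() is TerminateProcess, so the last buffered packets may be lost.
        capture.terminate()
        capture.wait()

    try:
        hit = watch(monitor.stdout, transition_detector(OLD_VALUE, NEW_VALUE),
                    POST_EVENT_DELAY, stop_capture)
    finally:
        monitor.terminate()
        if capture.poll() is None:
            capture.terminate()
    print("event seen, capture stopped" if hit is not None
          else "tshark exited before the event occurred")
    return hit


if __name__ == "__main__":
    run()
```

Because the recording and the monitoring are separate processes, the file written by dumpcap contains the traffic leading up to the event and the event itself, which is what the trigger mode discussed above does not give you. The detector only reacts to the chosen old-to-new change, so a field that is already at the error value when capturing starts, or that reaches it from some other value, does not stop the capture; widen the condition if that matters for your protocol.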