This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Would it be possible to have tshark generate rotating pcap files just like this?

I could not find much documentation about it.

asked 24 Jul '15, 14:51

Bob328080


Look at the tshark options for capture stop & output, similar to tcpdump, but not quite the same:

Capture stop conditions:                                                     
  -c <packet count>        stop after n packets (def: infinite)              
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds             
                           filesize:NUM - stop this file after NUM KB        
                              files:NUM - stop after NUM files               
Capture output:                                                              
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs 
                           filesize:NUM - switch to next file after NUM KB   
                              files:NUM - ringbuffer: replace after NUM files

You're probably looking for the -b ringbuffer option.

answered 24 Jul '15, 15:38

grahamb ♦

I am not sure I understand the question properly, but if I did:

Please always remember to use -? or --help, according to "tshark -?" output:

Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                         filesize:NUM - switch to next file after NUM KB
                         files:NUM - ringbuffer: replace after NUM files

-b duration:600 -b files:7 will give you a 70-minute ring buffer (rotation). If this is not what you meant, please clarify your question.

answered 24 Jul '15, 15:38

DarrenWright

tshark -a filesize:10000 -b files:20 -i < INTERFACE > -w < BASE_FILE_NAME.pcapng >

will give you a rotating set of 20 files, each of which will be (if my math is correct) 10 MB in size. The same thing can be accomplished using -b in place of the -a. [Up to this point I have found no difference between the two.]

answered 03 Aug '15, 08:47

greenfreq

edited 03 Aug '15, 08:48
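
Added example, not part of the thread or of Wireshark's own material: a shell sketch that builds the time-based ring-buffer command discussed in the answers and, for incident response, picks the ring file covering a given moment. The function names, the interface eth0 and the base name "ring" are made up here; it assumes the BASE_NNNNN_YYYYMMDDHHMMSS.pcapng names tshark gives multi-file captures.

```shell
#!/bin/sh
# Added example; ring_cmd, ring_file_for, eth0 and "ring" are constructed names.

# Print the tshark command for a time-based ring buffer: start a new file
# every SECS seconds and keep only the newest COUNT files.
ring_cmd() {
    iface=$1; secs=$2; count=$3; out=$4
    for n in "$secs" "$count"; do
        case $n in
            ''|0|*[!0-9]*) echo "need positive integers, got '$n'" >&2; return 2 ;;
        esac
    done
    printf 'tshark -i %s -b duration:%s -b files:%s -w %s\n' \
        "$iface" "$secs" "$count" "$out"
}

# Print the ring file with the latest start time <= TARGET (YYYYMMDDHHMMSS,
# same clock as the file names), i.e. the file covering TARGET if capture
# was running then. Assumes names like BASE_NNNNN_YYYYMMDDHHMMSS.pcapng.
# Returns 1 when every remaining file starts after TARGET (rotated out).
ring_file_for() {
    dir=$1; base=$2; target=$3
    best=''; best_ts=0
    for f in "$dir/$base"_[0-9][0-9][0-9][0-9][0-9]_*.pcapng; do
        [ -e "$f" ] || continue                  # glob matched nothing
        ts=${f%.pcapng}; ts=${ts##*_}            # trailing timestamp field
        case $ts in ''|*[!0-9]*) continue ;; esac
        [ "${#ts}" -eq 14 ] || continue
        if [ "$ts" -le "$target" ] && [ "$ts" -gt "$best_ts" ]; then
            best=$f; best_ts=$ts
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# Constructed demo: empty files standing in for a 10-minute, 7-file ring.
demo() {
    d=$(mktemp -d)
    touch "$d/ring_00004_20150724153000.pcapng" \
          "$d/ring_00005_20150724154000.pcapng" \
          "$d/ring_00006_20150724155000.pcapng"
    ring_cmd eth0 600 7 "$d/ring.pcapng"
    ring_file_for "$d" ring 20150724154512
    rm -rf "$d"
}
demo
```

A non-zero return from ring_file_for means the requested moment is older than the oldest file still in the ring, which is the sign that the duration and files values are too small for the retention you need.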


question asked: 24 Jul '15, 14:51

question was seen: 10,641 times

last updated: 03 Aug '15, 08:48