This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark rotating pcap files

0

Would it be possible to have tshark generate rotating pcap files just like this?

I could not find much documentation about it.

asked 24 Jul '15, 14:51

Bob328080's gravatar image

Bob328080
11224
accept rate: 0%

3 Answers:
active answersoldest answersnewest answerspopular answers
1

Look at the tshark options for capture stop & output, similar to tcpdump, but not quite the same:

Capture stop conditions:                                                     
  -c <packet count>        stop after n packets (def: infinite)              
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds             
                           filesize:NUM - stop this file after NUM KB        
                              files:NUM - stop after NUM files               
Capture output:                                                              
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs 
                           filesize:NUM - switch to next file after NUM KB   
                              files:NUM - ringbuffer: replace after NUM files

You're probably looking for the -b ringbuffer option.

permanent link

answered 24 Jul '15, 15:38

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

0

I am not sure I understand the question properly, but if I did:

Please always remember to use -? or --help, according to "tshark -?" output:

Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                         filesize:NUM - switch to next file after NUM KB
                         files:NUM - ringbuffer: replace after NUM files

-b duration:600 files 7 will give you a 70 minute ring buffer (rotation). If this is not what you meant, please clarify your question.

permanent link

answered 24 Jul '15, 15:38

DarrenWright's gravatar image

DarrenWright
216141520
accept rate: 26%

0

tshark -a filesize:10000 -b files:20 -i < INTERFACE > -w < BASE_FILE_NAME.pcapng >

will give you a rotating set of 20 files each of which will be (if my math is correct) 10 mb in size. The same thing can be accomplished using -b in place of the -a. [Up to this point I have found no difference between the two.]

permanent link

answered 03 Aug '15, 08:47

greenfreq's gravatar image

greenfreq
66127
accept rate: 33%

edited 03 Aug '15, 08:48

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×238
×97

question asked: 24 Jul '15, 14:51

question was seen: 10,642 times

last updated: 03 Aug '15, 08:48

Related questions

Batch file to read pcap file ? how

Write Gzip Encoded HTTP as Inflated in PCAP File

Covert the .pcap file to a .csv file using tshark

After converting pcap to text , I want only data part in text file how can i do that?

Possible to somehow mark a packet permanently?

pcap to text

Capturing packet captures live

Tshark how to capture to a file and print text on screen

How to preserve timestamps in tshark output file?

how to add data length column in wireshark display or plot payload length vs packet no

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A