
tshark rotating pcap files


Would it be possible to have tshark generate rotating pcap files just like this?

I could not find much documentation about it.

asked 24 Jul '15, 14:51


Bob328080
accept rate: 0%


3 Answers:


Look at the tshark options for capture stop & output, similar to tcpdump, but not quite the same:

Capture stop conditions:
  -c <packet count>        stop after n packets (def: infinite)
  -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                           filesize:NUM - stop this file after NUM KB
                              files:NUM - stop after NUM files
Capture output:
  -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files

You're probably looking for the -b ringbuffer option.

answered 24 Jul '15, 15:38


grahamb ♦
accept rate: 22%


I am not sure I understand the question properly, but if I did:

Please always remember to use -? or --help, according to "tshark -?" output:

Capture output:
-b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                         filesize:NUM - switch to next file after NUM KB
                         files:NUM - ringbuffer: replace after NUM files

-b duration:600 -b files:7 will give you a 70 minute ring buffer (rotation). If this is not what you meant, please clarify your question.

answered 24 Jul '15, 15:38


DarrenWright
accept rate: 26%


tshark -a filesize:10000 -b files:20 -i <INTERFACE> -w <BASE_FILE_NAME.pcapng>

will give you a rotating set of 20 files, each of which will be (if my math is correct) 10 MB in size. The same thing can be accomplished using -b in place of the -a. [Up to this point I have found no difference between the two.]

answered 03 Aug '15, 08:47


greenfreq
accept rate: 33%

edited 03 Aug '15, 08:48
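As an added example (not from any of the answers above), the following Python builds the ring-buffer argument list with one condition per -b flag, which is the syntax the answers circle around, and then checks how much time a set of rotated files actually retains. It assumes tshark's ring-buffer file naming `<base>_<seq>_<YYYYmmddHHMMSS>.<ext>`; the file names in the test are constructed, not captured output.

```python
import re
from datetime import datetime

# Ring-buffer output is assumed to be named <base>_<seq>_<YYYYmmddHHMMSS>.<ext>;
# anything that does not match this pattern is ignored as unrelated.
RING_NAME = re.compile(
    r"^(?P<base>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>pcapng|pcap)$"
)


def ring_buffer_args(interface, base, duration=None, filesize_kb=None, files=None):
    """Build a tshark argument list for a rotating capture.

    Each ring-buffer condition is its own -b flag ("-b duration:600 -b files:7").
    A files:N limit alone never rotates, so it is rejected unless a duration or
    filesize trigger is also given.
    """
    if files is not None and duration is None and filesize_kb is None:
        raise ValueError("files:N needs duration or filesize to trigger rotation")
    args = ["tshark", "-i", interface, "-w", base]
    if duration is not None:
        args += ["-b", f"duration:{duration}"]
    if filesize_kb is not None:
        args += ["-b", f"filesize:{filesize_kb}"]
    if files is not None:
        args += ["-b", f"files:{files}"]
    return args


def retained_window(filenames):
    """Return (oldest file, newest file, seconds between their start times).

    Useful after the fact to confirm the ring buffer kept the window you
    intended (files x duration), since older files are overwritten for good.
    Returns None if no name matches the ring-buffer pattern.
    """
    parsed = []
    for name in filenames:
        m = RING_NAME.match(name)
        if m:
            start = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
            parsed.append((int(m["seq"]), start, name))
    if not parsed:
        return None
    parsed.sort()  # sequence number is the rotation order
    oldest, newest = parsed[0], parsed[-1]
    return oldest[2], newest[2], (newest[1] - oldest[1]).total_seconds()
```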