This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Command line assistance please

0

Hopefully this isn't a completely stupid q: But I'm hopeful someone with more knowledge than me will be able to answer this relatively 'easily'?

I wish to create a command line structure which allow me to create a user facing shortcut which does the following.

Capture on a specific interface & output to a rolling set of capture files & for this to happen in the background. I'm troubleshooting an issue & need for the affected user/s to be able to simply start this off.

Presently I'm kind of stuck at wireshark -b duration:300 files:test -ringbuffer:12 & cannot seem to work out how to set the output file type and/or directory for these to be placed in.

I can achieve this easily using the main interface, but the idea is for a normal user to simply double click a shortcut & then carry on with their usual activity (with the shark running in the background).

Any help/guidance would be greatly appreciated! Daniel

asked 20 Oct '15, 08:13

danielgilbey's gravatar image

danielgilbey
1115
accept rate: 0%

One Answer:

1

Instead of wireshark, please use dumpcap, but with the right arguments ;-)

I never heard of -ringbuffer:12, where did you get that from?

dumpcap -ni interface_id -w output.pcap -b filesize:10000 -b files:50 -f "host x.x.x.x and port yyyy"

Please replace the interface_id with the ID of the interface you want to capture on. dumpcap -D -M will tell you.

That command will write 50 files, each 10 Mbyte large in a ring-buffer style. Meaning: file #51 will overwrite file #1 and so on. The command will never stop until you press CTRL-C.

If you want the command to stop after n seconds, you should use -b duration:xxxx instead -b files.

Regards
Kurt

answered 20 Oct '15, 10:22

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 20 Oct '15, 10:23

Good morning Kurt,

Thanks, I've done some (very quick) testing with the method you've described & think this is what I'll end up building out. Greatly appreciated!

Ref the "-ringbuffer:12" I got that from the help notes I'd found whilst 'googling' about...

Anyway, thanks again! Daniel

(21 Oct '15, 01:01) danielgilbey

For anyone further interested, this is the .bat that I've come up with regards this.

start /min cmd.exe /c "dumpcap -ni 2 -w "C:\OutputDirectory\output.pcap" -b filesize:10000 -b files:40"

(21 Oct '15, 04:13) danielgilbey

Thanks and good luck!

(21 Oct '15, 04:45) Kurt Knochner ♦