Hi there, is it possible to set a trigger to start the capture? I mean, Wireshark is running and waiting for a condition, e.g. a packet to a strange socket, and then starts with capturing in a file (with stop-condition set in the Capture-Interface-Options) or a ringbuffer. Thanks for your support, Bernhard Hauser

asked 02 Dec '15, 13:33 Uri
One Answer:
No, that's currently not possible. Wireshark has no "observer" mode where it can look for packet conditions without capturing them, and then start to capture when something happens. It always captures packets to inspect them.

So what you could try to do is have Wireshark (or better: dumpcap) do a ring buffer capture, read the capture files when they're closed (on move to the next) and then check for the condition you want. If you find it, terminate the dumpcap process. See the similar question about that here: https://ask.wireshark.org/questions/48119/stop-the-trace-from-external-event

You'll have to figure out the "process complete capture files and then terminate dumpcap" script yourself though.

answered 02 Dec '15, 13:40 Jasper ♦♦
OK, I understand. Do you know if the trigger function or "observer" will ever come? Thanks Uri!
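
One way to write the "process complete capture files and then terminate dumpcap" script from the answer above, as an added example that is not from the answer or the Wireshark project. It assumes dumpcap and tshark are on the PATH and that capture paths contain no whitespace; the function names, the `ring` prefix, the sizes, and the interface and filter in the usage comment are made up for illustration.

```shell
#!/bin/sh
# Added example; prefix, sizes and poll interval are constructed values.
# Assumes capture paths contain no whitespace.

# Print the ring-buffer files dumpcap has already closed: every file for
# this prefix except the newest, which is still being written.
closed_files() {   # $1 = capture directory, $2 = file prefix
    ls -1 "$1"/"$2"_*.pcapng 2>/dev/null | sort | sed '$d'
}

# Succeed if at least one packet in the file matches the display filter.
file_matches() {   # $1 = capture file, $2 = display filter
    tshark -r "$1" -Y "$2" 2>/dev/null | head -n 1 | grep -q .
}

# Run dumpcap in ring-buffer mode, check each closed file once, and stop
# dumpcap when a file contains the condition. Prints the matching file.
watch_and_stop() { # $1 = interface, $2 = display filter, $3 = directory
    dir=${3:-.}; prefix=ring; seen=""
    dumpcap -q -i "$1" -b filesize:10240 -b files:20 \
        -w "$dir/$prefix.pcapng" &
    pid=$!
    while kill -0 "$pid" 2>/dev/null; do
        for f in $(closed_files "$dir" "$prefix"); do
            case " $seen " in *" $f "*) continue ;; esac
            seen="$seen $f"
            if file_matches "$f" "$2"; then
                kill -INT "$pid"          # same as Ctrl-C: clean stop
                wait "$pid" || true
                echo "$f"
                return 0
            fi
        done
        sleep 2
    done
    return 1                              # dumpcap exited without a match
}

# Only start capturing when called with arguments, e.g.:
#   ./trigger.sh eth0 'tcp.port == 4444' /var/tmp/cap
if [ "$#" -ge 2 ]; then
    watch_and_stop "$@"
fi
```

The condition is only seen once the file holding the packet has been closed, so a smaller `filesize` (or a `duration` switch) shortens the reaction time at the cost of more files.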