This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to capture packets into a first-in-first-out queue of user-defined duration?

It would be extremely handy to leave Wireshark capturing packets unattended - possibly days - until an application crashes. By defining the duration to be n hours, we would have almost n hours to reach the Wireshark workstation and save the capture before losing the failure event.

asked 02 Mar '16, 16:18

pbyhistorian
accept rate: 0%


Yes, the capture options dialog provides several options when capturing, including automatically stopping the capture after a specified duration of time.

That said, if you intend to capture for days, I wouldn't recommend using Wireshark itself for capturing, but its command-line companion dumpcap tool instead, which is what Wireshark uses under the hood for capturing anyway. The main reasons for using dumpcap instead of Wireshark are for better performance and to avoid running out of memory. Dumpcap allows you to specify capture options, just as Wireshark does, including limiting the capture duration using either the -a duration:value or -b duration:value options. Use the one that best suits your needs.

By the way, for your use case, there doesn't really appear to be any particularly compelling need to stop dumpcap after a specified duration, I don't think. Instead you could configure it to capture forever, making use of the ringbuffer options to keep any individual files from growing too large, and then only stopping the capture manually whenever you've detected that the application has crashed.

answered 02 Mar '16, 20:34

cmaynard ♦♦
accept rate: 20%
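
The ring buffer approach from the answer above, as an added example that is not part of the original answer or of Wireshark: a shell helper that sizes dumpcap's -b duration and -b files options so the files on disk always cover at least the last n hours. The function names, the interface name and the output path are assumptions.

```shell
#!/bin/sh
# Added example: size a dumpcap ring buffer to retain the last N hours.

# ring_files HOURS SLICE_MINUTES -> number of ring files to keep
ring_files() {
    hours=$1; slice_min=$2
    case "$hours" in ''|*[!0-9]*) return 1 ;; esac
    case "$slice_min" in ''|*[!0-9]*) return 1 ;; esac
    [ "$hours" -gt 0 ] && [ "$slice_min" -gt 0 ] || return 1
    window_min=$((hours * 60))
    # Round up to whole slices, then add one: the newest file is only partly
    # filled, so N files guarantee just (N-1) full slices of history.
    echo $(( (window_min + slice_min - 1) / slice_min + 1 ))
}

# ring_capture_cmd IFACE HOURS SLICE_MINUTES OUTFILE -> dumpcap command line
ring_capture_cmd() {
    files=$(ring_files "$2" "$3") || {
        echo "hours and slice minutes must be positive integers" >&2
        return 1
    }
    # -b duration:SECS switches to a new file every SECS seconds;
    # -b files:N removes the oldest file once N exist (the FIFO behaviour).
    printf 'dumpcap -i %s -b duration:%s -b files:%s -w %s\n' \
        "$1" "$(( $3 * 60 ))" "$files" "$4"
}

# Print the command when run as: sh ring.sh eth0 12 30 /var/tmp/crash.pcapng
# (interface name and output path are placeholders)
if [ "$#" -eq 4 ]; then
    ring_capture_cmd "$@"
fi
```

dumpcap appends a sequence number and timestamp to the -w name for each ring file, so after stopping the capture the files sort in time order.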

question asked: 02 Mar '16, 16:18

question was seen: 1,668 times

last updated: 02 Mar '16, 20:34