This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Rolling window during capture


Is it possible to capture packets into a first-in-first-out queue of user-defined duration?

It would be extremely handy to leave Wireshark capturing packets unattended - possibly days - until an application crashes. By defining the duration to be n hours, we would have almost n hours to reach the Wireshark workstation and save the capture before losing the failure event.

asked 02 Mar '16, 16:18


pbyhistorian


One Answer:


Yes, the capture options dialog provides several options when capturing, including automatically stopping the capture after a specified duration of time.

That said, if you intend to capture for days, I wouldn't recommend using Wireshark itself for capturing, but its command-line companion tool dumpcap instead, which is what Wireshark uses under the hood for capturing anyway. The main reasons for using dumpcap instead of Wireshark are better performance and avoiding running out of memory. Dumpcap allows you to specify capture options, just as Wireshark does, including limiting the capture duration using either the -a duration:value or -b duration:value options. Use the one that best suits your needs.

By the way, for your use case, I don't think there's really any particularly compelling need to stop dumpcap after a specified duration. Instead you could configure it to capture forever, making use of the ringbuffer options to avoid any individual file growing too large, and then only stop the capture manually whenever you've detected that the application has crashed.

answered 02 Mar '16, 20:34


cmaynard ♦♦
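The rolling-window setup the answer describes, written out as a small POSIX shell wrapper. This is an added example, not code from the original Q&A or from the Wireshark project; the interface name, output path, one-hour file length and the watched PID are assumptions chosen for illustration. It combines dumpcap's -b duration and -b files ring-buffer options so that only the newest N+1 hourly files are kept, then stops dumpcap with SIGINT once the watched application has exited, leaving the last N hours on disk.

```sh
#!/bin/sh
# Added example (not part of the original Q&A): keep a rolling N-hour window
# of traffic with dumpcap's ring buffer and stop capturing once the watched
# application exits. Interface, output path and the watched process are
# assumptions chosen for illustration; dumpcap needs capture privileges.
set -u

# Build dumpcap's argument list for an N-hour window made of one-hour files.
# -b duration:3600 starts a new file every hour; -b files:K keeps only the K
# newest files and deletes the oldest. The newest file is always partial, so
# K = N + 1 guarantees at least N complete hours are on disk at any moment.
ring_args() {
    hours=$1
    iface=$2
    outfile=$3
    printf '%s' "-i $iface -b duration:3600 -b files:$((hours + 1)) -w $outfile"
}

# Poll until the given PID is gone (the application crashed or exited).
# Returns 0 once the process no longer exists; interval defaults to 5 s.
wait_for_exit() {
    pid=$1
    interval=${2:-5}
    while kill -0 "$pid" 2>/dev/null; do
        sleep "$interval"
    done
    return 0
}

# Orchestration: run dumpcap in the background, wait for the application to
# die, then send SIGINT so dumpcap flushes and closes the current file
# cleanly instead of leaving a truncated trailer.
rolling_capture() {
    hours=$1
    iface=$2
    outfile=$3
    app_pid=$4
    # Word-splitting of the argument string is intended here.
    # shellcheck disable=SC2046
    dumpcap $(ring_args "$hours" "$iface" "$outfile") &
    cap_pid=$!
    wait_for_exit "$app_pid"
    kill -INT "$cap_pid"
    wait "$cap_pid"
}

# Example invocation with assumed values: a 24-hour window on eth0 while
# watching PID 4242. Uncomment to run.
# rolling_capture 24 eth0 /var/tmp/capture/app.pcapng 4242
```

If hourly boundaries are the wrong granularity, swap -b duration:3600 for -b filesize:value (kilobytes) and scale files: accordingly; the retained window then depends on traffic volume rather than wall-clock time. Note that dumpcap alone never needs the -a duration autostop here, since the ring buffer bounds disk usage and the stop is driven by the application's exit.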