Hi, I've been reading the docs here: https://www.wireshark.org/docs/man-pages/tshark.html trying to find a way to stop a capture if no packet has been received for at least X seconds.

I know I can put an absolute timeout in place using the "-a duration" flags... but ideally I would be able to run:

tshark host <source_ip> -w dump.pcap

such that the capture stopped when no traffic from that source IP had been received for X seconds.

Any ideas....?

asked 25 Oct '16, 10:11 dbrb2
One Answer:
Unfortunately that's not currently supported. You could raise an enhancement request on the Wireshark Bugzilla (if there isn't a similar one already).

answered 25 Oct '16, 10:32 grahamb ♦

I might do that, thanks.

Another option - not quite the same, but in my case with a similar outcome - would be to combine a packet limit -c with a duration. That would presumably quit either when X matching packets were received, or when the duration was hit, whichever came first...

(25 Oct '16, 11:02) dbrb2
Just wondering, what's the use case?
I'm checking comms on a number of video streams. I can start each stream, and tshark, in parallel - but the stream may take a few seconds to join - so I need to capture with tshark for long enough to get a representative sample of packets, but not so long I'm wasting time...
I think I will do this by combining packet count with duration...
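
One way to approximate the idle timeout asked about above from outside tshark, as an added example that is not part of the original thread: a shell wrapper that stops the capture once its output file has stopped growing. The function name capture_until_idle and the address 192.0.2.10 are placeholders, and it assumes the capture file grows as packets arrive.

```shell
#!/bin/sh
# Added example: stop a capture once its output file stops growing.
# Usage (192.0.2.10 is a placeholder source IP):
#   capture_until_idle dump.pcap 5 tshark -w dump.pcap host 192.0.2.10
#
# Assumption: the capture command appends to FILE as packets arrive, so
# "size unchanged for IDLE seconds" approximates "no packets for IDLE
# seconds". Write buffering can delay file growth slightly.

capture_until_idle() {
    cui_file=$1                 # file the capture command writes to
    cui_idle=$2                 # seconds without growth before stopping
    shift 2

    "$@" &                      # start the capture in the background
    cui_pid=$!
    cui_last=-1                 # last observed size in bytes
    cui_quiet=0                 # consecutive one-second polls without growth

    # Loop ends early if the command exits by itself (e.g. -c or -a duration).
    while kill -0 "$cui_pid" 2>/dev/null; do
        sleep 1
        if [ -f "$cui_file" ]; then
            cui_size=$(($(wc -c < "$cui_file")))
        else
            cui_size=0
        fi
        if [ "$cui_size" -ne "$cui_last" ]; then
            cui_last=$cui_size
            cui_quiet=0
        else
            cui_quiet=$((cui_quiet + 1))
        fi
        if [ "$cui_quiet" -ge "$cui_idle" ]; then
            kill "$cui_pid" 2>/dev/null || true   # SIGTERM to the capture
            break
        fi
    done
    wait "$cui_pid" 2>/dev/null || true           # reap; ignore exit status
    return 0
}
```

Because the loop also ends when the command exits by itself, the wrapper can be combined with the -c and -a duration limits discussed in the comments, which then act as upper bounds.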