I've been reading the docs here:
trying to find a way to stop a capture if no packet has been received for at least X seconds.
I know I can put an absolute timeout in place using the "-a duration" flags... but ideally I would be able to run:
tshark host <source_ip> -w dump.pcap
Such that the capture stopped when no traffic from that source IP had been received for X seconds. Any ideas?
asked 25 Oct '16, 10:11
Unfortunately that's not currently supported.
You could raise an enhancement request on the Wireshark Bugzilla (if there isn't a similar one already).
answered 25 Oct '16, 10:32
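Since tshark has no inactivity timeout of its own, the stop condition can be enforced from outside the process. The following is an added example, not part of the original thread or of Wireshark: a wrapper that stops the capture once the output file has not grown for X seconds. The function names are hypothetical, and it assumes that file growth is an adequate proxy for "a packet arrived" and that tshark closes the pcap cleanly on SIGTERM.

```shell
#!/bin/sh
# Added example (not from the thread): stop a capture after IDLE seconds of silence.
# Assumptions: output-file growth stands in for packet arrival (writes may be
# buffered, so IDLE is approximate); the capture tool finalizes its file on SIGTERM.

# file_size FILE: print size in bytes, or 0 if the file does not exist yet.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# stop_when_idle PID FILE IDLE [POLL]
# Returns 0 if PID was stopped for inactivity, 1 if PID exited on its own.
stop_when_idle() {
    pid=$1 file=$2 idle=$3 poll=${4:-1}
    last=$(file_size "$file")
    quiet=0
    while kill -0 "$pid" 2>/dev/null; do
        sleep "$poll"
        now=$(file_size "$file")
        if [ "$now" -ne "$last" ]; then
            last=$now; quiet=0            # new data: reset the idle counter
        else
            quiet=$((quiet + poll))
        fi
        if [ "$quiet" -ge "$idle" ]; then
            kill -TERM "$pid" 2>/dev/null || true
            wait "$pid" 2>/dev/null || true
            return 0
        fi
    done
    return 1
}

# capture_until_idle SRC_IP FILE IDLE: the command from the question, supervised.
capture_until_idle() {
    tshark -f "host $1" -w "$2" &
    stop_when_idle $! "$2" "$3"
}

# Usage: ./idle_capture.sh <source_ip> dump.pcap <idle_seconds>
if [ "$#" -eq 3 ]; then capture_until_idle "$@"; fi
```

The idle counter starts at launch, so a capture that never sees a matching packet also stops after the idle limit.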