Is there a way to truncate the capture log to, say, 4 or 6 hours? I need to diagnose a problem that happens randomly every 4-14 days, and would like to have a capture of the data happening at the moment of the event without crushing the computer running Wireshark for 14 days straight... asked 24 Aug '11, 06:47 cshep70
One Answer:
You can use dumpcap (included with Wireshark) for that purpose. I have kept dumpcap running for months in that manner. The trick is to make use of the ringbuffer functionality. You will want to use something like:
This will create a 4 GB ringbuffer (128 files of 32 MB). This way you will never run out of disk space and will keep only the last 4 GB of capture data until the problem occurs and the dumpcap command is stopped (by Ctrl+C). answered 24 Aug '11, 06:58 SYN-bit ♦♦
Much Obliged! That's what I had been looking for.
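The ring-buffer command line the answer refers to, as an added example that is not part of the original post or of the Wireshark project: a small POSIX sh script that builds the dumpcap invocation from the file count and per-file size, and (going beyond the answer, since the question asked for a time window) optionally adds dumpcap's duration-based rotation so that N files of 4 hours each are kept. The interface name, output prefix and environment variable names are assumptions for the example; the dumpcap options used (-i, -w, -b filesize:, -b files:, -b duration:) are standard.

```shell
#!/bin/sh
# Added example (not from the original post): build a dumpcap ring-buffer
# command line so the sizing arithmetic is explicit and reviewable.
# Assumed defaults: interface eth0, output prefix /var/tmp/ring/cap.

# Total disk footprint of the ring buffer, in MB.
#   $1 = number of files, $2 = size per file in MB
ring_total_mb() {
    echo $(( $1 * $2 ))
}

# Build the dumpcap command line (echoed, not executed).
#   $1 interface, $2 output file prefix, $3 number of ring files,
#   $4 size per file in MB, $5 (optional) also rotate every N seconds.
# dumpcap's "-b filesize:" takes kB; whether that is 1000 or 1024 bytes has
# differed between Wireshark versions, so treat the total as approximate.
# With a ring buffer dumpcap names the files PREFIX_NNNNN_YYYYMMDDhhmmss.pcapng.
dumpcap_ring_cmd() {
    iface=$1; prefix=$2; files=$3; size_mb=$4; duration=${5:-}
    size_kb=$(( size_mb * 1024 ))
    cmd="dumpcap -i $iface -w $prefix.pcapng -b filesize:$size_kb -b files:$files"
    if [ -n "$duration" ]; then
        cmd="$cmd -b duration:$duration"
    fi
    echo "$cmd"
}

# Only start a capture when explicitly asked, so sourcing this file is harmless.
# RUN_CAPTURE, IFACE, PREFIX and ROTATE_SECONDS are names assumed for this example.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    prefix=${PREFIX:-/var/tmp/ring/cap}
    mkdir -p "$(dirname "$prefix")"
    cmd=$(dumpcap_ring_cmd "${IFACE:-eth0}" "$prefix" 128 32 "${ROTATE_SECONDS:-}")
    echo "Keeping the last $(ring_total_mb 128 32) MB in: $cmd"
    # eval is safe here only because every argument came from this script;
    # do not feed it untrusted interface or path strings.
    eval "$cmd"
fi
```

Run it as `RUN_CAPTURE=1 ROTATE_SECONDS=14400 nohup ./ring.sh &` to rotate every 4 hours as well as at 32 MB, and stop it with Ctrl+C or `kill -INT <pid>` once the event has happened; dumpcap closes the current file cleanly on SIGINT. Running dumpcap on its own rather than the Wireshark GUI is also the least-privilege choice: only the capturing process needs the capture privilege (the wireshark group or CAP_NET_RAW/CAP_NET_ADMIN on Linux), and the dissectors, which are where most Wireshark security fixes land, run later on the saved files as an ordinary user.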