Wireshark mailing list archives
Re: proto.h extension
From: "John Dill" <John.Dill () greenfieldeng com>
Date: Fri, 8 May 2015 09:07:04 -0400
Message: 2
Date: Thu, 7 May 2015 17:58:46 +0000 (UTC)
From: Christopher Maynard <Christopher.Maynard () igt com>
To: wireshark-dev () wireshark org
Subject: Re: [Wireshark-dev] proto.h extension
Message-ID: <loom.20150507T193823-35 () post gmane org>
Content-Type: text/plain; charset=us-ascii

John Dill <John.Dill@...> writes:

> On an unrelated note, is there some way to begin a capture in wireshark (or one of its tools) when a packet matches a filter expression? For example, I have a specific packet that triggers some process on the system, and I want to capture for the next 2 minutes and then stop.

This is not directly possible, no. However, you can script something together to make this work by utilizing 2 instances of dumpcap, for example. The first instance would wait for the capture event of interest, then terminate, which would allow the second instance to be started up with the capture settings you desire (e.g., capturing for 2 minutes, etc.).

If you're running on Windows, I wrote a dumpcap.bat batch file to help with this, which I originally announced on 31 May 2014 here: https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html. It supports 4 modes of operation (including triggered captures), supports e-mail notification of the event with the help of mailsend, and has hooks for user-defined actions. The latest published version of the batch file is currently available under the Scripts section of https://wiki.wireshark.org/Tools. It is mostly self-documented, but you can read more about it from the link above or from some questions on ask.wireshark.org where I thought the batch file might possibly come in handy for other folks:

1) https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture-upon-http-error-404
2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger
3) https://ask.wireshark.org/questions/26434/sound-alert

- Chris

P.S. Keep in mind that trigger mode might not be good enough though, as capturing won't start until AFTER the event occurs. If you want to be sure you capture from the event onwards, you might want to run the batch file in "Dumpcap+Event" Mode and use a ring buffer to do continuous capturing until the event occurs and then just set the "Event kills dumpcap?" option to "Y" along with "Delay before kill/action" to 120 seconds in your case.
Thank you, I will take a look and give it a try. Best regards, John D.
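The two-instance dumpcap approach Chris describes, written out as a POSIX shell script. This is an added example for this archive page, not the thread's dumpcap.bat and not code from the Wireshark project; the interface name, capture filter and output paths are placeholders supplied by the caller, and the `DUMPCAP` variable is an assumption of this script so the binary can be pointed at a full path.

```shell
#!/bin/sh
# Triggered capture with two dumpcap instances (added example, not the
# thread's dumpcap.bat). Stage 1 waits for the first packet matching a
# capture filter and exits; stage 2 then records for a fixed number of
# seconds. Interface, filter and file paths are placeholders from the caller.

# Allow the dumpcap binary to be overridden (full path, or a stub when testing).
DUMPCAP="${DUMPCAP:-dumpcap}"

# wait_for_trigger IFACE BPF_FILTER TRIGGER_FILE
# -c 1 makes dumpcap stop after one packet, so this call blocks until the
# trigger packet is seen. That single packet is saved to TRIGGER_FILE.
wait_for_trigger() {
    "$DUMPCAP" -q -i "$1" -f "$2" -c 1 -w "$3"
}

# capture_window IFACE SECONDS OUT_FILE
# Unfiltered capture that dumpcap ends on its own via -a duration:N.
capture_window() {
    "$DUMPCAP" -q -i "$1" -a "duration:$2" -w "$3"
}

# triggered_capture IFACE BPF_FILTER SECONDS OUT_FILE
# Runs the two stages back to back. Traffic between the trigger packet and
# the moment stage 2 is listening is not recorded (the caveat in the P.S.
# above); a ring buffer that is stopped on the event is the way to keep it.
triggered_capture() {
    iface=$1; filter=$2; secs=$3; out=$4
    wait_for_trigger "$iface" "$filter" "${out%.pcapng}.trigger.pcapng" || return 1
    capture_window "$iface" "$secs" "$out"
}

# Usage: sh triggered_capture.sh eth0 'tcp port 8080' 120 /tmp/after-trigger.pcapng
if [ "$#" -ge 4 ]; then
    triggered_capture "$@"
fi
```

Run it as a user allowed to capture on the interface; the trigger packet ends up in the `.trigger.pcapng` file next to the main output, and `mergecap` can join the two afterwards if a single file is wanted.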