Re: automate capture feature

[Phil Paradis <Phil.Paradis () unitedtote com>]

Rotating the files every minute is going to generate a LOT of files; if the capture is going to run for any significant 
length of time, I'd suggest using a file size limit and/or a much longer time limit. Some filesystems will choke on 
directories with huge numbers of files in them; something to keep in mind when determining how many files to keep.

Captured data is written to disk pretty much as it's received (there is a delay of several seconds due to write caching 
by the OS) so that shouldn't be a major concern; if the box crashes during a capture, you shouldn't lose more than a 
few seconds worth of captured data. 

If you plan to run your capture for a long time, I'd suggest using dumpcap instead of tshark/wireshark; dumpcap simply 
writes the packets to disk, while the *shark tools also analyze them in real-time. As a result, the *shark tools will 
eventually run out of RAM trying to maintain state information over very long periods of time.

A final point to note is that for very long-running captures (many days) on Windows boxes, the accuracy of timestamps 
will be adversely affected. This is a limitation of the mechanism used by WinPcap to generate the timestamps with a 
high level of precision. Rebooting the box periodically will keep the timestamps from getting too far out of sync with 
reality.

On Apr 16, 2010, at 11:44 PM, Martin Visser wrote:

> While you can do what Tal says, you can do this easily in Wireshark. Before you capture, Capture->Options menu.  
> Under the Capture File(s) section, enter a File name, example mycapture.pcap and then select the Multiple Files 
> checkbox and only select Next File every 1 minute. You can option specify when you want to stop.
>
> Wireshark then will create a new file every minute called something like mycapture_00001_20100417131441.pcap (where 
> the first set of digits is a serial number and the second is contracted form of the date.
>
> Simple!
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
>
> On Sat, Apr 17, 2010 at 4:14 AM, Tal Bar-Or <tbaror () gmail com> wrote: says
> Hi,
>
> i would use first Tshark and then use file rotation( file ring buffer) lets say 2 files for 1 min and always query 
> the last file not active.
> Next i would phrase (regexp) data needed and write it to xml and send it to central location display it via web 
> console using Flex technology.
> Regsrds
>
>
> On Fri, Apr 16, 2010 at 5:38 PM, sachindeo v chavan <sachin_chavan () yahoo com> wrote:
> Hi all,
>
> I have a query on wireshark. I have version 1.2.7.
> How can I repetitively capture network and save the capture at regular interval say every 1 min while the capture is 
> going on?
>
> In other words, save the captured info on the fly? that is, save every 1 min while the capture is going on.
>
> regards
> sachin
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
>
>
> -- 
> Tal Bar-or
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
>
> <ATT00001..txt>

--
Phillip Paradis / Network Engineer / United Tote
Phone +1 502 509 7445 / Email phillip.paradis () unitedtote com

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe