Wireshark mailing list archives
Re: proto.h extension
From: Christopher Maynard <Christopher.Maynard () igt com>
Date: Thu, 7 May 2015 17:58:46 +0000 (UTC)
John Dill <John.Dill@...> writes:

> On an unrelated note, is there some way to begin a capture in wireshark (or
> one of its tools) when a packet matches a filter expression? For example, I
> have a specific packet that triggers some process on the system, and I want
> to capture for the next 2 minutes and then stop.
This is not directly possible, no. However, you can script something together to make this work by utilizing 2 instances of dumpcap, for example. The first instance would wait for the capture event of interest, then terminate, which would allow the second instance to be started up with the capture settings you desire (e.g., capturing for 2 minutes, etc.).

If you're running on Windows, I wrote a dumpcap.bat batch file to help with this, which I originally announced on 31 May 2014 here: https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html. It supports 4 modes of operation (including triggered captures), supports e-mail notification of the event with the help of mailsend, and has hooks for user-defined actions. The latest published version of the batch file is currently available under the Scripts section of https://wiki.wireshark.org/Tools. It is mostly self-documented, but you can read more about it from the link above or from some questions on ask.wireshark.org where I thought the batch file might possibly come in handy for other folks:

1) https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture-upon-http-error-404
2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger
3) https://ask.wireshark.org/questions/26434/sound-alert

- Chris

P.S. Keep in mind that trigger mode might not be good enough though, as capturing won't start until AFTER the event occurs. If you want to be sure you capture from the event onwards, you might want to run the batch file in "Dumpcap+Event" Mode and use a ring buffer to do continuous capturing until the event occurs and then just set the "Event kills dumpcap?" option to "Y" along with "Delay before kill/action" to 120 seconds in your case.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
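The two-instance approach Chris describes, and the ring-buffer alternative from his P.S., written out as a POSIX shell script. This is an added example, not the dumpcap.bat batch file from the thread, and it only uses dumpcap options that exist in every Wireshark release (-i, -p, -q, -c, -f, -a duration:, -b filesize:, -b files:, -w). The interface name, the trigger filter, the output directory and the ring-buffer sizes are assumed defaults that you would replace; setting DUMPCAP=echo gives a dry run that only prints the argument lists.

```shell
#!/bin/sh
# Triggered packet capture with two dumpcap instances (added example; the
# interface, filter, paths and ring sizes below are assumed placeholders).
#
#   trigger mode: instance 1 blocks until one packet matches the trigger
#                 filter (that packet is saved), instance 2 then captures
#                 for DURATION seconds. Traffic between the two starts is
#                 missed, which is the gap the P.S. warns about.
#   ring mode:    instance 1 captures continuously into a ring buffer,
#                 instance 2 waits for the trigger, and after DURATION
#                 seconds the ring capture is stopped, so the event and
#                 its aftermath are both on disk.

DUMPCAP="${DUMPCAP:-dumpcap}"            # set DUMPCAP=echo for a dry run
IFACE="${IFACE:-eth0}"                    # assumed capture interface
TRIGGER="${TRIGGER:-tcp port 8080 and tcp[tcpflags] & tcp-syn != 0}"  # assumed trigger filter (BPF)
DURATION="${DURATION:-120}"               # seconds to keep capturing after the trigger
OUTDIR="${OUTDIR:-/tmp/trigcap}"          # assumed output directory

# Accept only a positive integer for the post-trigger duration.
is_positive_int() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Instance 1: block until exactly one packet matches the filter, then exit.
# -p avoids promiscuous mode, -q suppresses the packet counter, -c 1 stops
# after the first matching packet, which is written to $3.
wait_for_trigger() {   # $1 iface, $2 capture filter, $3 output file
    "$DUMPCAP" -i "$1" -p -q -c 1 -f "$2" -w "$3"
}

# Instance 2 (trigger mode): capture everything for a fixed number of seconds.
capture_after_trigger() {   # $1 iface, $2 seconds, $3 output file
    "$DUMPCAP" -i "$1" -p -q -a "duration:$2" -w "$3"
}

trigger_mode() {
    mkdir -p "$OUTDIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    wait_for_trigger "$IFACE" "$TRIGGER" "$OUTDIR/trigger-$stamp.pcapng" || return 1
    capture_after_trigger "$IFACE" "$DURATION" "$OUTDIR/after-$stamp.pcapng"
}

ring_mode() {
    mkdir -p "$OUTDIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    # Continuous capture into a ring of 10 files of 50 MB (filesize is in kB);
    # the oldest file is overwritten, so disk use stays bounded while waiting.
    "$DUMPCAP" -i "$IFACE" -p -q -b filesize:51200 -b files:10 \
        -w "$OUTDIR/ring-$stamp.pcapng" &
    ring_pid=$!
    if ! wait_for_trigger "$IFACE" "$TRIGGER" "$OUTDIR/trigger-$stamp.pcapng"; then
        kill -INT "$ring_pid"
        return 1
    fi
    sleep "$DURATION"          # "Delay before kill": keep the aftermath too
    kill -INT "$ring_pid"      # SIGINT lets dumpcap close the file cleanly
    wait "$ring_pid"
}

is_positive_int "$DURATION" || { echo "DURATION must be a positive integer" >&2; exit 2; }
case "${1:-}" in
    trigger) trigger_mode ;;
    ring)    ring_mode ;;
    '')      ;;   # no mode given: only define the functions (sourcing / dry run)
    *)       echo "usage: $0 trigger|ring" >&2; exit 2 ;;
esac
```

Run it as `sudo ./trigcap.sh trigger` or `sudo ./trigcap.sh ring` (dumpcap needs capture privileges either way). Both instances listen on the same interface; the trigger instance uses a capture filter so it sees only candidate packets, while the second instance captures unfiltered so the analysis can be done later in Wireshark with display filters.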