Long-Term recordings with Wireshark
by flandersen
Posted on September 16, 2016
Recording the network traffic via the Wireshark GUI results in a single big file. This is unpractical for obvious reasons. By using the terminal program TShark.exe in the Wireshark program folder, you start a customized recording.
tshark -i 1 -a duration:86400 -b duration:3600 -w "c:\recordings\new.pcap"The parameters have the following meaning:
| Parameter | Comment |
|---|---|
| -a duration:<interval> | defines the recording stop condition. In this example the maximum interval to record is 1 day (86400 sec.) |
| -b duration:<interval> | defines the size of the ring buffer. After exceeding the limit, a file switch happens. |
| -i <interface> | interface number |
| -w <filepath> | target file |
The resulting filenames look the following:
test_00001_20160914102510.pcap
test_00002_20160914112510.pcap
test_00003_20160914122510.pcap
...
test_00024_20160915102510.pcap
Study the help. There are some interesting possibilities.
Link: https://www.wireshark.org/docs/man-pages/tshark.html
Previous article