Long-Term recordings with Wireshark

by flandersen

Posted on September 16, 2016

Recording network traffic through the Wireshark GUI produces one single, very large capture file, which is impractical for long-running captures. Using the terminal program TShark.exe, found in the Wireshark program folder, you can start a customized recording that rotates its output files instead:

tshark -i 1 -a duration:86400 -b duration:3600 -w "c:\recordings\new.pcap"

The parameters have the following meaning:

Parameter                Comment
-a duration:<interval>   Stop condition for the recording. In this example the maximum recording time is 1 day (86400 sec.).
-b duration:<interval>   Ring buffer option: after <interval> seconds the capture switches to a new file. In this example a new file is started every hour (3600 sec.).
-i <interface>           Number of the interface to capture on.
-w <filepath>            Target file (base name for the ring buffer files).
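An added helper around the command above, written as POSIX sh for this post (it is not part of the original post, and the verifier it was checked with runs sh, not the Windows shell). It builds the capture command from human-readable durations, adds the real TShark option "-b files:<n>" to bound the number of ring buffer files kept on disk, and looks up which ring buffer file covers a given timestamp, assuming TShark's usual naming scheme <prefix>_<NNNNN>_<YYYYMMDDhhmmss>.pcap; the sample file names are constructed for the example.

```shell
#!/bin/sh
# to_seconds: accept "86400", "24h", "1d", "30m" and return seconds
to_seconds() {
  case "$1" in
    *d) echo $(( ${1%d} * 86400 )) ;;
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo "${1%s}" ;;
    *)  echo "$1" ;;
  esac
}

# build_capture_cmd IFACE TOTAL SWITCH OUTFILE
# -a duration: stop after TOTAL seconds (the page's 1 day)
# -b duration: switch to a new file every SWITCH seconds (the page's 1 hour)
# -b files:   keep only as many files as the window needs, so disk use is bounded
build_capture_cmd() {
  iface=$1; total=$(to_seconds "$2"); switch=$(to_seconds "$3"); out=$4
  if [ "$switch" -gt "$total" ]; then
    echo "file switch interval must not exceed total duration" >&2
    return 1
  fi
  nfiles=$(( (total + switch - 1) / switch ))   # round up
  printf 'tshark -i %s -a duration:%s -b duration:%s -b files:%s -w %s\n' \
    "$iface" "$total" "$switch" "$nfiles" "$out"
}

# ring_file_for TIMESTAMP FILE...
# Ring buffer files carry their start time in the name (assumed format:
# <prefix>_<NNNNN>_<YYYYMMDDhhmmss>.pcap). Return the file whose start time is
# the latest one not after TIMESTAMP, i.e. the file that holds that moment.
ring_file_for() {
  want=$1; shift; best=""
  for f in "$@"; do
    stamp=${f##*_}; stamp=${stamp%.*}          # YYYYMMDDhhmmss part
    [ "$stamp" -le "$want" ] && best=$f
  done
  [ -n "$best" ] && echo "$best"
}
```

Run "build_capture_cmd 1 1d 1h /var/captures/new.pcap" to reproduce the post's command with a 24 file cap, and pass the capture directory's file names to ring_file_for to find the hour-long file for an incident time.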

The resulting filenames look like this:


Study the manual page; it offers some interesting further options.
Link: https://www.wireshark.org/docs/man-pages/tshark.html