![]() ![]() When the first capture file fills up, TShark will switch writing to the next file and so on. tshark is a command-line-based protocol analyzer tool used to capture and analyze network traffic from a live network. In "multiple files" mode, TShark will write to several capture files. From the tshark man page:Ĭause TShark to run in "multiple files" mode. Tshark also has an option for rotating output files. The following line in your /etc/crontab will run the capture on April eighth at 11:36 PM:ģ6 22 08 04 * /usr/sbin/tshark –I 1 -a duration:7200 -x -f "host 192.168.1.14" –w /usr/wireshark_output/4_8_14.capture.pcap You need to create the output directory first. You can cron the task in Linux and Solaris. You can export the task to an xml file to for the customer to edit and import. You can test it by running it manually before the scheduled time. You will create a new trigger that is just the time when you want it to run. Set it to run whether the user is logged in or not. For example the following command saves the output to a file named dump.pcap in /tmp directory. Set the task to run with an admin user’s login and password. Use -w option to tell TShark to dump the output to a file. It might take several seconds for the Task Scheduler to launch. bat extension and schedule it in the Windows Task Scheduler (under Administrative Tools). On Windows, you can put this in a file with a. See tshark.html in the Wireshark® installation directory for help. This is pretty cool as it provides a lot more functionality. You can add filters onto the –f argument. Tshark actually uses the Wireshark Display Filter syntax for both capture and display. w directs the output to a file at the path and filename you enter. Run “tshark –D” to see a list of the indexed interfaces available for capture.ħ200 is the number of seconds to run the trace The command line to schedule a ten minute capture for packets on interface 2 from or destined for IP 192.168.1.14 would be:
0 Comments
Leave a Reply. |