Wireshark-users: Re: [Wireshark-users] automate capture feature
From: Phil Paradis <Phil.Paradis@xxxxxxxxxxxxxx>
Date: Sat, 17 Apr 2010 01:09:11 -0700
Rotating the files every minute is going to generate a LOT of files; if the capture is going to run for any significant length of time, I'd suggest using a file size limit and/or a much longer time limit. Some filesystems will choke on directories with huge numbers of files in them; something to keep in mind when determining how many files to keep.

Captured data is written to disk pretty much as it's received (there is a delay of several seconds due to write caching by the OS) so that shouldn't be a major concern; if the box crashes during a capture, you shouldn't lose more than a few seconds' worth of captured data.

If you plan to run your capture for a long time, I'd suggest using dumpcap instead of tshark/wireshark; dumpcap simply writes the packets to disk, while the *shark tools also analyze them in real-time. As a result, the *shark tools will eventually run out of RAM trying to maintain state information over very long periods of time.

A final point to note is that for very long-running captures (many days) on Windows boxes, the accuracy of timestamps will be adversely affected. This is a limitation of the mechanism used by WinPcap to generate the timestamps with a high level of precision. Rebooting the box periodically will keep the timestamps from getting too far out of sync with reality.

On Apr 16, 2010, at 11:44 PM, Martin Visser wrote:

> While you can do what Tal says, you can do this easily in Wireshark. Before you capture, Capture->Options menu. Under the Capture File(s) section, enter a File name, example mycapture.pcap and then select the Multiple Files checkbox and only select Next File every 1 minute. You can optionally specify when you want to stop.
>
> Wireshark then will create a new file every minute called something like mycapture_00001_20100417131441.pcap (where the first set of digits is a serial number and the second is contracted form of the date).
>
> Simple!
>
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
>
> On Sat, Apr 17, 2010 at 4:14 AM, Tal Bar-Or <tbaror@xxxxxxxxx> wrote:
> Hi,
>
> I would use first Tshark and then use file rotation (file ring buffer), let's say 2 files for 1 min, and always query the last file not active.
> Next I would phrase (regexp) data needed and write it to XML and send it to central location display it via web console using Flex technology.
> Regards
>
>
> On Fri, Apr 16, 2010 at 5:38 PM, sachindeo v chavan <sachin_chavan@xxxxxxxxx> wrote:
> Hi all,
>
> I have a query on wireshark. I have version 1.2.7.
> How can I repetitively capture network and save the capture at regular interval say every 1 min while the capture is going on?
>
> In other words, save the captured info on the fly? That is, save every 1 min while the capture is going on.
>
> regards
> sachin
>
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> --
> Tal Bar-or

--
Phillip Paradis / Network Engineer / United Tote
Phone +1 502 509 7445 / Email phillip.paradis@xxxxxxxxxxxxxx
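Added example, not part of the original thread: a Python sketch of the "always query the last file not active" step, which picks the newest finished file from a ring-buffer directory by parsing names of the form quoted above (mycapture_00001_20100417131441.pcap). The function names, the sample listing and the rule that the newest file is the one still being written are assumptions of this example.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# Assumed name layout, taken from the example in the thread:
# <base>_<5-digit serial>_<YYYYMMDDhhmmss>.pcap
RING_NAME = re.compile(r"^(?P<base>.+)_(?P<serial>\d{5})_(?P<stamp>\d{14})\.pcap$")


class RingFile(NamedTuple):
    name: str
    base: str
    serial: int
    started: datetime


def parse_ring_name(name: str) -> Optional[RingFile]:
    """Return the parsed parts of a ring-buffer file name, or None if it is not one."""
    m = RING_NAME.match(name)
    if m is None:
        return None
    try:
        started = datetime.strptime(m["stamp"], "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that are not a real date/time
        return None
    return RingFile(name, m["base"], int(m["serial"]), started)


def completed_files(names: List[str], base: str) -> List[RingFile]:
    """Files of one capture, oldest first, minus the newest one.

    Assumption: the capture is still running, so the newest file is the
    one being written and must not be read yet.
    """
    ring = [f for f in map(parse_ring_name, names) if f and f.base == base]
    ring.sort(key=lambda f: (f.started, f.serial))
    return ring[:-1]


def latest_completed(names: List[str], base: str) -> Optional[RingFile]:
    done = completed_files(names, base)
    return done[-1] if done else None


# Constructed directory listing (not real capture files).
SAMPLE = ["mycapture_00002_20100417131541.pcap", "notes.txt",
          "mycapture_00003_20100417131641.pcap", "other_00001_20100417131500.pcap",
          "mycapture_00001_20100417131441.pcap", "mycapture_00004_20100417991641.pcap"]
```

In use, the list of names would come from os.listdir() on the capture directory, and len(completed_files(...)) gives a quick check on how many files have accumulated.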