The following works to perform a network trace for 1 hour (-a duration:3600) and to create multiple files of 10MB in size (-b filesize:10240). Files will have a “test” (-w test) prefix. The “-p” is to capture in promiscus mode. This uses less system resources than trying to achieve the same thing using the wireshark gui.<\/p>\n
dumpcap -a duration:3600 -b filesize:10240 -w test -p<\/p>\n
To merge all the captures in one file:<\/p>\n
mergecap -w bigfile littlefiles<\/p>\n
For example:<\/p>\n
mergecap -w all.cap one.cap two.cap etc.cap<\/p>\n
Or:<\/p>\n
mergecap -w all.cap small*.cap<\/p>\n
To use tshark (installed with wireshark) to filter a capture without using the GUI (much more efficient):<\/p>\n
tshark -R “anydisplayfilters<\/em>” -r inputfilename<\/em> -w outputfilename<\/em> <\/p>\n For example, here are two display filter examples. They are similar to the ones used in wireshark GUI. I kept trying to tcpdump filters, which work fine for capturing.: Filter notes: The following works to perform a network trace for 1 hour (-a duration:3600) and to create multiple files of 10MB in size (-b filesize:10240). Files will have a “test” (-w test) prefix. The “-p” is to capture in promiscus mode. This uses less system resources than trying to achieve the same thing using the wireshark [&hellip<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[106,105],"class_list":["post-152","post","type-post","status-publish","format-standard","hentry","category-documentation","tag-tshark","tag-wireshark"],"share_on_mastodon":{"url":"","error":""},"_links":{"self":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/152","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=152"}],"version-history":[{"count":4,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions"}],"predecessor-version":[{"id":1496,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=\/wp\/v2\/posts\/152\/revisions\/1496"}],"wp:attachment":[{"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=152"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=152"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jim-zimmerman.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=152"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\ntshark -R “ip.addr == 192.168.34.51” -r in.cap -w out-filtered.cap
\ntshark -R “ip.addr == 192.168.34.0\/24” -r in.cap -w out-filtered.cap <\/p>\n
\nHow to filter a time range:
\n(frame.time >= “mmm dd, yyyy hh:mm:ss”) && (frame.time <= \"mmm dd, yyyy hh:mm:ss\")\n<\/p>\n","protected":false},"excerpt":{"rendered":"