The command line to schedule a ten minute capture for packets on interface 2 from or destined for IP 192.168.1.14 would be:
<absolute path>\tshark -i 2 -a duration:7200 -x -f "host 192.168.1.14" -w c:\tshoot\1_16.pcap
“i 2” means interface 2. Run “tshark –D” to see a list of the indexed interfaces available for capture.
7200 is the number of seconds to run the trace
-w directs the output to a file at the path and filename you enter.
You can add filters onto the –f argument. See tshark.html in the Wireshark® installation directory for help.
On Windows, you can put this in a file with a .bat extension and schedule it in the Windows Task Scheduler (under Administrative Tools). It might take several seconds for the Task Scheduler to launch. Set the task to run with an admin user’s login and password. Set it to run whether the user is logged in or not. Run with the highest privileges. You will create a new trigger that is just the time when you want it to run. You can test it by running it manually before the scheduled time. You can export the task to an xml file to for the customer to edit and import.
You can cron the task in Linux and Solaris. You need to create the output directory first. The following line in your /etc/crontab will run the capture on April eighth at 11:36 PM:
36 22 08 04 * /usr/sbin/tshark –I 1 -a duration:7200 -x -f "host 192.168.1.14" –w /usr/wireshark_output/4_8_14.capture.pcap
tshark also has an option for rotating output files. From the tshark man page:
-b <capture ring buffer option>
Cause TShark to run in "multiple files" mode. In "multiple files" mode, TShark will write to several capture files. When the first capture file fills up, TShark will switch writing to the next file and so on.