How to Schedule Automatic Packet Captures Using tshark

Document ID : KB000032032
Last Modified Date : 14/02/2018

Sometimes issues arise on the network at predictable times of day when nobody is available to troubleshoot them. This document explains how to use tshark, the command-line companion to Wireshark®, to schedule a packet capture so that the data is collected automatically for later analysis.

If you anticipate that something will happen at a particular time of day, you can schedule a packet capture with the tshark executable found in the Wireshark® installation directory. The following command captures for two hours (7200 seconds) on interface 2, keeping only packets sent from or to IP 192.168.1.14:

<absolute path>\tshark -i 2 -a duration:7200 -x -f "host 192.168.1.14" -w c:\tshoot\1_16.pcap

-i 2 selects capture interface number 2. Run "tshark -D" to list the interfaces available for capture together with their index numbers. The numbering can change when adapters are added or removed, so check it on the machine that will run the scheduled task.

-a duration:7200 stops the capture after 7200 seconds (two hours).

-f "host 192.168.1.14" is a capture filter in libpcap (BPF) syntax. It is applied before packets are written, so only traffic to or from that address is kept and the output file stays small. Any libpcap filter expression can be used here; see tshark.html in the Wireshark® installation directory for the syntax. Capture filters use a different syntax from Wireshark® display filters, so a display filter pasted here will be rejected.

-x prints a hex dump of every packet to standard output. It does not change what is written to the file, so for an unattended run it can be dropped, or replaced with -q to suppress per-packet console output altogether.

-w writes the captured packets to the file at the path and filename you enter. The directory must already exist; tshark will not create it.

On Windows, put the command in a file with a .bat extension and schedule it with the Windows Task Scheduler (under Administrative Tools). The Task Scheduler may take several seconds to launch the task, so allow for that when choosing the trigger time. Configure the task to run under an administrative account (supply that account's login and password), to run whether the user is logged on or not, and to run with highest privileges; capturing requires access to the WinPcap or Npcap driver installed alongside Wireshark®. Create a trigger for the time at which you want the capture to start. Test the task by running it manually before the scheduled time and confirm that the output directory (c:\tshoot in the example) exists and that the capture file appears. Because the task stores the account's password and the resulting file contains every packet that matched the filter, use a dedicated account rather than a personal one and restrict access to the output folder. The task can be exported to an XML file for the customer to edit and import on their own system.

On Linux and Solaris you can schedule the capture with cron. Create the output directory first, because tshark will not create it. The following line in /etc/crontab runs the capture on April eighth at 10:36 PM. The fields are minute, hour, day of month, month, day of week, the user to run as, and then the command; in a per-user crontab edited with "crontab -e" the user field is omitted. Capturing needs raw access to the interface, so the job runs as root unless dumpcap has been granted capture capabilities on your system. Use a lower-case -i for the interface: the upper-case -I option means monitor mode. As on Windows, -x only writes hex dumps to standard output, which under cron is mailed to the user, so drop it or use -q for an unattended run.

36 22 08 04 * root /usr/sbin/tshark -i 1 -a duration:7200 -x -f "host 192.168.1.14" -w /usr/wireshark_output/4_8_14.capture.pcap

TShark also has an option, -b, for rotating output files, which keeps a long capture from producing a single enormous file. From the tshark man page:

-b <capture ring buffer option>

Cause TShark to run in "multiple files" mode. In "multiple files" mode, TShark will write to several capture files. When the first capture file fills up, TShark will switch writing to the next file and so on.
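
The following wrapper script puts the cron scheduling and the -b rotation together. It is an added example written for this article, not part of the original KB text and not a script shipped with Wireshark®. The interface name eth0, the output directory /var/tmp/tshoot, the 100 MB rotation size and the script name are assumptions; the host filter and the two-hour duration are the article's own values.

```sh
#!/bin/sh
# Cron wrapper for an unattended tshark capture. Added example written for this
# article, not a script shipped with Wireshark or by CA. The interface name, output
# directory, duration, filter and file-size values are assumptions; adjust them.
set -eu

IFACE="${IFACE:-eth0}"                           # assumed; list real names with: tshark -D
OUTDIR="${OUTDIR:-/var/tmp/tshoot}"              # assumed; created below, tshark does not create it
DURATION="${DURATION:-7200}"                     # seconds; 7200 = two hours, as in the article
HOST_FILTER="${HOST_FILTER:-host 192.168.1.14}"  # libpcap capture filter (BPF), the article's host
FILESIZE_KB="${FILESIZE_KB:-102400}"             # rotate every 100 MB instead of one huge file
TSHARK="${TSHARK:-tshark}"

# Output name built from the start time, so a recurring job never overwrites an
# earlier capture. With -b in use tshark itself inserts a sequence number and a
# timestamp before the extension.
capture_path() {   # $1 = directory, $2 = timestamp such as 20180408_2236
  printf '%s/%s_%s.pcapng\n' "$1" "$2" "$IFACE"
}

# Hands the tshark options to whatever command follows the output file, so the same
# argument list is used both to print the command for review and to run it.
#   -q           no per-packet output on stdout (under cron that becomes mail, not capture data)
#   -a duration  stop after N seconds
#   -b filesize  "multiple files" mode, switch to a new file every N kB
#   -f           capture filter applied by libpcap before packets reach tshark
with_tshark_args() {   # $1 = output file, $2... = command to prefix
  out="$1"; shift
  "$@" -i "$IFACE" -q -a "duration:$DURATION" -b "filesize:$FILESIZE_KB" \
       -f "$HOST_FILTER" -w "$out"
}

# Prints the argument list one per line; the filter stays a single argument despite its space.
tshark_args() {   # $1 = output file
  with_tshark_args "$1" printf '%s\n'
}

# Runs the capture; exits non-zero if the directory cannot be created or tshark fails,
# so cron's mail (or your log) says the capture did not happen rather than staying silent.
run_capture() {
  mkdir -p "$OUTDIR"
  out="$(capture_path "$OUTDIR" "$(date +%Y%m%d_%H%M)")"
  echo "$(date '+%Y-%m-%dT%H:%M:%S') starting capture on $IFACE -> $out"
  with_tshark_args "$out" "$TSHARK"
  echo "$(date '+%Y-%m-%dT%H:%M:%S') finished:"
  ls -l "${out%.pcapng}"*
}

# Only capture when invoked with --run, so the file can also be sourced and its
# functions checked on a machine without tshark installed.
if [ "${1:-}" = "--run" ]; then
  run_capture
fi
```

Schedule it from /etc/crontab with a line such as `36 22 08 04 * root /usr/local/sbin/tshoot_capture.sh --run >>/var/log/tshoot.log 2>&1` (script path and log file assumed). Before the scheduled time, review the exact command with `sh -c '. ./tshoot_capture.sh && tshark_args /tmp/test.pcapng'` and then run the script once by hand with --run to confirm the directory, interface and filter are right. If disk space is a concern, -b also accepts `files:N` to cap the number of rotated files that are kept.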


Note:     Wireshark® is available under the GNU General Public License version 2.  It is available for download at http://www.wireshark.org/download.html.  CA Technologies Inc does not endorse Wireshark®.