Wireshark mailing list archives

Re: proto.h extension

From: "Turney, Cal" <cal.turney () emc com>
Date: Fri, 8 May 2015 20:22:34 +0000

On Thu, 7 May 2015 John Dill <John.Dill@...> wrote:

On a unrelated note, is there some way to begin a capture in wireshark
(or

one of its tools) when a packet

matches a filter expression?  For example, I have a specific packet
that

triggers some process on the

system, and I want to capture for the next 2 minutes and then stop.


On Thu, 7 May 2015 Christopher Maynard <Christopher.Maynard () igt com> wrote:


This is not directly possible, no.  However, you can script something
together to make this work by utilizing 2 instances of dumpcap, for
example.
 The first instance would wait for the capture event of interest, then
terminate, which would allow the second instance to be started up with the
capture settings you desire (e.g., capturing for 2 minutes, etc.).

If you're running on Windows, I wrote a dumpcap.bat batch file to help
with this, which I originally announced on 31 May 2014 here:
https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html.  It
supports 4 modes of operation (including triggered captures), supports e-
mail notification of the event with the help of mailsend, and has hooks
for user-defined actions.  The latest published version of the batch file
is currently available under the Scripts section of
https://wiki.wireshark.org/Tools.  It is mostly self-documented, but you
can read more about it from the link above or from some questions on
ask.wireshark.org where I thought the batch file might possibly come in
handy for other folks:

1)
https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture-
upon-http-error-404
2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger
3) https://ask.wireshark.org/questions/26434/sound-alert

- Chris
P.S. Keep in mind that trigger mode might not be good enough though, as
capturing won't start until AFTER the event occurs.  If you want to be
sure you capture from the event onwards, you might want to run the batch
file in "Dumpcap+Event" Mode and use a ring buffer to do continuous
capturing until the event occurs and then just set the "Event kills
dumpcap?" option to "Y"
along with "Delay before kill/action" to 120 seconds in your case.

Here's an approach that would show the transition from working to failing with prior and subsequent traffic. Use
Wireshark's "Use multiple files" feature, or tshark's equivalent feature. Specify the number and size of captures
("splits") to obtain the transition from working to failure without being overwritten. Have the user run a script with
the following arguments:

* The PID of the Wireshark or tshark process
* How the event should be triggered:
(a) monitor a specified log file for a specified error message or text
or
(b) run tshark with a specified filter against the latest *complete* split
With its output redirected to a file which is checked for a non-zero
size or message.
Example: Filter for a STATUS_FILE_LOCK_CONFLICT error:
tshark -n -R "smb.nt_status == 0xc0000054" -r smb2_locking_andx.cap > <date-time>.txt
If the event occurs, the script should terminate Wireshark or tshark.
* [Optional] Specify the number of splits to retain prior to and/or following
the event. Delete the rest.
* The interval at which the log file or tshark output file should be checked
* How the user is to be notified: email, SNMP trap, a popup with sound,
or a building-wide an air raid siren. The notification should include
the name of the split containing the event its frame number.
* [Optional] gzip *each* split, FTP them to a specified address, email a
person, internal/external support group, or both indicating that the
splits are available for analysis, and, if multiple splits are retained,
the name of the split contaning the event and its frame number.

I wish I had the time to work on this but I've been assigned >2 years of development projects. Perhaps someone else
would be interested. I vote for Chris. =)

-- Cal

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

proto.h extension John Dill (May 07)
- Re: proto.h extension Christopher Maynard (May 07)
- Re: proto.h extension Guy Harris (May 07)
- <Possible follow-ups>
- Re: proto.h extension John Dill (May 08)
- Re: proto.h extension John Dill (May 08)
  - Re: proto.h extension Guy Harris (May 08)
    - Re: proto.h extension Evan Huus (May 08)
    - Re: proto.h extension Guy Harris (May 08)
    - Re: proto.h extension Jeff Morriss (May 08)
    - Re: proto.h extension Alexis La Goutte (May 10)
- Re: proto.h extension Turney, Cal (May 08)
- Re: proto.h extension John Dill (May 11)