Wireshark mailing list archives
Re: proto.h extension
From: "Turney, Cal" <cal.turney () emc com>
Date: Fri, 8 May 2015 20:22:34 +0000
On Thu, 7 May 2015 John Dill <John.Dill@...> wrote:On a unrelated note, is there some way to begin a capture in wireshark (orone of its tools) when a packetmatches a filter expression? For example, I have a specific packet thattriggers some process on thesystem, and I want to capture for the next 2 minutes and then stop.
On Thu, 7 May 2015 Christopher Maynard <Christopher.Maynard () igt com> wrote:
This is not directly possible, no. However, you can script something together to make this work by utilizing 2 instances of dumpcap, for example. The first instance would wait for the capture event of interest, then terminate, which would allow the second instance to be started up with the capture settings you desire (e.g., capturing for 2 minutes, etc.). If you're running on Windows, I wrote a dumpcap.bat batch file to help with this, which I originally announced on 31 May 2014 here: https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html. It supports 4 modes of operation (including triggered captures), supports e- mail notification of the event with the help of mailsend, and has hooks for user-defined actions. The latest published version of the batch file is currently available under the Scripts section of https://wiki.wireshark.org/Tools. It is mostly self-documented, but you can read more about it from the link above or from some questions on ask.wireshark.org where I thought the batch file might possibly come in handy for other folks: 1) https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture- upon-http-error-404 2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger 3) https://ask.wireshark.org/questions/26434/sound-alert - Chris P.S. Keep in mind that trigger mode might not be good enough though, as capturing won't start until AFTER the event occurs. If you want to be sure you capture from the event onwards, you might want to run the batch file in "Dumpcap+Event" Mode and use a ring buffer to do continuous capturing until the event occurs and then just set the "Event kills dumpcap?" option to "Y" along with "Delay before kill/action" to 120 seconds in your case.
Here's an approach that would show the transition from working to failing with prior and subsequent traffic. Use Wireshark's "Use multiple files" feature, or tshark's equivalent feature. Specify the number and size of captures ("splits") to obtain the transition from working to failure without being overwritten. Have the user run a script with the following arguments: * The PID of the Wireshark or tshark process * How the event should be triggered: (a) monitor a specified log file for a specified error message or text or (b) run tshark with a specified filter against the latest *complete* split With its output redirected to a file which is checked for a non-zero size or message. Example: Filter for a STATUS_FILE_LOCK_CONFLICT error: tshark -n -R "smb.nt_status == 0xc0000054" -r smb2_locking_andx.cap > <date-time>.txt If the event occurs, the script should terminate Wireshark or tshark. * [Optional] Specify the number of splits to retain prior to and/or following the event. Delete the rest. * The interval at which the log file or tshark output file should be checked * How the user is to be notified: email, SNMP trap, a popup with sound, or a building-wide an air raid siren. The notification should include the name of the split containing the event its frame number. * [Optional] gzip *each* split, FTP them to a specified address, email a person, internal/external support group, or both indicating that the splits are available for analysis, and, if multiple splits are retained, the name of the split contaning the event and its frame number. I wish I had the time to work on this but I've been assigned >2 years of development projects. Perhaps someone else would be interested. I vote for Chris. =) -- Cal ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- proto.h extension John Dill (May 07)
- Re: proto.h extension Christopher Maynard (May 07)
- Re: proto.h extension Guy Harris (May 07)
- <Possible follow-ups>
- Re: proto.h extension John Dill (May 08)
- Re: proto.h extension John Dill (May 08)
- Re: proto.h extension Guy Harris (May 08)
- Re: proto.h extension Evan Huus (May 08)
- Re: proto.h extension Guy Harris (May 08)
- Re: proto.h extension Jeff Morriss (May 08)
- Re: proto.h extension Alexis La Goutte (May 10)
- Re: proto.h extension Guy Harris (May 08)