[Winpcap-users] Question about record to multiple files
Guy Harris
guy at alum.mit.edu
Wed Nov 2 12:41:08 PDT 2011
On Nov 2, 2011, at 12:25 PM, j.snelders wrote:
> On Wed, 2 Nov 2011 19:58:23 +0200 Tal Attaly wrote:
>> Hi,
>>
>> How can I make an automatic 'split' of the recorded file, so the recording
>> will be saved in multiple files? (For example, start recording to a new file
>> as soon as the current file exceeds 25 MB / 60 minutes have passed)
>
> Wireshark
> http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureOptions.html
> Go to:
> Capture | Options
>
> Section Capture File(s)
> File: define an output file
> Select:
> - Use multiple files
> - Next file every 25 megabyte(s)
> - Next file every 1 hour(s)
> Hit Start
>
> TShark
> http://www.wireshark.org/docs/man-pages/tshark.html
> tshark -i 3 -a duration:3600 -a filesize:25000 -a files:3 -w test-a.pcap

WinDump

    See the -C and -G flags:

        windump -i 3 -C 25 -G 3600 -w test-a.pcap

    Note that "25" means "25,000,000 bytes", not "26,214,400 bytes".

Your own program

    Take a look at how tcpdump/WinDump implement -C and -G. -C is implemented by checking the file size with pcap_dump_ftell(); -G is implemented by checking the time before writing each packet (yes, that means that if no packets arrive during an entire -G time period, you will *NOT* get an empty file for that period).
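
The rotation checks described in the reply above, as an added example that is not part of the original message and is not tcpdump/WinDump code. It assumes plain stdio and a hand-written pcap header in place of libpcap so it builds without the library: ftell() stands in for pcap_dump_ftell(), and the struct and function names are hypothetical. The caller passes the timestamp so the quiet-period case can be reproduced.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical rotation state for this example (not tcpdump's own names). */
struct rot {
    const char *base;   /* output file name prefix */
    long max_bytes;     /* size limit, like -C (0 = off) */
    long period;        /* time limit in seconds, like -G (0 = off) */
    long start;         /* timestamp at which the current file was opened */
    int index;          /* number of files opened so far */
    FILE *fp;           /* current output file, NULL if none */
};

void rot_close(struct rot *r) { if (r->fp) { fclose(r->fp); r->fp = NULL; } }

/* Open the next file and write the 24-byte pcap global header. */
static int rot_open(struct rot *r, long now) {
    struct { uint32_t magic; uint16_t major, minor; int32_t zone;
             uint32_t sigfigs, snaplen, linktype; }
        gh = {0xa1b2c3d4, 2, 4, 0, 0, 65535, 1};    /* linktype 1 = Ethernet */
    char name[256];
    snprintf(name, sizeof name, "%s.%d.pcap", r->base, r->index);
    if (!(r->fp = fopen(name, "wb"))) return -1;
    r->index++;
    r->start = now;
    return fwrite(&gh, sizeof gh, 1, r->fp) == 1 ? 0 : -1;
}

/* Write one packet; both rotation checks run here, before the write. */
int rot_write(struct rot *r, long now, const void *data, uint32_t len) {
    uint32_t rh[4] = {(uint32_t)now, 0, len, len};  /* sec, usec, caplen, len */
    if (r->fp && r->period && now - r->start >= r->period)
        rot_close(r);                               /* time check */
    if (r->fp && r->max_bytes && ftell(r->fp) > r->max_bytes)
        rot_close(r);                               /* size check */
    if (!r->fp && rot_open(r, now) != 0) return -1;
    if (fwrite(rh, sizeof rh, 1, r->fp) != 1) return -1;
    return fwrite(data, 1, len, r->fp) == len ? 0 : -1;
}

int main(void) {
    unsigned char pkt[100] = {0};                   /* constructed packet bytes */
    struct rot r = {"example", 0, 3600, 0, 0, NULL};
    rot_write(&r, 1000, pkt, sizeof pkt);           /* opens example.0.pcap */
    rot_write(&r, 1000 + 4 * 3600, pkt, sizeof pkt);/* quiet hours add no files */
    rot_close(&r);
    printf("files written: %d\n", r.index);
    return 0;
}
```

Because the size check runs before the write, a file can end up larger than the limit by up to one packet record.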