[Winpcap-users] Question about record to multiple files

Tal Attaly tal.attaly at gmail.com
Sun Nov 13 14:28:47 PST 2011


Hi,

"take a look at how tcpdump/WinDump implement -C and -G.  -C is implemented
by checking the file size with pcap_dump_ftell(); "

and then... I should stop all the recording and start it manually again (and
lose packets), or is there a way to 'split' the recording file in a
smarter way?

Thanks a lot for the help.


2011/11/2 Guy Harris <guy at alum.mit.edu>

>
> On Nov 2, 2011, at 12:25 PM, j.snelders wrote:
>
> > On Wed, 2 Nov 2011 19:58:23 +0200 Tal Attaly wrote:
> >> Hi,
> >>
> >> How can I make an automatic 'split' of the recorded file, so the recording
> >> will be saved in multiple files? (For example: start recording to a new file
> >> as soon as the current file exceeds 25 MB / 60 minutes have passed)
> >
> > Wireshark
> > http://www.wireshark.org/docs/wsug_html_chunked/ChCapCaptureOptions.html
> > Go to:
> > Capture | Options
> >
> > Section Capture File(s)
> > File: define an output file
> > Select:
> > - Use multiple files
> > - Next file every 25 megabyte(s)
> > - Next file every 1 hour(s)
> > Hit Start
> >
> > TShark
> > http://www.wireshark.org/docs/man-pages/tshark.html
> > tshark -i 3 -a duration:3600 -a filesize:25000 -a files:3 -w test-a.pcap
>
> WinDump
>
>        see the -C and -G flags:
>
>                windump -i 3 -C 25 -G 3600 -w test-a.pcap
>
>        note that "25" means "25,000,000 bytes", not "26,214,400 bytes"
>
> Your own program
>
>        take a look at how tcpdump/WinDump implement -C and -G.  -C is
> implemented by checking the file size with pcap_dump_ftell(); -G is
> implemented by checking the time before writing each packet (yes, that
> means that if no packets arrive during an entire -G time period, you will
> *NOT* get an empty file for that period).
>
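
Added example, not code from tcpdump/WinDump or from the posters: the per-packet size and time check described in the quoted reply, as a small C rotating writer. Plain stdio (`fopen`/`ftell`/`fclose`) stands in for `pcap_dump_open()`/`pcap_dump_ftell()`/`pcap_dump_close()` so it builds without libpcap; in a libpcap program the same swap happens inside the packet callback while the `pcap_t` capture handle stays open, so the capture itself is never stopped. The struct and function names, the `base.N` file naming and the dummy packets are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* All names are hypothetical; stdio stands in for the pcap_dump_*() calls. */
struct file_hdr { uint32_t magic; uint16_t vmaj, vmin; int32_t zone;
                  uint32_t sigfigs, snaplen, linktype; };      /* 24 bytes */
struct rec_hdr  { uint32_t sec, usec, caplen, len; };          /* 16 bytes */

struct rotator {
    FILE  *fp;        /* current savefile (a pcap_dumper_t * with libpcap) */
    const char *base; /* base name; files become base.0, base.1, ...       */
    long   max_bytes, max_secs; /* limits like -C and -G; 0 disables       */
    time_t opened;    /* when the current file was started                 */
    int    count;     /* files opened so far                               */
};

/* Open the next file and write the pcap file header (pcap_dump_open()). */
static int rot_open(struct rotator *r, time_t now)
{
    struct file_hdr h = { 0xa1b2c3d4u, 2, 4, 0, 0, 65535, 1 /* Ethernet */ };
    char name[512];
    snprintf(name, sizeof name, "%s.%d", r->base, r->count);
    if ((r->fp = fopen(name, "wb")) == NULL) return -1;
    r->opened = now;
    r->count++;
    return fwrite(&h, sizeof h, 1, r->fp) == 1 ? 0 : -1;
}

/* Called once per captured packet, from the capture callback. The check runs
 * before the write, so an idle period produces no empty file. */
static int rot_write(struct rotator *r, time_t now, const void *pkt, uint32_t len)
{
    struct rec_hdr rh = { (uint32_t)now, 0, len, len };
    int too_big = r->fp && r->max_bytes && ftell(r->fp) >= r->max_bytes;
    int too_old = r->fp && r->max_secs && now - r->opened >= r->max_secs;
    if (too_big || too_old) {          /* pcap_dump_close() with libpcap */
        if (fclose(r->fp) != 0) return -1;
        r->fp = NULL;
    }
    if (r->fp == NULL && rot_open(r, now) != 0) return -1;
    if (fwrite(&rh, sizeof rh, 1, r->fp) != 1) return -1;
    return fwrite(pkt, 1, len, r->fp) == len ? 0 : -1;
}

int main(void) {   /* constructed input: five 60-byte dummy packets, 150-byte limit */
    unsigned char pkt[60] = {0}; struct rotator r = { NULL, "demo.pcap", 150, 0, 0, 0 };
    for (int i = 0; i < 5; i++) if (rot_write(&r, time(NULL), pkt, sizeof pkt)) return 1;
    printf("%d files written\n", r.count); return fclose(r.fp) != 0;
}
```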