8.22.2016

Wireshark Re-occurring Capture

1) Navigate to the Wireshark folder, usually under c:\program files\Wireshark.
2) At c:\program files\Wireshark\, type and run "tshark -D" (make sure the D is capitalized). This displays the interfaces on the system; choose the interface to capture from (1, 2, 3, 4, etc.).
3) At c:\program files\Wireshark\, type and run "dumpcap -i 1 -b files:20 -b filesize:20000 -w sipcapture.pcap" (IMPORTANT: if capturing on an NEC system, set filesize to 20000; they will only accept 20 MB captures).
4) This runs a packet capture on interface 1 with the "ring buffer" active, using 20 files of 20 MB each, and names each capture file sipcapture plus a date-and-time stamp, with a .pcap extension.
5) "Ring buffer" means that after the 20th file it goes back to file 1 and starts overwriting, making sure the hard drive does not fill up.
6) The files will be located under c:\program files\Wireshark.
7) For more explanation of the command switches, see http://www.wireshark.org/docs/man-pages/dumpcap.html


dumpcap -i 1 -b files:20 -b filesize:20000 -w sipcapture.pcap
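Added example, not from the original post: a small POSIX sh helper (assumes a Git Bash or WSL shell next to the Wireshark tools) that picks the interface number from "tshark -D" output by name instead of guessing it, builds the ring-buffer dumpcap command from the post, and checks the disk footprint and the 20 MB NEC limit before you start the capture. The "tshark -D" listing below is constructed sample output; the function names are my own.

```sh
#!/bin/sh
# Constructed sample of what "tshark -D" prints on a Windows box.
# On a real system replace it with:  TSHARK_LIST="$(tshark -D)"
TSHARK_LIST='1. \Device\NPF_{A1B2C3D4-0000-1111-2222-333344445555} (Local Area Connection)
2. \Device\NPF_{F0E1D2C3-0000-1111-2222-333344445555} (Wireless Network Connection)
3. \Device\NPF_Loopback (Adapter for loopback traffic capture)'

# iface_index NAME: print the interface number whose description contains NAME,
# so the "-i" argument is chosen by adapter name rather than by position.
iface_index() {
    printf '%s\n' "$TSHARK_LIST" | grep -F "$1" | head -n 1 | sed 's/^\([0-9]*\)\..*/\1/'
}

# ring_cmd IFACE FILES FILESIZE_KB PREFIX: build the dumpcap ring-buffer command.
# dumpcap's filesize is in kB, so 20000 is roughly 20 MB per file.
ring_cmd() {
    iface=$1; files=$2; kb=$3; prefix=$4
    printf 'dumpcap -i %s -b files:%s -b filesize:%s -w %s.pcap\n' \
        "$iface" "$files" "$kb" "$prefix"
}

# ring_disk_mb FILES FILESIZE_KB: worst-case disk usage of the whole ring in MB.
ring_disk_mb() {
    echo $(( $1 * $2 / 1000 ))
}

# check_nec FILESIZE_KB: NEC only accepts captures of 20 MB or less (per the post).
# Returns 0 when the per-file size is acceptable, 1 otherwise.
check_nec() {
    [ "$1" -le 20000 ]
}

# Usage: build the command for the wired adapter with 20 x 20 MB files.
IFACE=$(iface_index 'Local Area Connection')
check_nec 20000 && ring_cmd "$IFACE" 20 20000 sipcapture
echo "ring buffer needs up to $(ring_disk_mb 20 20000) MB of disk"
```

Run the printed command from the Wireshark folder; the disk figure tells you how much space the ring will hold at most, since older files are overwritten once all 20 exist.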

