Wireshark-dev: Re: [Wireshark-dev] proto.h extension
From: "Turney, Cal" <cal.turney@xxxxxxx>
Date: Fri, 8 May 2015 20:22:34 +0000
> On Thu, 7 May 2015 John Dill <John.Dill@...> wrote:
> 
> > On a unrelated note, is there some way to begin a capture in wireshark
> > (or
> one of its tools) when a packet
> > matches a filter expression?  For example, I have a specific packet
> > that
> triggers some process on the
> > system, and I want to capture for the next 2 minutes and then stop.

On Thu, 7 May 2015 Christopher Maynard <Christopher.Maynard@xxxxxxx> wrote:
> 
> This is not directly possible, no.  However, you can script something
> together to make this work by utilizing 2 instances of dumpcap, for
> example.
>  The first instance would wait for the capture event of interest, then
> terminate, which would allow the second instance to be started up with the
> capture settings you desire (e.g., capturing for 2 minutes, etc.).
> 
> If you're running on Windows, I wrote a dumpcap.bat batch file to help
> with this, which I originally announced on 31 May 2014 here:
> https://www.wireshark.org/lists/wireshark-users/201405/msg00030.html.  It
> supports 4 modes of operation (including triggered captures), supports e-
> mail notification of the event with the help of mailsend, and has hooks
> for user-defined actions.  The latest published version of the batch file
> is currently available under the Scripts section of
> https://wiki.wireshark.org/Tools.  It is mostly self-documented, but you
> can read more about it from the link above or from some questions on
> ask.wireshark.org where I thought the batch file might possibly come in
> handy for other folks:
> 
> 1)
> https://ask.wireshark.org/questions/39456/is-there-a-way-to-stop-capture-
> upon-http-error-404
> 2) https://ask.wireshark.org/questions/40888/custom-stop-recording-trigger
> 3) https://ask.wireshark.org/questions/26434/sound-alert
> 
> - Chris
> P.S. Keep in mind that trigger mode might not be good enough though, as
> capturing won't start until AFTER the event occurs.  If you want to be
> sure you capture from the event onwards, you might want to run the batch
> file in "Dumpcap+Event" Mode and use a ring buffer to do continuous
> capturing until the event occurs and then just set the "Event kills
> dumpcap?" option to "Y"
> along with "Delay before kill/action" to 120 seconds in your case.
>
Here's an approach that would show the transition from working to failing with prior and subsequent traffic. Use Wireshark's "Use multiple files" feature, or tshark's equivalent feature. Specify the number and size of captures ("splits") to obtain the transition from working to failure without being overwritten. Have the user run a script with the following arguments:

* The PID of the Wireshark or tshark process
* How the event should be triggered: 
  (a) monitor a specified log file for a specified error message or text
or 
  (b) run tshark with a specified filter against the latest *complete* split
      With its output redirected to a file which is checked for a non-zero
      size or message.
      Example: Filter for a STATUS_FILE_LOCK_CONFLICT error:
      tshark -n -R "smb.nt_status == 0xc0000054" -r smb2_locking_andx.cap > <date-time>.txt
  If the event occurs, the script should terminate Wireshark or tshark.
* [Optional] Specify the number of splits to retain prior to and/or following
  the event. Delete the rest.
* The interval at which the log file or tshark output file should be checked
* How the user is to be notified: email, SNMP trap, a popup with sound,
  or a building-wide an air raid siren. The notification should include 
  the name of the split containing the event its frame number. 
* [Optional] gzip *each* split, FTP them to a specified address, email a
  person, internal/external support group, or both indicating that the
  splits are available for analysis, and, if multiple splits are retained,
  the name of the split contaning the event and its frame number.  

I wish I had the time to work on this but I've been assigned >2 years of development projects. Perhaps someone else would be interested. I vote for Chris. =)

-- Cal