On Thu, Nov 13, 2008 at 11:07:26AM -0500, Terry Martin wrote:
> I am setting up Tshark to continuously collect information on a network
> connection
If you want to capture continuously, dumpcap is a better choice as it
does not keep state of the packets it captures, it just writes them to
disk.
> and store the information into a file every 15 minutes with the
> name of the file being mm_dd_hh_mm.
With -b duration:900 -w dump.cap, dumpcap would use a serial number
as well as a datetime string in the filename. It writes files like this:
Packets: 58 File: dump_00002_20081113174508.cap
Packets: 85 File: dump_00003_20081113174532.cap
Packets: 306 File: dump_00004_20081113174537.cap
(note that it does not create a new file when there were no packets
after switching to the next file)
Would that do?
> I want this collection to only save
> the header information
What do you mean by "header"? Just the ip-header? If so, you can use the
snaplength option to cut off after 14 (eth) + 20 (ip) = 34 octets
(assuming no extra IP options are used):
dumpcap -s 34
> from all IP multicast traffic
Would that be a capture filter like "net 224.0.0.0 mask 224.0.0.0"?
> Is there a way I can setup Tshark to collect this information? Can anyone
> give me any ideas how to set this up?
In short:
dumpcap -w dump.cap -i <int> -b duration:900 -s 34 "net 224.0.0.0 mask 224.0.0.0"
Hope this helps,
Cheers,
Sake
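Two checks for the setup discussed in the thread, as an added example in Python (not code from the thread or from the Wireshark project): it parses the ring-buffer file names dumpcap writes and classifies a frame truncated at the 34-octet snaplen, treating the capture filter "net 224.0.0.0 mask 224.0.0.0" as the 224.0.0.0/3 range it denotes, which is wider than the IANA multicast block 224.0.0.0/4 and so also matches 240.0.0.0/4 and the limited broadcast address. build_frame constructs the sample input; the function and field names are my own.

```python
import re
import struct
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network

# dumpcap ring-buffer names look like dump_00002_20081113174508.cap:
# <prefix>_<5-digit serial>_<YYYYMMDDHHMMSS>.<ext>
RING_NAME = re.compile(r"^(?P<prefix>.+)_(?P<serial>\d{5})_(?P<ts>\d{14})\.(?P<ext>\w+)$")

SNAPLEN = 14 + 20                          # Ethernet + minimal IPv4 header, i.e. "dumpcap -s 34"
THREAD_FILTER = IPv4Network("224.0.0.0/3")  # "net 224.0.0.0 mask 224.0.0.0" from the thread
MULTICAST = IPv4Network("224.0.0.0/4")      # IANA multicast block, narrower than the filter


def parse_ring_name(name):
    """Return serial number and start time encoded in a dumpcap ring-buffer file name."""
    m = RING_NAME.match(name)
    if not m:
        return None
    return {"prefix": m["prefix"], "serial": int(m["serial"]),
            "started": datetime.strptime(m["ts"], "%Y%m%d%H%M%S"), "ext": m["ext"]}


def inspect_frame(frame):
    """Classify a frame the way the -s 34 / multicast-filter setup would see it."""
    frame = frame[:SNAPLEN]                  # what actually reaches the capture file
    if len(frame) < SNAPLEN or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return {"ipv4": False}               # not IPv4 (or too short to tell)
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in octets
    src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
    return {"ipv4": True, "src": str(src), "dst": str(dst), "proto": frame[23],
            "matches_filter": src in THREAD_FILTER or dst in THREAD_FILTER,  # BPF "net" = src or dst
            "is_multicast": dst in MULTICAST,
            "options_truncated": ihl > 20}   # IP options (and all payload) are cut off at 34 octets


def build_frame(src, dst, ihl_words=5, proto=17):
    """Construct a minimal Ethernet/IPv4 frame as sample input (constructed, not a real capture)."""
    eth = bytes.fromhex("01005e000001") + bytes.fromhex("001122334455") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, ihl_words * 4 + 8, 0, 0, 64,
                     proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    ip += b"\x00" * ((ihl_words - 5) * 4)    # zero-filled IP options when ihl_words > 5
    return eth + ip + b"\x00" * 8            # plus a dummy 8-byte UDP header


if __name__ == "__main__":
    print(parse_ring_name("dump_00002_20081113174508.cap"))
    print(inspect_frame(build_frame("10.0.0.5", "239.255.255.250")))
```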