Capturing from the command line on Windows and saving to multiple files

This post describes how to capture packets on Windows from the command line and save the capture as multiple files.

First, where the need to save multiple files comes from. A long capture may have to run for several hours, and during that time Wireshark keeps the captured content in memory. Several hours of packets, especially when audio and video streams are involved, can reach several GB, which exhausts memory and makes the program fail outright. In that situation the capture has to be written to files automatically while it runs.

(A) Capturing with the Wireshark graphical interface


After a few settings are made in the Wireshark capture options, Wireshark automatically saves each segment under the file name we specify plus a sequence number and a time stamp. The steps are as follows:

Select Capture - Interfaces... to open the network interface dialog.


Select the network device you want to capture on and click the Options button at the end of its entry.


In this dialog box you can configure Wireshark to store the captured data in multiple files. Wireshark assigns each segment a name derived from the file name we specify, in the form "<specified file name>_<number>_<date and time>.<extension>". The dialog also offers several conditions for starting a new file and for stopping the capture, which is very flexible.

Saving to multiple files this way is very convenient, but there is one problem:

After a long capture, multiple "Closing file!" dialog boxes appear, and each one adds another Wireshark icon to the taskbar. The longer the capture, the more segmented files and the more dialog boxes, until they fill the whole taskbar. They can only be closed by right-clicking each Wireshark taskbar icon with the mouse. A Google search showed this to be a Wireshark bug with no good solution, so the command line is recommended for long captures.

(B) Capturing from the command line

Once Wireshark is installed, its installation directory contains a command-line tool, dumpcap.exe; the Wireshark interface program itself uses this tool to capture. We can skip the interface and capture directly with the command-line tool. The command is as follows:


The command is:

dumpcap.exe -i \Device\NPF_{845F9D1E-8F0B-4991-9F9A-C55D107A046B} -w D:\000\ddd.pcap -b filesize:50000

dumpcap.exe is found in the Wireshark installation directory, and the options mean the following:

-i specifies the capture device. The value is the device identifier string, which can be looked up in the Wireshark interface program as follows:


-w specifies the path and file name to save to. When the capture is split into files, they are named automatically in the form ddd_00001_20151221213115.pcap, that is, "<filename>_<number>_<time>.<extension>".

-b filesize:N specifies the size of each file in kB; 50000 here means 50000 kB, i.e. about 50 MB.

Capturing from the command line runs for a long time without any problems, so this is the recommended way.
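To make the rotation behaviour concrete, here is an added example (not code from the post or from Wireshark) that writes pcap files the way dumpcap's -b filesize:N ring buffer does: every segment is a complete pcap file that Wireshark can open, the segment names follow the <name>_<number>_<time>.<extension> scheme shown above, and only the packet currently being written is held in memory. The pcap header constants follow the public pcap file format; the link type is assumed to be Ethernet, and the frames written by demo() are constructed rather than captured.

```python
"""Size-based capture rotation in the manner of dumpcap's ``-b filesize:N``
ring buffer. Added example, not code from the post or from Wireshark; the
pcap constants follow the public pcap file format, the link type is assumed
to be Ethernet, and the packets written in demo() are constructed."""
import struct
import tempfile
import time
from pathlib import Path
from typing import List, Optional

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic number
DLT_EN10MB = 1               # link type: Ethernet (assumed for the example)
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16


def global_header(snaplen: int = 65535) -> bytes:
    # magic, version major/minor, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_EN10MB)


def record(ts: float, payload: bytes) -> bytes:
    # per-packet header: seconds, microseconds, captured length, original length
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload


class RotatingPcapWriter:
    """Writes packets to <stem>_<NNNNN>_<YYYYMMDDhhmmss><suffix>, the naming
    scheme the post shows for dumpcap, opening a new file as soon as the
    current one would exceed max_kb. Only the packet being written is held
    in memory, which is what keeps a multi-hour capture from exhausting RAM."""

    def __init__(self, path: str, max_kb: int):
        self.path = Path(path)
        self.max_bytes = max_kb * 1024   # dumpcap's filesize unit is kB
        self.index = 0
        self.fh = None
        self.written = 0
        self.files: List[Path] = []

    def _open_next(self) -> None:
        if self.fh is not None:
            self.fh.close()
        self.index += 1
        stamp = time.strftime("%Y%m%d%H%M%S", time.localtime())
        name = f"{self.path.stem}_{self.index:05d}_{stamp}{self.path.suffix}"
        target = self.path.with_name(name)
        self.fh = target.open("wb")
        self.fh.write(global_header())
        self.written = GLOBAL_HEADER_LEN
        self.files.append(target)

    def write(self, payload: bytes, ts: Optional[float] = None) -> None:
        rec = record(time.time() if ts is None else ts, payload)
        if self.fh is None or self.written + len(rec) > self.max_bytes:
            self._open_next()
        self.fh.write(rec)
        self.written += len(rec)

    def close(self) -> None:
        if self.fh is not None:
            self.fh.close()
            self.fh = None


def count_records(path: Path) -> int:
    """Walks a pcap file record by record; used to verify each segment."""
    data = path.read_bytes()
    if data[:4] != struct.pack("<I", PCAP_MAGIC):
        raise ValueError(f"{path} is not a little-endian pcap file")
    count, off = 0, GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        off += RECORD_HEADER_LEN + incl_len
        count += 1
    return count


def demo(directory: Optional[str] = None, packets: int = 500, max_kb: int = 4) -> List[Path]:
    """Constructed input: `packets` synthetic 100-byte frames with a 4 kB
    limit, so the rotation is visible without capturing anything."""
    directory = directory or tempfile.mkdtemp(prefix="ring_")
    writer = RotatingPcapWriter(str(Path(directory) / "ddd.pcap"), max_kb)
    for i in range(packets):
        writer.write(bytes([i % 256]) * 100, ts=1450704675.0 + i)
    writer.close()
    return writer.files


if __name__ == "__main__":
    for f in demo():
        print(f.name, count_records(f), "records")
```

With 116-byte records (16-byte record header plus a 100-byte frame) and a 4 kB limit, 35 records fit in each segment after the 24-byte file header, so 500 frames land in 15 files; the last one holds the remaining 10. The same arithmetic applies to dumpcap's 50000 kB segments, only with real frame sizes.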

(C) Capturing with tcpdump for Windows

Capturing from the command line with dumpcap.exe solves the problem raised at the start of this article, but dumpcap.exe is only available after Wireshark is installed, and running it depends on other DLLs in the Wireshark installation directory. If you do not want to install the whole of Wireshark, you can use the Windows version of tcpdump instead: a single exe with no other dependencies. tcpdump.exe is not part of Wireshark and must be downloaded separately.

The tcpdump -D command lists all network devices. Note that the device identifiers in this list differ slightly from the ones copied from the device properties in Wireshark: the Wireshark identifiers carry an NPF_ prefix because Wireshark installs the NPF driver. So Wireshark's command-line tool dumpcap.exe uses the device identifiers shown in Wireshark, whereas tcpdump.exe uses the identifiers listed by tcpdump -D.

Each entry listed by tcpdump -D also carries a description; comparing the descriptions with the network connection currently in use tells us which device identifier to capture on.

Command description:

tcpdump.exe -i \Device\{89515393-AC8F-4D23-9A03-AF35F9950E72} -w E:\000\test.pcap -C 2
-i specifies the network device to capture on, by its identifier.
-w specifies the file to save to. When the capture is split, the files are saved automatically as test.pcap, test.pcap1, test.pcap2, and so on; these files can be dragged directly into Wireshark to open them.
-C (note the uppercase) sets the size of each segment in MB; -C 2 here means 2 MB per file.
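The two practical steps of sections (B) and (C), picking the right device identifier from a -D listing and putting the numbered output files back in capture order, as an added example that is not code from the post, Wireshark or tcpdump. The device listing is constructed in the shape tcpdump -D prints (the first GUID is the one from the post, the second is an all-zero placeholder, and the descriptions are invented); the command builders only reproduce the options explained above.

```python
"""Choosing the capture device and ordering the output files. Added example,
not code from the post, Wireshark or tcpdump. The device listing below is
constructed in the shape that `tcpdump -D` prints on Windows (the first GUID
is the one from the post, the second is an all-zero placeholder)."""
import re
from typing import Dict, List

# Constructed sample of `tcpdump -D` output; descriptions are invented.
SAMPLE_DEVICE_LIST = """\
1.\\Device\\{89515393-AC8F-4D23-9A03-AF35F9950E72} (Intel(R) Ethernet Connection)
2.\\Device\\{00000000-0000-0000-0000-000000000000} (Virtual Wi-Fi Adapter)
"""

# "N.<identifier> (description)", description optional
DEVICE_LINE = re.compile(r"^\s*(\d+)\.\s*(\S+)\s*(?:\((.*)\))?\s*$")


def parse_device_list(text: str) -> List[Dict[str, str]]:
    """One dict per device line; lines that do not match are ignored."""
    devices = []
    for line in text.splitlines():
        m = DEVICE_LINE.match(line)
        if m:
            devices.append({"index": m.group(1), "name": m.group(2),
                            "description": m.group(3) or ""})
    return devices


def matching_devices(devices: List[Dict[str, str]], wanted: str) -> List[Dict[str, str]]:
    """Case-insensitive substring match on the description column."""
    return [d for d in devices if wanted.lower() in d["description"].lower()]


def find_device(devices: List[Dict[str, str]], wanted: str) -> str:
    """Returns the identifier whose description contains `wanted`, and refuses
    to guess when the match is ambiguous: a long capture on the wrong adapter
    quietly records nothing useful for hours."""
    hits = matching_devices(devices, wanted)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} devices match {wanted!r}: "
                          + ", ".join(d["name"] for d in hits))
    return hits[0]["name"]


def tcpdump_command(device: str, outfile: str, size_mb: int) -> List[str]:
    # -C rotates by size in MB; files are numbered outfile, outfile1, outfile2, ...
    return ["tcpdump.exe", "-i", device, "-w", outfile, "-C", str(size_mb)]


def dumpcap_command(device: str, outfile: str, size_kb: int) -> List[str]:
    # dumpcap's -b filesize takes kB, and expects the NPF_-prefixed identifier
    # shown by Wireshark rather than the one tcpdump -D prints
    return ["dumpcap.exe", "-i", device, "-w", outfile, "-b", f"filesize:{size_kb}"]


def order_tcpdump_files(names: List[str], base: str) -> List[str]:
    """tcpdump appends a bare number: base, base1, base2, ... base10.
    Sorting those strings lexicographically puts base10 before base2,
    so the suffix is compared numerically before the segments are merged."""
    chosen = []
    for n in names:
        if not n.startswith(base):
            continue
        suffix = n[len(base):]
        if suffix == "" or suffix.isdigit():
            chosen.append((int(suffix or 0), n))
    return [n for _, n in sorted(chosen)]


if __name__ == "__main__":
    devs = parse_device_list(SAMPLE_DEVICE_LIST)
    dev = find_device(devs, "ethernet")
    print(" ".join(tcpdump_command(dev, r"E:\000\test.pcap", 2)))
    print(order_tcpdump_files(["test.pcap10", "test.pcap2", "test.pcap", "test.pcap1"], "test.pcap"))
```

Run against real output, replace SAMPLE_DEVICE_LIST with the captured text of tcpdump -D (or dumpcap -D for the NPF_ form) and pass the resulting argument list to subprocess; the ordering helper matters whenever more than ten segments are merged, because a plain sorted() on the names would interleave test.pcap10 between test.pcap1 and test.pcap2.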


Source: www.cnblogs.com/ray-bk/p/11725909.html