Ring Buffer With Tshark

Posted December 14th, 2011 in Bread-crumbs by admin

Using a ring buffer with tshark

You can use a ring buffer with tshark to overwrite files by time, size, or both. To capture on interface ath0, disable name resolution, start a new file when the previous one reaches 250k, keep up to three files named with the prefix "wifi-cap" (wifi-cap_NNN_<dstamp>), and capture only traffic with DST or SRC set to xx:xx:xx:xx:xx:xx, you can enter:

#tshark -n -i ath0 -a filesize:250 -b files:3 -w wifi-cap -R "wlan.addr eq xx:xx:xx:xx:xx:xx"
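
Because the ring keeps only the newest three files, it helps to know which time window is still on disk before relying on the capture. The following Python is an added example, not part of the original post: it parses the wifi-cap_NNN_<dstamp> names and reports how many files have been overwritten and where the retained window starts. It assumes the stamp is a 14-digit YYYYMMDDHHMMSS value and that sequence numbers start at 1; the function names and the sample files are constructed for illustration.

```python
import re
import tempfile
from datetime import datetime
from pathlib import Path

# Assumed ring-buffer naming: <prefix>_<sequence>_<YYYYMMDDHHMMSS>[.ext]
NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d+)_(?P<stamp>\d{14})(?:\.\w+)?$")


def ring_files(directory, prefix):
    """Return (seq, start_time, path) for each ring file, lowest sequence first."""
    found = []
    for path in Path(directory).iterdir():
        m = NAME_RE.match(path.name)
        if m and m.group("prefix") == prefix:
            start = datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")
            found.append((int(m.group("seq")), start, path))
    return sorted(found, key=lambda item: item[0])


def ring_summary(directory, prefix):
    """Summarise what the ring still holds and what has been overwritten."""
    files = ring_files(directory, prefix)
    if not files:
        return None
    first_seq, first_start, _ = files[0]
    return {
        "files_on_disk": len(files),
        "overwritten": first_seq - 1,   # assumption: sequences start at 1
        "oldest_start": first_start,    # traffic before this time is gone
        "newest_start": files[-1][1],
        "bytes_on_disk": sum(p.stat().st_size for _, _, p in files),
    }


def make_sample_ring(directory):
    """Constructed sample: a three-file ring after files 1-4 were overwritten."""
    for name in ("wifi-cap_00005_20111214093000",
                 "wifi-cap_00006_20111214093412",
                 "wifi-cap_00007_20111214094105",
                 "other-cap_00001_20111214090000"):  # different prefix, ignored
        (Path(directory) / name).write_bytes(b"\x00" * 1024)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_ring(tmp)
        print(ring_summary(tmp, "wifi-cap"))
```
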

 
