-1

users.

I want to capture traffic on port 5060 for one week in a file, then want Wireshark to rotate the file and start capturing for the next week with a different file name.

I know little about tshark and dumpcap, but want to know what the more effective way to achieve this is and how, as the file will contain almost one week of data.

Any suggestions would be much appreciated.

Thanks.

user3310052

1 Answer

2

You can use a ringbuffer:
tshark -i 1 -f "port 5060" -a files:n -b duration:604800 -w week.pcap

-a files:n
Stop capturing after n files

-b duration:604800
Switch to the next file after 604800 seconds

-w week.pcap
The names of the output files will look like:
week_00001_20150403194709.pcap
week_00002_20150403194739.pcap
week_00003_20150403194809.pcap
week_00004_20150403194839.pcap
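
A long-running capture is only useful if no rotation was missed, so this added example (not part of the original answer) checks that rotated files follow each other at the expected interval, using the timestamp embedded in each file name. The function names and the tolerance argument are assumptions made for this example; for the weekly capture above the interval would be 604800.

```shell
#!/bin/sh
# Added example: verify that rotated capture files are evenly spaced, using
# the stamp in each name (prefix_NNNNN_YYYYMMDDhhmmss.ext).

# Print epoch seconds for a YYYYMMDDhhmmss stamp, treated as UTC (assumption:
# the stamps are local time, so a DST change shows up as a one-hour offset).
stamp_to_epoch() {
    s=$1
    y=${s%??????????}; rest=${s#????}
    mo=${rest%????????}; rest=${rest#??}
    d=${rest%??????}; rest=${rest#??}
    h=${rest%????}; rest=${rest#??}
    mi=${rest%??}; se=${rest#??}
    # Drop one leading zero so the shell does not read "08" as octal.
    mo=${mo#0}; d=${d#0}; h=${h#0}; mi=${mi#0}; se=${se#0}
    # Days since 1970-01-01, counting the year from March.
    if [ "$mo" -le 2 ]; then y=$((y - 1)); mo=$((mo + 12)); fi
    days=$(( 365*y + y/4 - y/100 + y/400 + (153*(mo - 3) + 2)/5 + d - 719469 ))
    echo $(( days*86400 + h*3600 + mi*60 + se ))
}

# check_rotation INTERVAL TOLERANCE FILE...   (files given in capture order)
# Prints one GAP line per pair spaced wrongly; returns 1 if any was found.
check_rotation() {
    want=$1; slack=$2; shift 2
    prev=""; bad=0
    for f in "$@"; do
        base=${f##*/}; base=${base%.*}; stamp=${base##*_}
        case $stamp in *[!0-9]*|"") echo "SKIP $f"; continue ;; esac
        [ ${#stamp} -eq 14 ] || { echo "SKIP $f"; continue; }
        t=$(stamp_to_epoch "$stamp")
        if [ -n "$prev" ]; then
            delta=$(( t - prev_t )); off=$(( delta - want ))
            [ "$off" -lt 0 ] && off=$(( -off ))
            if [ "$off" -gt "$slack" ]; then
                echo "GAP $prev -> $f: ${delta}s (expected ${want}s)"
                bad=1
            fi
        fi
        prev=$f; prev_t=$t
    done
    return $bad
}

# The four names from the answer's listing are 30 seconds apart.
check_rotation 30 2 week_00001_20150403194709.pcap week_00002_20150403194739.pcap \
    week_00003_20150403194809.pcap week_00004_20150403194839.pcap \
    && echo "rotation continuous"
```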