
Wireshark-users: Re: [Wireshark-users] Question

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 13 Nov 2008 17:53:30 +0100
On Thu, Nov 13, 2008 at 11:07:26AM -0500, Terry Martin wrote:
>    I am setting up Tshark to continuously collect information on a network
>    connection

If you want to capture continuously, dumpcap is a better choice as it
does not keep state of the packets it captures, it just writes them to
disk.

>    and store the information into a file every 15 minutes with the
>    name of the file being mm_dd_hh_mm.

With -b duration:900 -w dump.cap, dumpcap uses a serial number
as well as a datetime string in the filename. It writes files like this:

Packets: 58 File: dump_00002_20081113174508.cap
Packets: 85 File: dump_00003_20081113174532.cap
Packets: 306 File: dump_00004_20081113174537.cap

(note that it does not create a new file when there were no packets
after switching to the next file)

Would that do?

>    I want this collection to only save
>    the header information

What do you mean by "header"? Just the IP header? If so, you can use the
snaplength option to cut off after 14 (eth) + 20 (ip) = 34 octets
(assuming no extra IP options are used):

dumpcap -s 34

>    from all IP multicast traffic

Would that be a capture filter like "net 224.0.0.0 mask 224.0.0.0"?

>    Is there a way I can setup Tshark to collect this information?  Can anyone
>    give me any ideas how to set this up?

In short:

dumpcap -w dump.cap -i <int> -b duration:900 -s 34 "net 224.0.0.0 mask 224.0.0.0"

Hope this helps,
Cheers,
    Sake
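The following is an added worked example, not code from the thread, Sake, or the Wireshark project. It assembles the pieces discussed above (a duration-based ring buffer, a headers-only snaplen, a multicast capture filter) into a dumpcap argv, emulates the pcap-filter "net NET mask MASK" primitive so you can check which addresses a given mask actually selects, and maps dumpcap's own ring-buffer filenames (base_serial_YYYYmmddHHMMSS.cap, as shown in the reply) onto the mm_dd_hh_mm scheme the question asked for. It only uses the Python standard library; the interface name and filenames are constructed sample input.

```python
import ipaddress
import re
from datetime import datetime

# Header sizes behind "-s 34" in the reply: Ethernet (14) + IPv4 without options (20).
ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4      # 802.1Q tag, present if the capture interface sees tagged frames
IPV4_HDR_LEN = 20


def snaplen(vlan_tagged=False, ip_options_len=0):
    """Smallest snaplen that still keeps the Ethernet and IPv4 headers intact."""
    return ETH_HDR_LEN + (VLAN_TAG_LEN if vlan_tagged else 0) + IPV4_HDR_LEN + ip_options_len


def net_mask_matches(addr, net, mask):
    """Emulate the pcap-filter primitive 'net NET mask MASK' for one IPv4 address:
    true when (addr & mask) == (net & mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (n & m)


def multicast_filter():
    """Capture filter covering exactly 224.0.0.0/4 (the IPv4 multicast range),
    i.e. mask 240.0.0.0; mask 224.0.0.0 would also match 240.0.0.0/4."""
    net = ipaddress.IPv4Network("224.0.0.0/4")
    return f"net {net.network_address} mask {net.netmask}"


def dumpcap_argv(iface, outfile="dump.cap", seconds=900, snap=34, capture_filter=None):
    """argv for a continuous dumpcap ring capture: a new file every `seconds`,
    only `snap` bytes per packet, restricted by the capture filter (-f)."""
    if capture_filter is None:
        capture_filter = multicast_filter()
    return ["dumpcap", "-i", iface, "-w", outfile,
            "-b", f"duration:{seconds}", "-s", str(snap), "-f", capture_filter]


# dumpcap names ring-buffer files <base>_<serial>_<YYYYmmddHHMMSS>.<ext>, as in the reply.
_RING_NAME = re.compile(r"^(?P<base>.+)_(?P<serial>\d{5})_(?P<stamp>\d{14})\.(?P<ext>\w+)$")


def parse_ring_name(filename):
    """Split a dumpcap ring-buffer filename into (serial, timestamp); ValueError otherwise."""
    m = _RING_NAME.match(filename)
    if not m:
        raise ValueError(f"not a dumpcap ring-buffer name: {filename}")
    return int(m.group("serial")), datetime.strptime(m.group("stamp"), "%Y%m%d%H%M%S")


def requested_name(filename):
    """Map dumpcap's name onto the mm_dd_hh_mm scheme from the original question."""
    _, stamp = parse_ring_name(filename)
    return stamp.strftime("%m_%d_%H_%M") + ".cap"


if __name__ == "__main__":
    print(" ".join(dumpcap_argv("eth0")))          # constructed interface name
    print(snaplen(), snaplen(vlan_tagged=True))   # 34 plain, 38 with an 802.1Q tag
    for a in ("239.255.255.250", "240.0.0.1", "10.1.2.3"):
        print(a, net_mask_matches(a, "224.0.0.0", "224.0.0.0"),
              net_mask_matches(a, "224.0.0.0", "240.0.0.0"))
    # constructed sample filename in the format dumpcap produced in the reply
    print(requested_name("dump_00002_20081113174508.cap"))
```

The mm_dd_hh_mm names drop the year and the serial, so a rename run that spans years or gets two files within one minute will overwrite; keep dumpcap's own names on disk and derive the short form only when you need it.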