I know that with tshark we can preset an autostop parameter (a duration or number of captured packets). However, if our target capture is quite dynamic, is there a way to nicely and explicitly stop the capture? We can kill the process but many times the capture buffer couldn't be correctly flushed into a file before it's killed.
Is it possible to do sth like:
tshrk -start XXXXX
............
............
tshark -stop XXXX
I understand there must be good reason why tshark didn't have that option. But is it possible? Can we get something working similar to that?
We like to use it on both windows and linux.
Many thanks,
Joshua
