search cancel

Rolling Captures with Wireshark

book

Article ID: 175855

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

There is a need to obtain a packet capture of an issue that occurs intermittently or is otherwise not easily recreated.

Resolution

Make use of Wireshark's rolling captures. This will create multiple packet capture files of the consecutive events separated by a defined interval of time, file size, and/or a certain number of packets. Follow these steps to make use of this function in Wireshark.

  1. Prepare the needed conditions to recreate the behavior of the issue in question.
  2. Open Wireshark.
  3. Select Capture, then Options.

  4. In the Input tab, select the interface(s) from which to capture packets so that they are highlighted.
  5. Select the Output tab, and check the "Create a new file automatically after..." checkbox.
  6. Define the interval for by checking checkbox for time, file size, and/or a cert ian number of packets and specify parameters accordingly.


     
  7. Select Start.
  8. Recreate the behavior or issue needed.
  9. Stop the capture.
    • It is good practice to allow a little bit of time to pass (1 minute or so) after the issue is observed unless the support engineer directs otherwise.
  10. Upload the corresponding file(s) to the support case.
    • Upload only the file(s) that contain the packets corresponding to the issue or behavior observed. Ideally, the desired packets captured will all be in a single file. Do NOT upload all of the files that were captured.

Attachments