Hello,

anyone has an idea how to, maybe with some scripting, to let sniffer run and write the captured traffic into multiple files? I'm looking for away to do a tcpdump like packet capturing on RouterOS. I wonder if a script can periodic check the filesize and rename / copy the sofar captured data into a new file with current timestamp or similar, without loosing to much packets during the saving to file / splitting files process. Stopping the sniffer, copy the file to a different folder and renaming it, then restarting the sniffer will probably take too long. Or is there a different way how it can be done?

IIRC i can not modify a running sniffer process to rename the capture file or am i wrong?

Especially for debugging voice traffic it is important for me to capture the traffic unattended without loosing to much packets when the files are going to be splitted once the max filessize has been reached.

Regards,

EntireNet

AFAIK WireShark does it automatically and you decide what is the size of logged data file.

Well, Wireshark is used to view the captured traffic afterwards, or i can stream it there even but i'm going to save the captured data on an SD card and will download the captured data at off peak time when more bandwidth is available.

It works already fine with one file but e.g. like once 50 MB in data got captured, i want to capture the next bytes in another file. So in the end i can access up to 1 GB of data in 50 MB splitted files. Thats the goal.

Regards,

EntireNet

Have you read this: https://www.wireshark.org/docs/wsug_htm ... Files.html
It is the third answer to http://bfy.tw/HYBm

Well, the issue here is the files have to be captured before Wireshark is used.

My question is about how to make a RouterOD box capturing traffic and saving it in 50 MB chunks while continuously capturing traffic. So Wireshark ist the issue. The issue is that RouterOS will stop capturing once the configured filesize is reached. And i want to keep it capturing.

Regards,

EntireNet

I think the point the previous posters are trying to make is you can stream it to Wireshark (or tcpdump) and have Wireshark save the files and split the captures for you while it is capturing. That's how I would do it. AFAIK RouterOS does not do what you're wanting.

The easiest way is to do port mirroring and send all traffic to be captured to selected port where proper hardware could be used to store incoming data.

The easiest way is to do port mirroring and send all traffic to be captured to selected port where proper hardware could be used to store incoming data.

Yes, port mirroring to an external device (running wire shark) is the proper method. Beat me to it.

Sent from my Pixel XL using Tapatalk

I do not know if is possible with the new version but that is exactly what i need either.