Tech Tip: How to Schedule Automatic Packet Captures Using tshark

Document created by ScottOrzechowski Employee on Nov 17, 2015Last modified by ScottOrzechowski Employee on Nov 23, 2015
Version 2Show Document
  • View in full screen mode

Tech Tip:  How to Schedule Automatic Packet Captures Using tshark


CA Tech Tip by Scott Orzechowski, Principal Spectrum Support Engineer for Wednesday, April 09, 2014


Use Case:

Sometimes issues arise on the network at predictable times of the day when no one is available to troubleshoot them.  It’s useful to be able to schedule automatic data collection for later analysis.  This Tech Tip explains how to use Wireshark’s® tshark to schedule a packet capture for a set duration from the command line.


If you anticipate that something will happen at a certain time of day, you can schedule a packet capture using the tshark executable in the Wireshark®installation directory.  The command line to schedule a ten minute capture for packets on interface 2 from or destined for IP would be:


<absolute path>\tshark -i 2 -a duration:7200 -f "host" -w c:\tshoot\1_16.pcap


“i 2” means interface 2.     Run “tshark –D” to see a list of the indexed interfaces available for capture.

7200 is the number of seconds to run the trace

-w directs the output to a file at the path and filename you enter.

You can add filters onto the –f argument.  See tshark.html in the Wireshark® installation directory for help.


On Windows, you can put this in a file with a .bat extension and schedule it in the Windows Task Scheduler (under Administrative Tools).  It might take several seconds for the Task Scheduler to launch.  Set the task to run with an admin user’s login and password.  Set it to run whether the user is logged in or not.  Run with the highest privileges.  You will create a new trigger that is just the time when you want it to run.  You can test it by running it manually before the scheduled time.  You can export the task to an xml file to for the customer to edit and import.


You can cron the task in Linux and Solaris.  You need to create the output directory first.  The following line in your /etc/crontab will run the capture on April eighth at 11:36 PM:

36 22 08 04 * /usr/sbin/tshark –I 1 -a duration:7200 -f "host" –w /usr/wireshark_output/4_8_14.capture.pcap


Note:     Wireshark® is available under the GNU General Public License version 2.  It is available for download at  CA Technologies Inc does not endorse Wireshark®.


This document was generated from the following discussion: The specified item was not found.