Automate File Rotation in Tshark

Introduction

In this lab, you will learn to automate file rotation in Tshark using Wireshark's dumpcap utility for efficient packet capture management. You'll configure both size-based rotation (1MB limit with -b filesize:1000) and count-based rotation (5 file limit with -b files:5) to optimize disk space during network analysis.

The lab guides you through capturing traffic on the eth1 interface with rotation parameters, then verifying the output files. These techniques help maintain organized packet captures while preventing storage overload during extended monitoring sessions.

Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL wireshark(("Wireshark")) -.-> wireshark/WiresharkGroup(["Wireshark"]) wireshark/WiresharkGroup -.-> wireshark/interface("Interface Overview") wireshark/WiresharkGroup -.-> wireshark/packet_capture("Packet Capture") wireshark/WiresharkGroup -.-> wireshark/commandline_usage("Command Line Usage") subgraph Lab Skills wireshark/interface -.-> lab-548915{{"Automate File Rotation in Tshark"}} wireshark/packet_capture -.-> lab-548915{{"Automate File Rotation in Tshark"}} wireshark/commandline_usage -.-> lab-548915{{"Automate File Rotation in Tshark"}} end

Set 1MB File Size with -b filesize:1000

In this step, you'll configure Wireshark's packet capture utility dumpcap to automatically create new files when the capture reaches 1MB in size. This technique is called file rotation and helps manage disk space by preventing single capture files from becoming too large.

The -b filesize: parameter controls this behavior by specifying the maximum file size in kilobytes (KB). Since 1000KB equals approximately 1MB, this setting will create a new file each time the current capture reaches that size. This is particularly useful for long-running captures where you want to maintain manageable file sizes.

Let's walk through the setup process step by step:

First, open a terminal in your LabEx virtual machine if you haven't already done so. The terminal is where we'll execute all our commands.
Before starting the capture, we need to ensure we're in the correct working directory. Run this command to navigate to the project folder:
```
cd ~/project
```
Now we'll start the packet capture with our size limit. Execute this command in your terminal:
```
sudo dumpcap -i eth1 -b filesize:1000 -w capture.pcapng
```
Let's break down what each part of this command does:
- sudo gives us administrative privileges needed for packet capture
- dumpcap is Wireshark's command-line capture tool
- -i eth1 tells dumpcap to listen on the eth1 network interface
- -b filesize:1000 sets our 1MB rotation threshold
- -w capture.pcapng specifies the base filename for our output

The capture will run continuously in your terminal. When it collects about 1MB of data, you'll notice the system automatically creates a new file with an incrementing number (like capture_00001.pcapng) while keeping the original capture.pcapng as the active file. This rotation happens seamlessly in the background.

Limit to 5 Files with -b files:5

In this step, we'll explore how to control the number of packet capture files created by Wireshark's dumpcap utility. When capturing network traffic for extended periods, it's important to manage storage space by limiting both file sizes and total file count.

The -b files: parameter lets you set a maximum number of rotated capture files. When combined with -b filesize from our previous lesson, this creates an efficient rotation system where:

New files are created when the current file reaches size limit
Only the specified number of files are kept
The oldest file gets overwritten when the limit is reached

Let's implement this with a practical example limiting to 5 files:

First, if you have any ongoing capture from earlier exercises, stop it by pressing Ctrl+C in your terminal window. This ensures we start fresh.
Navigate to our working directory where we'll store the capture files. Run:
```
cd ~/project
```
Now execute the capture command with both size and count limits:
```
sudo dumpcap -i eth1 -b filesize:1000 -b files:5 -w capture.pcapng
```
Breaking down the command:
- -i eth1 captures from your primary network interface
- -b filesize:1000 limits each file to 1000 kilobytes (1MB)
- -b files:5 maintains exactly 5 rotating files
- -w capture.pcapng sets the base filename pattern

As the capture runs, you'll see files named capture_00001.pcapng, capture_00002.pcapng, etc. The system will automatically manage these files, keeping only the 5 most recent ones and recycling storage space efficiently.

Start Capture with -i eth1

In this step, you'll begin capturing network traffic on the eth1 interface using Wireshark's dumpcap tool. This is where practical network analysis starts - by gathering real packet data from your network connection.

The -i eth1 portion tells dumpcap which network interface to monitor. On most Linux systems, eth1 represents your primary wired Ethernet connection. Think of it like choosing which microphone to use when recording sound - here we're selecting which network "ear" to listen through. We'll combine this with the file rotation settings you learned earlier to create a complete, automated capture solution.

Let's walk through the process step by step:

First, navigate to your working directory. This ensures all captured files will be saved in the correct location:
```
cd ~/project
```
Now execute the capture command. This does several things at once:
- -i eth1 monitors the eth1 interface
- -b filesize:1000 limits each capture file to 1000 kilobytes
- -b files:5 keeps a maximum of 5 rotating files
- -w capture.pcapng sets the base filename for output
```
sudo dumpcap -i eth1 -b filesize:1000 -b files:5 -w capture.pcapng
```
When successful, you'll see live statistics showing:
- Current capture file name
- Number of packets captured
- Any packets that might have been missed
```
File: capture_00001.pcapng
Packets captured: 42
Packets received/dropped on interface eth1: 42/0 (100.0%)
```

The capture will run continuously until you stop it with Ctrl+C. During this time, it will automatically manage the file rotation according to your settings, creating new files when they reach the size limit while maintaining exactly 5 files at all times.

Check Files with ls/dir

In this step, you will verify the packet capture files created by Wireshark's dumpcap utility. This verification process is crucial because it allows you to confirm two important aspects of your network capture setup: that the file rotation is working as configured, and that the capture files are being properly saved.

When working with Tshark's file rotation feature, the ls command (or dir on Windows) becomes your primary tool for inspecting the output. This command lists directory contents in Linux/Unix systems, and we'll use it specifically to examine the capture files in your project directory.

You'll be checking three key characteristics of your capture files:

Existence: Verify that capture files are actually being created
Size: Confirm files are approximately 1MB each (as specified in step 1 with the -b filesize flag)
Quantity: Ensure no more than 5 files exist (as limited in step 2 with the -b files parameter)

Here's how to properly inspect your capture files:

First, you need to stop any currently running capture process. In your terminal where Tshark is running, press Ctrl+C to gracefully stop the capture. This ensures no files are being actively written to during inspection.
Now, list all capture files in your project directory with detailed information. The -lh flags give you a human-readable format with file sizes in MB/GB:
```
ls -lh ~/project/capture*.pcapng
```

You should see output similar to this, showing multiple properly sized capture files:

-rw-r--r-- 1 root root 1.0M Mar 1 10:15 capture_00001.pcapng
-rw-r--r-- 1 root root 1.0M Mar 1 10:16 capture_00002.pcapng
-rw-r--r-- 1 root root 1.0M Mar 1 10:17 capture_00003.pcapng

Finally, to verify the file count limit is working, run this command to count your capture files. The -1 flag puts each file on its own line, and wc -l counts those lines:
```
ls -1 ~/project/capture*.pcapng | wc -l
```
The output should be 5 or less, confirming the file rotation is properly limiting the number of kept files.

Summary

In this lab, you have learned to automate file rotation in Tshark using Wireshark's dumpcap utility. The key techniques included setting file size limits with -b filesize:1000 and controlling file count with -b files:5 to optimize storage management.

The hands-on practice demonstrated how to implement these parameters with interface selection (-i eth1) and output specification (-w), followed by verification steps. This method ensures efficient packet capture while maintaining organized file rotation and storage control.