# Snort or Wireshark logging All network packages.



## Handy92 (May 10, 2017)

Like a tittle. How to logging at the background all network package using Snort or Wireshark from interface to folder (with sappnd flag setting used 'one user console') who will be have 10GB of space and oldest packages will be wemoved for fresh??


----------



## SirDice (May 10, 2017)

From tcpdump(8):

```
-w     Write the raw packets to file rather than parsing  and  printing
              them  out.  They can later be printed with the -r option.  Stan-
              dard output is used if file is ``-''.

              This output will be buffered if written to a file or pipe, so  a
              program reading from the file or pipe may not see packets for an
              arbitrary amount of time after they are received.   Use  the  -U
              flag  to  cause  packets  to  be  written  as  soon  as they are
              received.

              The MIME type application/vnd.tcpdump.pcap has  been  registered
              with  IANA  for pcap files. The filename extension .pcap appears
              to be the most commonly used along with .cap and  .dmp.  Tcpdump
              itself  doesn't  check  the extension when reading capture files
              and doesn't add an extension when writing them  (it  uses  magic
              numbers  in  the  file  header instead). However, many operating
              systems and applications will use the extension if it is present
              and adding one (e.g. .pcap) is recommended.

              See pcap-savefile(5) for a description of the file format.
```


```
-W     Used in conjunction with the -C option, this will limit the num-
              ber of files created to the specified number,  and  begin  over-
              writing  files  from  the  beginning, thus creating a 'rotating'
              buffer.  In addition, it will name the files with enough leading
              0s to support the maximum number of files, allowing them to sort
              correctly.

              Used in conjunction with the -G option, this will limit the num-
              ber  of rotated dump files that get created, exiting with status
              0 when reaching the limit. If used with -C as well, the behavior
              will result in cyclical files per timeslice.
```


```
-G     If specified, rotates the dump file specified with the -w option
              every  rotate_seconds  seconds.   Savefiles  will  have the name
              specified by -w which should include a time format as defined by
              strftime(3).  If no time format is specified, each new file will
              overwrite the previous.

              If used in conjunction with the -C option, filenames  will  take
              the form of `file<count>'.
```


----------



## phoenix (May 11, 2017)

You can also install tshark (the CLI version of Wireshark, basically) if you need something that can run as a daemon via RC scripts.  We use this at work on our wireless networks for troubleshooting.  If you go with tshark, you'll want to use the `-a` and `-b` option to have it write out files of a certain size, and to only write out a specific number of files, and to overwrite the older ones.[/cmd]


----------

