Wireshark
Wireshark ships with additional command-line tools such as dumpcap, tshark, text2pcap, rawshark and mergecap.
capture with dumpcap
list all interfaces
dumpcap -D
capture traffic on eth0
Assuming the eth0 interface is listed as 1 in the dumpcap -D output, this writes the capture to the file ethcapture.pcapng
dumpcap -i 1 -w ethcapture.pcapng
ring buffer capture
dumpcap -i 1 -b filesize:100000 -b files:5 -w ethcapture.pcapng
info
-i 1
selects the interface listed as number 1
-b filesize:100000
The filesize option accepts a value in kilobytes, so 100000 limits each file to 100 MB
-b files:5
Creates a maximum of 5 files of 100 MB each and, like a ring buffer, overwrites them in timestamp order, oldest first
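The ring buffer above occupies at most filesize x files on disk (5 x 100 MB = 500 MB), so the two -b values can be derived from a disk budget and checked against free space before a long-running capture starts. The script below is an added example, not part of the original notes; the function names and the argument order (IFACE BUDGET_MB FILES OUTFILE) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): derive dumpcap ring-buffer
# options from a total disk budget. Function names are hypothetical.
# Usage: sh thisscript 1 500 5 ethcapture.pcapng

# is_pos_int VALUE -> succeeds only for a positive whole number
# (leading zeros are rejected so shell arithmetic never treats it as octal)
is_pos_int() {
    case $1 in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
}

# ring_args BUDGET_MB FILES
# Prints "-b filesize:<kB> -b files:<n>" so that all files together stay
# within BUDGET_MB. filesize is in kB (100000 = 100 MB, as in the notes).
ring_args() {
    is_pos_int "$1" && is_pos_int "$2" || {
        echo "usage: ring_args BUDGET_MB FILES (positive integers)" >&2
        return 2
    }
    per_file_kb=$(( $1 * 1000 / $2 ))
    [ "$per_file_kb" -gt 0 ] || { echo "budget too small for $2 files" >&2; return 2; }
    printf '%s\n' "-b filesize:$per_file_kb -b files:$2"
}

# free_mb DIR -> free space in MB on the filesystem holding DIR
# (df -Pk reports available space in 1024-byte blocks in column 4)
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 * 1024 / 1000000 }'
}

# Start a capture only when called with all four arguments.
if [ "$#" -eq 4 ]; then
    args=$(ring_args "$2" "$3") || exit 2
    avail=$(free_mb "$(dirname "$4")")
    if [ "$2" -gt "$avail" ]; then
        echo "ring buffer needs $2 MB, only $avail MB free" >&2
        exit 1
    fi
    # $args is intentionally unquoted so it splits into separate options.
    exec dumpcap -i "$1" $args -w "$4"
fi
```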