Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

UC Troubleshooting with Wireshark (a method to obtain packet capture over long periods)

One of the effective methods for troubleshooting network is to capture packets flowing through a network and to analyze them.

If the timing for a method to reproduce failure is known beforehand, a packet capture can be obtained easily.

However, a problem can often occur less frequently or irregularly.

To perform forensics on these problems, the packet capture needs to be continuously obtained over a long period of time.

Here we will explain how to obtain the packet capture over a long period of time with Wireshark.


A method to obtain packet capture over a long period of time

Configure the setting to write the data directly on the disk to obtain capture over a long period of time with Wireshark.

In consideration of the performance of the PC that performs analytical processing, the file to be written will be divided into multiple files (Use multiple files).

The following setting is an example for dividing the captured file by 20 megabytes (Next file every).

The ring buffer setting (Ring Buffer with) is set to 50 files as the capacity of the hard disk of the PC that implements capturing is limited.

In this case, files are saved from file 1, file 2 ... to file 50, at which point it goes back to file 1 to save.

Select "Capture > Options" from the menu bar.


Packet capturing is initiated using the above settings. Multiple capture files are generated in the designated directory.

A handling method for split capture file

Wireshark recognizes the captured data as "File Set" if the collected file is opened by the PC for analysis.


Multiple files may be used for details of Call (such as signaling, RTP) when analyzing the captured file.

If you want to perform analytical processing as one file, files need to be merged.

In the following example, divided capture files are merged into one file by the command (mergecap.exe) attached to Wireshark.

(Format of the mergecap command: mergecap.exe Ingress file name 1 Ingress file name 2 -w Egress (merge) file name)

The merged file is read into Wireshark again to perform analytical processing, such as signaling and RTP.