FAQ: How can I create long term Wireshark sniffs?

This example uses the OPC UA protocol to show how to configure a long-term Wireshark capture. This is the best option when troubleshooting a connectivity or network issue that occurs sporadically, so that the time of the specific event(s) under investigation cannot be established in advance.

The configuration presented below also prevents the host operating system and computer from running out of resources (e.g., CPU and memory): in this mode the packet list is not shown and updated in real time in the Wireshark user interface but written to a collection of files (ring buffer) instead. The packets collected are also limited explicitly by the capture filter, which prevents the capture from growing very quickly and widens the time frame it covers; other communications are not captured, so they stay private during analysis.
  1. Start Wireshark and open the Capture Options dialog.
  2. In the Input tab, select the network adapter used to communicate with the target OPC UA Client.
  3. In the Input tab, add the capture filter: 'tcp port 4810' (= the listening TCP port of the OPC UA Server running on the local machine; adjust the port if your server listens elsewhere).
  4. In the Output tab, enter the following configuration (or similar): capture to a permanent file, create a new file automatically after a chosen size or time, and use a ring buffer with a fixed number of files. Choose the file size and file count so that the ring buffer always covers a longer period than the interval between occurrences of the issue; otherwise the event is overwritten before the capture is stopped.
  5. In the Options tab, make sure "Update list of packets in real-time" is disabled. Note: this is very important to prevent a continuous increase in memory and CPU usage while the protocol sniff is collected.
  6. Press the Start button to start the capture and leave Wireshark running.
  7. Stop the capture when the long-term sniff is finished and collect the files generated while the capture was running.
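As an added example (not part of the COPA-DATA FAQ), the same ring-buffer capture can be set up from the command line with dumpcap, the capture engine that ships with Wireshark; it keeps no packet list in memory at all, so it is the safer choice for a capture that runs for days or on a server without a desktop session. The interface name, the port 4810, the file prefix and the ring-buffer sizes are placeholders to adjust to your host; on Windows, `dumpcap.exe` in the Wireshark install directory accepts the same flags, so the printed command can be pasted into a console there.

```shell
#!/bin/sh
# Added example, not part of the COPA-DATA FAQ: the command-line equivalent of
# the Wireshark settings above, using dumpcap (the capture engine shipped with
# Wireshark). dumpcap has no packet list to keep in memory, so it is the safer
# tool for a capture that runs for days. Names below are placeholders:
#   IFACE  interface facing the OPC UA client (e.g. eth0, or a name/index
#          listed by "dumpcap -D")
#   PORT   listening TCP port of the local OPC UA server (4810 in the FAQ)
#   PREFIX path prefix for the ring-buffer files, without spaces
#   FILES  number of files kept in the ring buffer
#   KB     size of each file in kilobytes before dumpcap rotates to the next

# Print the dumpcap command for a ring-buffer capture limited to one TCP port.
dumpcap_ring_cmd() {
    iface=$1; port=$2; prefix=$3; files=$4; kb=$5
    # -q            : no per-packet counter on stderr
    # -f            : capture filter (BPF); unrelated traffic is dropped before
    #                 it reaches user space, so it is neither stored nor exposed
    # -b filesize:N : start a new file after N kB
    # -b files:N    : keep at most N files, deleting the oldest (ring buffer)
    # -w            : file name prefix; dumpcap appends _<seq>_<timestamp>
    printf 'dumpcap -q -i %s -f "tcp port %s" -b filesize:%s -b files:%s -w %s.pcapng\n' \
        "$iface" "$port" "$kb" "$files" "$prefix"
}

# List the files dumpcap produced for PREFIX, oldest first. dumpcap names them
# <prefix>_<NNNNN>_<YYYYMMDDhhmmss>.pcapng, so sorting by name sorts by time.
ring_files() {
    ls "$1"_*.pcapng 2>/dev/null | sort
}

# Print the mergecap command that joins the ring-buffer files into one trace
# for analysis; mergecap orders packets by timestamp by default.
merge_cmd() {
    prefix=$1; out=$2
    printf 'mergecap -w %s' "$out"
    for f in $(ring_files "$prefix"); do printf ' %s' "$f"; done
    printf '\n'
}

# Usage (the capture needs the usual packet-capture privileges):
#   sh long_capture.sh run   IFACE PORT PREFIX FILES KB
#   sh long_capture.sh merge PREFIX OUT.pcapng
# The arguments come from the operator, so eval of the built command is
# acceptable here; do not feed it untrusted input.
case "${1:-}" in
    run)   shift; eval "$(dumpcap_ring_cmd "$@")" ;;
    merge) shift; eval "$(merge_cmd "$@")" ;;
esac
```

Once the files are merged, the OPC UA traffic can be decoded and filtered without opening the trace in the GUI, for example `tshark -r all.pcapng -d tcp.port==4810,opcua -Y opcua`; the `-d` option is needed because the OPC UA dissector registers only the default port, not 4810. The sizing rule from step 4 applies unchanged: the product of file size and file count must cover more time than the longest gap between occurrences of the issue, or the oldest file holding the event is deleted by the ring buffer.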
If you have any question, doubt or suggestion about this FAQ please contact your local COPA-DATA Representative.