April 21, 2018

How to configure a Rotating, long term packet capture using Wireshark.

(Last Updated On: 17th November 2017)

Introduction

Wireshark is an awesome tool for troubleshooting network traffic. However, the Wireshark GUI is not designed for long term packet captures: left running, it would simply fill the hard drive of the server/PC running the program. Bundled with Wireshark is a small Windows command line tool called ‘dumpcap’ which, at less than one tenth the size of the tcpdump utility, can be used to perform packet captures (in theory) indefinitely. And using it is incredibly simple.

How to configure dumpcap

Install Wireshark

  • First install Wireshark onto the test server or PC. The latest version can be found on the Wireshark website: https://www.wireshark.org/.
  • Once installed, take note of the location in which the program is installed. In my case it installed in the ‘Program Files (x86)’ folder.
  • Next, open ‘Command Prompt’ from the ‘Start Menu’; right click on the icon and choose ‘Run as administrator’.

You will then need to change to the directory in which Wireshark is installed; in this case the program was installed in my x86 Program Files folder:

C:\Windows\system32>cd C:\Program Files (x86)\Wireshark

Identify Capture Interface

At this stage you will need to know which interface to capture on. In this case I need to capture on my main ‘Ethernet’ adapter. To see the available interfaces, run the following ‘tshark’ command:

C:\Program Files (x86)\Wireshark>tshark -D

You will then see output similar to the below:

1. \Device\NPF_{C5C36F6C-6B8F-47E7-B199-A7CDE5E9DE00} (VMware Network Adapter VMnet2)
2. \Device\NPF_{6E2C4778-E750-47B0-B3E5-328722911E2A} (VMware Network Adapter VMnet6)
3. \Device\NPF_{7A066AFA-122E-4E92-9CD9-9622B71D25D2} (VMware Network Adapter VMnet4)
4. \Device\NPF_{8D2FF32D-9C29-42F2-8109-B77406701398} (VirtualBox Host-Only Network)
5. \Device\NPF_{B9E5EB96-B952-49E1-8286-1F52B3D3A18D} (Local Area Connection 2)
6. \Device\NPF_{43A5CB0B-095D-4633-9497-8FD7B0BC1650} (Ethernet)
7. \Device\NPF_{93C2BF1D-ED48-4497-BF09-1E9B7542103A} (Local Area Connection)
8. \Device\NPF_{F667CDD7-E5E3-47E1-BE80-F8AAE26BC42D} (VirtualBox Host-Only Network #2)
9. \Device\NPF_{7497D22F-97BE-473F-AE54-374E8376CC6E} (VMware Network Adapter VMnet1)
10. \Device\NPF_{92329FD9-2D5D-436D-8227-456F5B52E8C5} (VMware Network Adapter VMnet8)

In the above output you can see that the ‘Ethernet’ interface is assigned the number 6.

Configure dumpcap

The required syntax of the dumpcap command is shown below:

dumpcap -i <interface> -b filesize:32768 -b files:128 -w <examplefile.pcap>

Broken down it reads as follows:

  • dumpcap = run the program
  • -i <interface> = capture on interface X (the number, or the device name, shown by ‘tshark -D’)
  • -b filesize:32768 = limit each file to a size of 32768 KB
  • -b files:128 = limit the capture to 128 files
  • -w <examplefile.pcap> = save to files whose names start with ‘examplefile’ and end in .pcap (dumpcap also inserts a sequence number and the date/time into each filename)

As such, a working example would be:

C:\Program Files (x86)\Wireshark>dumpcap -i 6 -b filesize:32768 -b files:128 -w EmailCapture.pcap

This limits the overall capture size to 4GB (128 files of 32MB). Each time a .pcap file reaches 32768 KB, dumpcap starts a new .pcap file. Once 128 files have been generated, the process wraps around and overwrites the first (oldest) file.

Save location

Because the -w path in the example is relative, each of the .pcap files is stored in the current directory, i.e. the ‘C:\Program Files (x86)\Wireshark’ folder. Give -w a full path if you want the captures elsewhere, for example on a drive with enough free space for the 4GB ring buffer.
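To tie the steps above together, here is an added Python helper (example code, not from the original post or from the Wireshark project) that parses ‘tshark -D’ output, selects the capture interface by its description rather than by its position in the list, reports how much disk the ring buffer can occupy, and builds the dumpcap command line with an absolute output path. The adapter listing embedded in the script is constructed from the output shown above; the output directory ‘C:\captures’ and the base name ‘EmailCapture’ are assumptions. Selecting by the ‘\Device\NPF_{...}’ name matters for a capture that is meant to run for weeks, because the index numbers printed by ‘tshark -D’ can change when adapters are added, removed or re-enumerated, while dumpcap’s -i option accepts the device name just as well as the number.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `tshark -D` output, mirroring the adapter list shown above.
# In practice, feed in the real listing, e.g.
#   subprocess.run(["tshark", "-D"], capture_output=True, text=True).stdout
SAMPLE_TSHARK_D = r"""
1. \Device\NPF_{C5C36F6C-6B8F-47E7-B199-A7CDE5E9DE00} (VMware Network Adapter VMnet2)
2. \Device\NPF_{6E2C4778-E750-47B0-B3E5-328722911E2A} (VMware Network Adapter VMnet6)
3. \Device\NPF_{7A066AFA-122E-4E92-9CD9-9622B71D25D2} (VMware Network Adapter VMnet4)
4. \Device\NPF_{8D2FF32D-9C29-42F2-8109-B77406701398} (VirtualBox Host-Only Network)
5. \Device\NPF_{B9E5EB96-B952-49E1-8286-1F52B3D3A18D} (Local Area Connection 2)
6. \Device\NPF_{43A5CB0B-095D-4633-9497-8FD7B0BC1650} (Ethernet)
7. \Device\NPF_{93C2BF1D-ED48-4497-BF09-1E9B7542103A} (Local Area Connection)
8. \Device\NPF_{F667CDD7-E5E3-47E1-BE80-F8AAE26BC42D} (VirtualBox Host-Only Network #2)
9. \Device\NPF_{7497D22F-97BE-473F-AE54-374E8376CC6E} (VMware Network Adapter VMnet1)
10. \Device\NPF_{92329FD9-2D5D-436D-8227-456F5B52E8C5} (VMware Network Adapter VMnet8)
"""

# One interface per line: "<index>. <device path> (<description>)"
INTERFACE_LINE = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+\((.*)\)\s*$")


def parse_interfaces(listing):
    """Turn `tshark -D` / `dumpcap -D` output into dicts with index, device and description."""
    interfaces = []
    for line in listing.splitlines():
        match = INTERFACE_LINE.match(line)
        if match:
            interfaces.append({
                "index": int(match.group(1)),
                "device": match.group(2),
                "description": match.group(3),
            })
    return interfaces


def find_interface(interfaces, description):
    """Return the single interface whose description matches exactly.

    An exact match is deliberate: 'Local Area Connection' must not silently
    pick 'Local Area Connection 2', and a name that appears twice is an error.
    """
    matches = [i for i in interfaces if i["description"] == description]
    if len(matches) != 1:
        raise LookupError(
            f"expected exactly one interface described as {description!r}, found {len(matches)}"
        )
    return matches[0]


def ring_buffer_budget_bytes(filesize_kb, files):
    """Upper bound on disk used by the ring buffer (each file may reach filesize_kb before rotation)."""
    return filesize_kb * 1024 * files


def build_dumpcap_argv(interface, out_dir, base_name, filesize_kb=32768, files=128):
    """Build the dumpcap argument list for a rotating capture written to an absolute Windows path."""
    out_file = PureWindowsPath(out_dir) / f"{base_name}.pcap"
    return [
        "dumpcap",
        "-i", interface["device"],          # device name: stable across re-enumeration, unlike the index
        "-b", f"filesize:{filesize_kb}",    # rotate when a file reaches this many KB
        "-b", f"files:{files}",             # keep at most this many files, overwriting the oldest
        "-w", str(out_file),
    ]


def to_command_line(argv):
    """Render argv as a cmd.exe command line, quoting arguments that contain spaces."""
    return " ".join(f'"{arg}"' if " " in arg else arg for arg in argv)


if __name__ == "__main__":
    interfaces = parse_interfaces(SAMPLE_TSHARK_D)
    ethernet = find_interface(interfaces, "Ethernet")
    argv = build_dumpcap_argv(ethernet, r"C:\captures", "EmailCapture")  # assumed output folder
    budget_gib = ring_buffer_budget_bytes(32768, 128) / 1024 ** 3
    print(f"Ethernet is interface {ethernet['index']}: {ethernet['device']}")
    print(f"Ring buffer will use up to {budget_gib:.0f} GiB on disk")
    print(to_command_line(argv))
```

Run it from the Wireshark folder (or with the Wireshark folder on PATH) and paste the printed command into the administrator Command Prompt; the disk figure is the most the ring buffer can occupy, so check the target drive has at least that much free before leaving the capture running.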

Simple as that.

Sources

https://osqa-ask.wireshark.org/questions/5838/rolling-capture-for-a-weeks-long-event
https://www.youtube.com/watch?v=bKax-kyGH_k
http://packetlife.net/blog/2011/mar/9/long-term-traffic-capture-wireshark/
