SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox
Wireshark Captures with Dumpcap
In this video, learn how to use a dumpcap utility that streamlines scheduling of packet captures.
Tony Fortunato
February 23, 2018
1 Min Read
One of the tricky things about troubleshooting with network protocol analysis is getting comfortable with unattended capture when you need to start a capture at a specific time. There are three ways to approach this with Wireshark:
Write a script or macro that will navigate around the screen’s GUI and start/stop the capture.
Use the Tshark Wireshark utility and a scheduling program
Use the dumpcap Wireshark tool and a scheduling program
The problem with the first option is that if anything on the screen is repositioned, the script will fail. There has always been quite a debate over Tshark and dumpcap. I can safely say that when performance is a concern, dumpcap is the clear winner.
This is where DumpcapUI from Douglas A. Dietz comes in. This portable utility allows you to configure some of the more common dumpcap features using a GUI interface and configure a task in your Microsoft Scheduler.
In this video, I show how to get started with DumpcapUI.
I strongly recommend testing your configuration before scheduling or going live with any configuration and to use ring buffers for long-term capture. Also, use file size as your “Next file every” option instead of time. Unless you have a really good grasp of filtering and what traffic to expect, you have no idea how much traffic you will capture within a given time frame. Please see my previous video on large packet capture.
dumpcap.png
About the Author(s)
More Insights
Webinars
How to Amplify DevOps with DevSecOps
May 22, 2024Generative AI: Use Cases and Risks in 2024
May 29, 2024Smart Service Management
June 4, 2024