Long Term packet captures using Wireshark.

Over the years I have used Wireshark to capture packet traces on Windows devices. It did the job and for the most part was an invaluable tool, until, that is, I needed to capture packets over a period of time, usually when troubleshooting an intermittent network problem. Just when I needed the tool to work, it had crashed hours, minutes or days earlier and no one noticed. This week I had the same need and figured Wireshark had fixed this issue, since it had been a year or so since I last needed a long-term capture. Nope, thanks for letting me down again Wireshark. =)


This time I decided to see if there was another way to capture data more reliably, and I stumbled across dumpcap.exe, the command-line capture tool that ships with Wireshark. You can find the manual here: https://www.wireshark.org/docs/man-pages/dumpcap.html

I chose to capture a file per hour and rotate over 25 files to give me some history to review when users complain of issues.

Example command here:

dumpcap -i LAN -b duration:3600 -b files:25 -w y:\captures\packets.cap

LAN is the name of the interface as reported in Wireshark (on Linux it may be eth0; dumpcap -D lists the interfaces it can see), -b duration:3600 starts a new file every hour, and -w specifies the file name. When you specify a number of files, dumpcap appends a sequence number and a timestamp to that name as it rotates, so the files look like packets_00001_<timestamp>.cap.

This configuration results in a rolling set of 25 files: each hour a new file is started and, once 25 exist, the oldest one is deleted.

You can also specify a libpcap capture filter with -f to restrict the traffic dumpcap records. For example, the following command captures only DNS traffic to or from 208.67.220.220:

$ dumpcap -i eth0 -f "host 208.67.220.220 and udp port 53" -w dns.cap
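The crash-and-nobody-noticed problem from the start of the post is worth handling explicitly. Below is an added example (my own, not from the post or the Wireshark project) of a small watchdog that builds the ring-buffer command from the two examples above, restarts dumpcap whenever it exits, and prunes the files a crashed instance leaves behind. It assumes dumpcap is on the PATH and relies on dumpcap's ring-buffer naming, <name>_<5-digit sequence>_<YYYYMMDDHHMMSS><extension>; Python is used because the post covers both Windows and Linux.

```python
import re
import subprocess
import sys
import time
from pathlib import Path

# dumpcap names ring-buffer files <stem>_<5-digit seq>_<YYYYMMDDHHMMSS><ext>
RING_NAME = re.compile(r"^(?P<stem>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})(?P<ext>\.[A-Za-z0-9]+)$")

def dumpcap_args(iface, out, seconds=3600, files=25, bpf=None, exe="dumpcap"):
    """argv for an hourly ring of `files` files, plus an optional libpcap capture filter."""
    args = [exe, "-i", iface, "-b", f"duration:{seconds}", "-b", f"files:{files}", "-w", str(out)]
    if bpf:
        args += ["-f", bpf]
    return args

def ring_entries(names, out):
    """Ring files dumpcap wrote for `out`, oldest first. Sort by timestamp, not sequence:
    a restarted dumpcap begins again at 00001 and ignores the previous instance's files."""
    out, found = Path(out), []
    for name in names:
        m = RING_NAME.match(Path(name).name)
        if m and m.group("stem") == out.stem and m.group("ext") == out.suffix:
            found.append((m.group("ts"), int(m.group("seq")), name))
    return sorted(found)

def prune(out, keep=25):
    """Delete all but the newest `keep` ring files (otherwise two rings pile up after a
    restart) and return how many remain."""
    out = Path(out)
    entries = ring_entries([str(p) for p in out.parent.glob(f"{out.stem}_*{out.suffix}")], out)
    for _, _, path in entries[:max(len(entries) - keep, 0)]:
        Path(path).unlink()
    return min(len(entries), keep)

def supervise(args, out, files=25, delay=10):
    """Run dumpcap and restart it whenever it exits, so a crash no longer ends the capture silently."""
    while True:
        rc = subprocess.call(args)
        print(f"{time.strftime('%Y-%m-%d %H:%M:%S')} dumpcap exited rc={rc}; "
              f"restarting in {delay}s", file=sys.stderr)
        prune(out, keep=files)
        time.sleep(delay)

if __name__ == "__main__":  # usage: python capture_watchdog.py <interface> <outfile> ["bpf filter"]
    bpf = sys.argv[3] if len(sys.argv) > 3 else None
    supervise(dumpcap_args(sys.argv[1], sys.argv[2], bpf=bpf), sys.argv[2])
```

The restart messages go to stderr, so redirect them to a log file (or run the script under a service wrapper) to get a record of when the capture died and came back.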

Hopefully this is useful to my readers.


Michael