wireshark continous capture on windows - dumpcap

I've noticed Wireshark memory utilization increases when we use the GUI and it crashes eventually when we use it for continuous capture. Therefore better to use the dumpcap utility which comes with wireshark. First find out the interface , using dumpcap -D 
 
C:\Program Files (x86)\Wireshark>dumpcap.exe -D
1. \Device\NPF_{0A4C8668-EAC9-457F-9337-3C4EFCD43AAF} (Ethernet)
2. \Device\NPF_{1F2A8923-0CAD-4160-BBD7-EB11D6B45883} (VirtualBox Host-Only Network)
3. \Device\NPF_{1BB23144-4E34-42D9-92AB-C939B21119A3} (WiFi 2)
4. \Device\NPF_{3C5A536B-5BF8-42AA-A139-32FB360DA95C} (WiFi)
5. \Device\NPF_{A8EF2C83-9A49-4A9E-96E4-2128784ABD6B} (VMware Network Adapter VMnet1)
6. \Device\NPF_{EDB4678A-A120-47A1-A5BF-950A6F1DFA0E} (Local Area Connection 2)
7. \Device\NPF_{F33132F7-A8F9-4E2D-8D35-32A9F662C1C8} (VMware Network Adapter VMnet8)
then start the capture, we can define the parameter which rotate the file ( eg: duration , bytes ) 
 
Output (files):
  -w             name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b  ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
example: 
 
C:\Program Files (x86)\Wireshark>dumpcap.exe -i 1 -w H:\cap\log.cap -b duration:60
Capturing on 'Ethernet'
File: H:\cap\log_00001_20140225215710.cap
Packets: 1293 File: H:\cap\log_00002_20140225215810.cap
Packets: 1683 File: H:\cap\log_00003_20140225215910.cap
Packets: 1887

Comments

Post a Comment

Popular posts from this blog

PPTP Server as Cisco for Mikrotik Client

Image
Following configuration explains the Cisco as PPTP server and connecting two sites: Following Configuration needed to enable the VPDN and default server: vpdn enable ! vpdn-group Mtik ! Default PPTP VPDN group accept-dialin protocol pptp virtual-template 1 interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool IPPOOL1 ppp encrypt mppe auto required ppp authentication ms-chap-v2 ms-chap pap ip local pool IPPOOL1 192.168.150.10 192.168.150.224 Few more additional things we need to keep the same ip address for the user: aaa new-model ! ! aaa authentication ppp default local aaa authorization network default local ! aaa attribute list Gobi attribute type addr 192.168.150.13 service ppp protocol ip mandatory attribute type route "10.0.0.0 255.255.255.0 192.168.150.13" attribute type interface-config "description Gobi-test" Finally apply the attribute list to the user: username gobi password 0 test username gobi aaa attri...
Read more

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in...
Read more

proxy arp

Image
In the above diagram , both hosts don't have default routes. But both are in the same /16 subnet. When host1 tries to ping host2 will it be able to ping ? Yes this behaviour due to the Proxy Arp feature. Note: Cisco by default enabled the proxy arp feature you have to disable it manually . Check the following Debug messages "debug arp" from the router. When the Arp request for 192.168.20.101 received on the router Fa0/1 it replies with its own mac address of fa0/1. (c200.03fc.0001)and vice versa *Mar 1 00:11:43.071: IP ARP: rcvd req src 192.168.12.154 00aa.00f4.6800, dst 192.168.20.101 FastEthernet0/1 *Mar 1 00:11:43.075: IP ARP: sent rep src 192.168.20.101 c200.03fc.0001,dst 192.168.12.154 00aa.00f4.6800 FastEthernet0/1 *Mar 1 00:13:13.067: IP ARP: rcvd req src 192.168.20.101 00aa.0041.1d00, dst 192.168.12.154 FastEthernet0/0 *Mar 1 00:13:13.067: IP ARP: sent rep src 192.168.12.154 c200.03fc.0000, dst 192.168.20.101 00aa.0041.1d00 FastEther...
Read more