wireshark continous capture on windows - dumpcap

I've noticed Wireshark memory utilization increases when we use the GUI and it crashes eventually when we use it for continuous capture. Therefore better to use the dumpcap utility which comes with wireshark. First find out the interface , using dumpcap -D 
 
C:\Program Files (x86)\Wireshark>dumpcap.exe -D
1. \Device\NPF_{0A4C8668-EAC9-457F-9337-3C4EFCD43AAF} (Ethernet)
2. \Device\NPF_{1F2A8923-0CAD-4160-BBD7-EB11D6B45883} (VirtualBox Host-Only Network)
3. \Device\NPF_{1BB23144-4E34-42D9-92AB-C939B21119A3} (WiFi 2)
4. \Device\NPF_{3C5A536B-5BF8-42AA-A139-32FB360DA95C} (WiFi)
5. \Device\NPF_{A8EF2C83-9A49-4A9E-96E4-2128784ABD6B} (VMware Network Adapter VMnet1)
6. \Device\NPF_{EDB4678A-A120-47A1-A5BF-950A6F1DFA0E} (Local Area Connection 2)
7. \Device\NPF_{F33132F7-A8F9-4E2D-8D35-32A9F662C1C8} (VMware Network Adapter VMnet8)
then start the capture, we can define the parameter which rotate the file ( eg: duration , bytes ) 
 
Output (files):
  -w             name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b  ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
example: 
 
C:\Program Files (x86)\Wireshark>dumpcap.exe -i 1 -w H:\cap\log.cap -b duration:60
Capturing on 'Ethernet'
File: H:\cap\log_00001_20140225215710.cap
Packets: 1293 File: H:\cap\log_00002_20140225215810.cap
Packets: 1683 File: H:\cap\log_00003_20140225215910.cap
Packets: 1887

Comments

Post a Comment

Popular posts from this blog

l2tpv3 configuration reference

Image
Reference Comparing , Designing and Deploying VPNs chap - 02 : L2TPv3 is the enhanced version of L2TPv2 protocol. Mikrotik uses L2TPv2 i suppose but it offer another similar tunneling mechanism as EOIP. L2TPv3 in cisco provides Pseudo-wire services to the customer. L2TPv3 only require the IP connectivity between peers but it can transport Ethernet, 802.1Q , HDLC, PPP framerelay etc. Advantage over MPLS is the customer having the full control of their routing domain. L2TP depolyment methods having 3 topologies LAC - LNS , LNS - LNS , LAC - LAC Following Diagram explain simple LAC - LAC L2TPv3 setup. It uses two types of messages: control connection messages - used for signaling between LCEs session data messages - Used to transport layer 2 protocols and connections Data channel Message Header having Session ID & cookie to correctly associate with the tunnel Deploying dynamic Pseudowires session 1) configure CEF - Its default in IOSs now. 2) configure a loopback in
Read more

mikrotik queue tree - Per connection queuing.

Image
One of the cool feature on Mikrotik queuing is Per Connection Queuing . we can equally distribute the bandwidth among Number of users.[1] This setup explores the per connection queuing in the congestion situation and how to utilize the priority queuing features. [Please note Mikrotik Queue lowest priority value have highest priority eg: queue priority 7 traffic gets highest preference over queue priority 8  ] In this test setup 192.168.92.50 and 51 given 512Kbps per connection queuing(PCQ) Priority 6 . 192.168.52 and 54 placed under 256Kbps PCQ (Priority 8) and further youtube users given 384Kbps irrespective to the queue they are currently placed ( FIFO) . 1) Bridge setup - " Don't forget to enable the bridge firewall :) " /interface bridge add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes comment="" disabled=no forward-delay=15s l2mtu=1522 \ max-message-age=20s mtu=1500 name=br_traffic_shaper priority=0x8000 protocol-mode=none
Read more

Decoding BGP Notification Error

Following Log messages are normal in the IX scenario but decode the error message is quite interesting: We will see why this error message popped up : : %BGP-3-NOTIFICATION: sent to neighbor 10.10.194.236 2/7 (unsupported/disjoint capability) 0 bytes  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 0039 0104 xx0D 00B4 C06A 1102 1C02 0601 0400 0200 0102 0280 0002 0202 0002 0246 0002 0641 0400 00C4 0D its a raw hex out  of the BGP open message and starts from the marker  16byte FF so the actual output starts from 0039  2 byte length value : 00 39 - 57 1 byte Type : 01 open message 1 byte Version : 04 2 byte ASN : xx0D  [ modified to remove the relevant information ] 2 byte holdtime : 00 B4 - 180 Seconds 4 byte BGP identifier : C06A 1102 [ modified ] 1 byte Optional parameter length : 1C   - 28 bytes Refer RFC: http://tools.ietf.org/html/rfc5492 http://tools.ietf.org/html/draft-ietf-idr-ext-opt-param-02 http://www.iana.org/assignments/capability-codes/capability-c
Read more