Wednesday, February 26, 2014

wireshark continuous capture on windows - dumpcap

I've noticed Wireshark's memory utilization increase when we use the GUI, and it eventually crashes when we use it for continuous capture. Therefore it is better to use the dumpcap utility that comes with Wireshark. First find out the interface index with dumpcap -D:
C:\Program Files (x86)\Wireshark>dumpcap.exe -D
1. \Device\NPF_{0A4C8668-EAC9-457F-9337-3C4EFCD43AAF} (Ethernet)
2. \Device\NPF_{1F2A8923-0CAD-4160-BBD7-EB11D6B45883} (VirtualBox Host-Only Network)
3. \Device\NPF_{1BB23144-4E34-42D9-92AB-C939B21119A3} (WiFi 2)
4. \Device\NPF_{3C5A536B-5BF8-42AA-A139-32FB360DA95C} (WiFi)
5. \Device\NPF_{A8EF2C83-9A49-4A9E-96E4-2128784ABD6B} (VMware Network Adapter VMnet1)
6. \Device\NPF_{EDB4678A-A120-47A1-A5BF-950A6F1DFA0E} (Local Area Connection 2)
7. \Device\NPF_{F33132F7-A8F9-4E2D-8D35-32A9F662C1C8} (VMware Network Adapter VMnet8)
Then start the capture. The -b option sets the condition that rotates to a new output file (duration in seconds, file size in KB, or, with files:NUM, the number of files kept as a ring buffer). Note that duration or filesize alone only switches files and never deletes old ones, so for a truly continuous capture add -b files:NUM as well to bound the disk space used. The relevant part of dumpcap -h:
Output (files):
  -w             name of file to save (def: tempfile)
  -g                       enable group read access on the output file(s)
  -b  ... duration:NUM - switch to next file after NUM secs
                           filesize:NUM - switch to next file after NUM KB
                              files:NUM - ringbuffer: replace after NUM files
C:\Program Files (x86)\Wireshark>dumpcap.exe -i 1 -w H:\cap\log.cap -b duration:60
Capturing on 'Ethernet'
File: H:\cap\log_00001_20140225215710.cap
Packets: 1293 File: H:\cap\log_00002_20140225215810.cap
Packets: 1683 File: H:\cap\log_00003_20140225215910.cap
Packets: 1887
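The same procedure (resolve the adapter index from dumpcap -D, then start a rotating capture) scripted in PowerShell so it can be run unattended. This is an added example and not code from the original post; the Wireshark install path, the adapter name 'Ethernet', the output folder H:\cap and the 'not port 3389' filter are assumptions taken from the post's output and should be adjusted. It goes one step beyond the post by combining -b duration with -b files so the capture becomes a ring buffer rather than an ever-growing set of files.

```powershell
# Added example, not part of the original post. Wraps dumpcap so a continuous
# capture is bounded on disk: rotate every N seconds AND keep only the last M
# files (ring buffer). The Wireshark path below and the adapter name used in
# the usage line are assumptions taken from the post's output; adjust them.
$Dumpcap = 'C:\Program Files (x86)\Wireshark\dumpcap.exe'

function ConvertFrom-DumpcapInterfaceList {
    # Parse "dumpcap -D" output lines of the form
    #   1. \Device\NPF_{GUID} (Ethernet)
    # into objects with Index, Device and Name.
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            if ($line -match '^\s*(\d+)\.\s+(\S+)\s+\((.+)\)\s*$') {
                [pscustomobject]@{
                    Index  = [int]$Matches[1]
                    Device = $Matches[2]
                    Name   = $Matches[3]
                }
            }
        }
    }
}

function Get-DumpcapInterface {
    # Resolve a friendly adapter name to its dumpcap index (the number before the dot).
    param([Parameter(Mandatory)][string]$Name)
    $iface = (& $Dumpcap -D) | ConvertFrom-DumpcapInterfaceList | Where-Object { $_.Name -eq $Name }
    if (-not $iface) { throw "dumpcap reports no interface named '$Name'" }
    $iface
}

function Start-DumpcapRing {
    param(
        [Parameter(Mandatory)][string]$InterfaceName,
        [Parameter(Mandatory)][string]$OutDir,
        [int]$RotateSeconds = 60,    # -b duration:NUM, as in the post
        [int]$KeepFiles     = 1440,  # -b files:NUM; 1440 x 60 s keeps about one day, then the oldest file is overwritten
        [string]$Filter     = ''     # optional BPF capture filter passed with -f
    )
    $iface = Get-DumpcapInterface -Name $InterfaceName
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $outFile = Join-Path $OutDir 'log.cap'
    # Start-Process joins the argument list with spaces, so values that may
    # contain spaces (path, filter) are quoted explicitly.
    $dumpcapArgs = @('-i', $iface.Index, '-w', "`"$outFile`"",
                     '-b', "duration:$RotateSeconds", '-b', "files:$KeepFiles", '-q')
    if ($Filter) { $dumpcapArgs += @('-f', "`"$Filter`"") }
    Start-Process -FilePath $Dumpcap -ArgumentList $dumpcapArgs -NoNewWindow -PassThru
}

# Offline check of the parser against the listing shown in the post (constructed sample):
$sample = @'
1. \Device\NPF_{0A4C8668-EAC9-457F-9337-3C4EFCD43AAF} (Ethernet)
3. \Device\NPF_{1BB23144-4E34-42D9-92AB-C939B21119A3} (WiFi 2)
'@ -split "`r?`n"
$sample | ConvertFrom-DumpcapInterfaceList | Format-Table Index, Name, Device

# Usage (runs dumpcap in the background; keep the returned process object to stop it):
#   $cap = Start-DumpcapRing -InterfaceName 'Ethernet' -OutDir 'H:\cap' -Filter 'not port 3389'
#   ...later...
#   Stop-Process -Id $cap.Id
```

The capture is resolved by adapter name rather than by the numeric index because the index order from dumpcap -D can change when adapters (VPN, VirtualBox, VMware) are added or removed, which would silently capture on the wrong interface in a scheduled task. With -b duration:60 -b files:1440 the ring holds roughly one day of traffic and disk usage stays proportional to the traffic rate over that window instead of growing forever.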