How to use Wireshark for long duration captures

NOTE: This is provided as a guide only. Additional setup and testing may be needed before deploying it.

From: https://digitalsupport.ge.com/en_US/Article/How-to-use-Wireshark-for-long-duration-captures

Objective
How to use Wireshark (on Windows) to capture a driver or network issue that may only occur very infrequently, for example, to capture data on an issue which may occur only once a month.

Environment
Primary Product Line: All
Product Module: All

Procedure
To capture Wireshark data, you will need to use “dumpcap” which is a command line utility installed as part of Wireshark. It resides in the Wireshark root folder (e.g. C:\Program Files\Wireshark).
 
In order for the system to find dumpcap, you will need to include it as part of the Windows PATH environment variable, or explicitly specify the path.
 
To specify the path explicitly, you may need to enclose the path portion in double quotes, since it contains a space (e.g. "C:\Program Files\Wireshark\dumpcap" -i 3 -q -b filesize:200000 -b files:5000 -B 1024 -w d:\traces\mytrace.pcap).

Use the duration keyword in place of filesize to specify a length of time (in seconds) to spend filling each file (for example, one hour, or 3600 seconds). To avoid eventually filling the entire hard disk with capture files, include the files parameter to set up a ring buffer: once the maximum number of files has been saved, the oldest file is deleted and a new empty file is created in its place. The example below shows how to instruct dumpcap to maintain a rotating record of the last 24 hours' worth of traffic:

dumpcap -i 3 -q -b duration:3600 -b files:25 -w d:\traces\mytrace.pcap
 
We can also specify capture filters to limit the traffic captured by dumpcap. For example, the following command captures only traffic destined to or coming from 169.16.22.120 (a bare "host" filter matches every protocol to or from that address; to keep only that host's DNS traffic, extend it to "host 169.16.22.120 and port 53"):

dumpcap -i 3 -q -b duration:3600 -b files:25 -f "host 169.16.22.120" -w d:\traces\mytrace.pcap

Where:
  -i <n>          interface number (determined by entering dumpcap -D in a command prompt)
  -q              quiet mode, eliminates displaying the packet count
  -b filesize:n   size of each file to create, in KB
  -b duration:n   time to spend filling each file, in seconds
  -b files:n      number of files of the above size (or duration) to keep before the oldest is overwritten
  -B n            size of the kernel capture buffer to use, in MiB
  -w <path>.pcap  location to write the output files; the path specified must exist
 
A full description of dumpcap options can be found in the Wireshark root folder, in the file dumpcap.html (C:\Program Files\Wireshark\dumpcap.html).

In addition, a full description of the capture filter syntax is available via the Pcap-CaptureFilters hyperlink.
 
Additional Notes:

  1. It is NOT recommended that you save capture files to the system drive; use a non-system drive, such as drive D:, for this capture. If a non-system drive does not exist, you can also use a USB drive.

  2. The filesize on a 64-bit system is optimal at 200 MB (filesize:200000). For a 32-bit system, the optimal value is 50 MB (filesize:50000) or 100 MB (filesize:100000).

  3. The saved files are named with a sequence number and a compact ISO 8601 timestamp (YYYYMMDDhhmmss). For example, assuming the files were saved using the following command line:

dumpcap -i 3 -q -b duration:3600 -b files:25 -w d:\traces\mytrace.pcap

the d:\traces folder would contain files with a sequence number and timestamp as follows:

mytrace_00001_20170626164602.pcap

...
mytrace_00024_20170627154602.pcap

Where:

00001 = file sequence number
2017 = year
0626 = month/day
164602 = hour/min/sec in 24h format

The timestamp indicates when the capture of that file was started.
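The ring-buffer parameters and the file naming above make it possible to work out, from nothing but a directory listing, which file covers the moment an incident occurred. The following Python script is an added example, not part of the original article: it parses the prefix_sequence_timestamp names, treats each file's window as running from its own start time to the next file's start (the newest file gets the nominal -b duration:N length), and returns the file to open for a given incident time, or None when that time has already been rotated out of the ring. The 24 sample file names are constructed to match the listing above.

```python
import re
from datetime import datetime, timedelta

# Name layout from the article: <prefix>_<5-digit sequence>_<YYYYMMDDhhmmss>.pcap
NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.pcap(ng)?$")


def parse_name(name):
    """Return (seq, start_time) for a dumpcap ring-buffer file name, or None for
    a file that does not follow the naming (stray files are skipped by callers)."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    return int(m["seq"]), datetime.strptime(m["ts"], "%Y%m%d%H%M%S")


def capture_windows(names, duration_s):
    """[(name, start, end)] in sequence order. A file's window ends where the
    next file starts; the newest file gets the nominal -b duration:N length."""
    files = sorted((p[0], p[1], n) for n in names if (p := parse_name(n)))
    windows = []
    for i, (_, start, name) in enumerate(files):
        end = (files[i + 1][1] if i + 1 < len(files)
               else start + timedelta(seconds=duration_s))
        windows.append((name, start, end))
    return windows


def file_for_incident(names, duration_s, when_iso):
    """Name of the file covering the incident time (ISO 8601 text such as
    '2017-06-27 03:15'), or None if that time has already been rotated out of
    the ring buffer or lies after the newest file's window."""
    when = datetime.fromisoformat(when_iso)
    for name, start, end in capture_windows(names, duration_s):
        if start <= when < end:
            return name
    return None


# Constructed sample: the 24 hourly files of the listing above; the first file
# started 2017-06-26 16:46:02, so seq 24 starts 2017-06-27 15:46:02 as shown.
_FIRST = datetime(2017, 6, 26, 16, 46, 2)
SAMPLE_NAMES = [
    f"mytrace_{seq:05d}_{_FIRST + timedelta(hours=seq - 1):%Y%m%d%H%M%S}.pcap"
    for seq in range(1, 25)
] + ["notes.txt"]  # a stray file in the trace folder that must be ignored

if __name__ == "__main__":
    print(file_for_incident(SAMPLE_NAMES, 3600, "2017-06-27 03:15"))
```

Run it against a real d:\traces listing (os.listdir) with the duration you passed to dumpcap; a None result means the incident predates the oldest retained file, so the ring needs more files or a longer duration.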


CC Testing:

Tested with: Dumpcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)

System OS tested on: Microsoft Windows 10 Pro
Version 10.0.19044 Build 19044

Procedure and commands used:

  1. Decide which interface to capture the packets from using the output from dumpcap -D.

  2. Take the first number of the line that names the interface you want to capture packets from (in our case it is the number 8, as we want to capture from Ethernet 5).

  3. Specify this number after the -i parameter, as in the following command.

  4. Start capturing packets from the interface using: dumpcap -i 8 -q -b duration:10 -b files:5 -w d:\trace.pcap

Description:

I set dumpcap up to capture and store 5 files at maximum, each file is captured for 10 seconds (this duration was chosen purely for testing) on Ethernet 5. The interface number was specified according to the output of dumpcap -D.

Result: The files were saved as requested on the USB thumb drive (only 5 files were saved). See the following screen capture (note the file names starting with trace_00003 to trace_00007).

Tip: Depending on the network traffic and the optional capture filter you are using, files can grow in size very quickly, so care has to be taken not to overwhelm the device's RAM or storage when deciding on the filesize or duration parameters as well as the number of files to be stored.

Screen capture using dumpcap and resulting files

 



This solution was provided to you by Clear-Com via a question submitted to us by customers like you. If your question wasn’t answered, you need help or you have a recommended solution for our database, please send us an email at support@clearcom.com
