
How to run a Wireshark capture on a device without crashing it from over memory utilization | ShoreTel

Friday, May 30th, 2014
Details
Wireshark is a great network packet capture and analysis tool. Its graphical interface uses copious amounts of memory, so a capture that runs long enough eventually crashes Wireshark. A capture filter delays the crash somewhat (a display filter does not help, because every packet is still held in memory). Use Wireshark for:

  • short capture periods
  • low-throughput environments
  • offline analysis of packet-capture files.
Answer
For long-term packet capture, use dumpcap.exe (included with Wireshark). It runs independently of the Wireshark GUI and writes packets to a file, or to a rotating series of files, on disk, so memory use stays bounded.
Wireshark must be installed on the server before starting these steps:

  1. Create a directory on the server to hold the capture files (e.g. c:\PCAP_files\).
  2. Open a command window and change to the Wireshark install directory.
  3. Run “dumpcap.exe -D” to list the capture interfaces and note the number of the one you want.
  4. Start the capture with:

     dumpcap -i 1 -b duration:1800 -b files:12 -w c:\PCAP_files\DVS.pcap

     where -i is the interface number from step 3, -b duration:1800 starts a new file every 1800 seconds, -b files:12 keeps twelve files before the oldest is overwritten (a ring buffer), and -w is the directory from step 1 plus a file name. Leave the command window open while capturing; press Ctrl-C to stop.
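The same ring-buffer capture, driven from a script, as an added example that is not part of the ShoreTel article or of Wireshark itself. It parses the `dumpcap -D` listing (the interface output the article's step 3 refers to; the sample listing and its GUIDs below are constructed placeholders, not real adapters), picks an interface by name, builds the exact command line from step 4, and reports how much history the 12 × 1800 s ring buffer retains. The script name `ringcap.py` and the helper names are my own; it assumes `dumpcap` is on PATH.

```python
"""ringcap.py: run a dumpcap ring-buffer capture (added example, not ShoreTel's code)."""
from __future__ import annotations

import re
import shutil
import subprocess
import sys
from pathlib import Path

# One line of `dumpcap -D` output. Windows prints "1. \Device\NPF_{GUID} (Ethernet)",
# Linux prints "1. eth0"; the description in parentheses is optional.
INTERFACE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")

# Constructed sample of `dumpcap -D` output (GUIDs are placeholders, not real adapters).
SAMPLE_LISTING = """\
1. \\Device\\NPF_{00000000-0000-0000-0000-000000000001} (Ethernet)
2. \\Device\\NPF_{00000000-0000-0000-0000-000000000002} (Wi-Fi)
3. \\Device\\NPF_Loopback (Adapter for loopback traffic capture)
"""


def parse_interfaces(listing: str) -> list[dict]:
    """Turn `dumpcap -D` text into [{'number', 'name', 'description'}, ...]."""
    found = []
    for line in listing.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            found.append({"number": int(m.group(1)),
                          "name": m.group(2),
                          "description": m.group(3) or ""})
    return found


def find_interface(listing: str, wanted: str) -> int:
    """Return the interface number whose name or description contains `wanted`
    (case-insensitive); raise if the match is not unique."""
    hits = [i["number"] for i in parse_interfaces(listing)
            if wanted.lower() in (i["name"] + " " + i["description"]).lower()]
    if len(hits) != 1:
        raise LookupError(f"{wanted!r} matched {len(hits)} interfaces, expected exactly 1")
    return hits[0]


def build_dumpcap_command(interface: int, duration_s: int, files: int,
                          out_path: str, dumpcap: str = "dumpcap") -> list[str]:
    """argv for a ring-buffer capture: a new file every duration_s seconds,
    at most `files` files on disk, the oldest replaced when the buffer is full."""
    if interface < 1 or duration_s < 1 or files < 1:
        raise ValueError("interface, duration and file count must be positive")
    return [dumpcap, "-i", str(interface),
            "-b", f"duration:{duration_s}",
            "-b", f"files:{files}",
            "-w", out_path]


def retention_window_s(duration_s: int, files: int) -> int:
    """Seconds of history kept on disk before the oldest file is overwritten."""
    return duration_s * files


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print("usage: ringcap.py <interface-name-substring> <output.pcap>", file=sys.stderr)
        return 2
    dumpcap = shutil.which("dumpcap") or shutil.which("dumpcap.exe")
    if not dumpcap:
        print("dumpcap not found on PATH; install Wireshark first", file=sys.stderr)
        return 1
    listing = subprocess.run([dumpcap, "-D"], capture_output=True, text=True, check=True).stdout
    iface = find_interface(listing, argv[1])
    out = Path(argv[2])
    out.parent.mkdir(parents=True, exist_ok=True)  # step 1 of the article
    cmd = build_dumpcap_command(iface, 1800, 12, str(out), dumpcap)
    hours = retention_window_s(1800, 12) / 3600
    print(f"keeping the last {hours:g} h of traffic on disk; press Ctrl-C to stop")
    print(" ".join(cmd))
    return subprocess.call(cmd)  # blocks until Ctrl-C, like the interactive command


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python ringcap.py Ethernet c:\PCAP_files\DVS.pcap`. Matching the interface by name rather than by a hard-coded number matters on servers where the `-D` ordering changes after a driver or NIC change; the script refuses to start if the name is ambiguous instead of silently capturing the wrong adapter.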

via ShoreTel | Support – How to run a Wireshark capture on a device without crashing it from over memory utilization.