Solved

Run Wireshark as a service / autorotate capture logs?

Posted on 2014-01-23
4
2,919 Views
Last Modified: 2014-02-16
Is it possible to automate Wireshark to run as a Windows Service?  

What I need is for a Windows box running Windows XP or Windows 7 to capture network packets ALL THE TIME, automatically restarting wireshark if the system is restarted.

Additionally, I would like for the capture to auto-rotate if possible, where I set the maximum amount of storage that a capture would occupy and have the oldest captures purge so that the newest captures could come in.

If there is no option to auto-rotate, I could maybe automate the restarting of Wireshark every night and have a batch file auto-purge old captures at this time.  

Is anyone doing anything like this proactively?
0
Comment
Question by:jkeegan123
  • 2
4 Comments
 
LVL 34

Accepted Solution

by:
Dan Craciun earned 500 total points
ID: 39805022
You probably should read this, on how to start Wireshark from command line (or from a batch that runs at startup): https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html

In particular, you'll need the -k option (start capture immediately) and some form of ring buffer, with -a and -b

HTH,
Dan
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 39805253
So this led me down quite a rabbit hole, thank you....

what I'm trying to do is create a passive VOIP monitor on a dedicated workstation.  It seems that Wireshark is just a fancy wrapper for DUMPCAP.EXE....do you know if DUMPCAP can capture automatically at startup and use ringbuffer mode?  

Please let me know if you have any recommended startup options, I'd really like to have this as a passive probe that can go back several hours / days / weeks depending on storage and volume of traffic at the location.

Thanks!
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39809713
not sure your budget, but you could look at VOIP Monitor (www.voipmonitor.org).  The product is open source so you get the core for free but with a fairly reasonable rate you get commercial support and more codecs.  It provides a very nice interface and makes it much easier to do voip analysis.  just a thought anyway.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 39837763
Here's what I ended up doing, and this works perfectly, automatically, and perpetually on any windows workstation or server...and it's free!

1.  Install Wireshark
2.  Write a batch file that starts DUMPCAP.EXE in ring buffer mode (dumpcap -w CAPNAME -b filesize:51200 (50MB, YMMV) -b files:1000)
3.  Write a batch file that checks if DUMPCAP.EXE is running (tasklist | find "dumpcap.exe", if %errorlevel% = 1 then run start-dumpcap.bat) and have this run every HOUR in case DUMPCAP is stopped or crashes.
4.  Write a batch file that clears all archived ZIPS, ZIPS all .PCAP files to a new ZIP archive, and then FTP's the archive to a target FTP daily.

The result is a system of batch files that captures on the target network and RESTARTS the capture even if it is stopped or crashes, and uploads the results to a listening FTP site.

VOIP MONITOR looked REALLY GREAT, but alas it only runs on Linux and I could not easily make that portable, even with VMWare player.
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now