Solved

Run Wireshark as a service / autorotate capture logs?

Posted on 2014-01-23
3,205 Views
Last Modified: 2014-02-16
Is it possible to automate Wireshark to run as a Windows Service?  

What I need is for a Windows box running Windows XP or Windows 7 to capture network packets ALL THE TIME, automatically restarting wireshark if the system is restarted.

Additionally, I would like for the capture to auto-rotate if possible, where I set the maximum amount of storage that a capture would occupy and have the oldest captures purge so that the newest captures could come in.

If there is no option to auto-rotate, I could maybe automate the restarting of Wireshark every night and have a batch file auto-purge old captures at this time.  

Is anyone doing anything like this proactively?
Question by:jkeegan123
4 Comments
 
LVL 35

Accepted Solution

by:
Dan Craciun earned 500 total points
ID: 39805022
You probably should read this, on how to start Wireshark from command line (or from a batch that runs at startup): https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html

In particular, you'll need the -k option (start capture immediately) and some form of ring buffer, with -a and -b

HTH,
Dan
 
LVL 5

Author Comment

by:jkeegan123
ID: 39805253
So this led me down quite a rabbit hole, thank you....

What I'm trying to do is create a passive VoIP monitor on a dedicated workstation. It seems that Wireshark is just a fancy wrapper for DUMPCAP.EXE... do you know if DUMPCAP can capture automatically at startup and use ring buffer mode?

Please let me know if you have any recommended startup options, I'd really like to have this as a passive probe that can go back several hours / days / weeks depending on storage and volume of traffic at the location.

Thanks!
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39809713
Not sure of your budget, but you could look at VoIP Monitor (www.voipmonitor.org). The product is open source, so you get the core for free, but for a fairly reasonable rate you get commercial support and more codecs. It provides a very nice interface and makes it much easier to do VoIP analysis. Just a thought anyway.
 
LVL 5

Author Comment

by:jkeegan123
ID: 39837763
Here's what I ended up doing, and this works perfectly, automatically, and perpetually on any Windows workstation or server... and it's free!

1.  Install Wireshark.
2.  Write a batch file that starts DUMPCAP.EXE in ring buffer mode: `dumpcap -w CAPNAME -b filesize:51200 -b files:1000` (filesize is in kB, so 51200 is 50 MB per file; YMMV).
3.  Write a batch file that checks if DUMPCAP.EXE is running (`tasklist | find /I "dumpcap.exe"`, then `if errorlevel 1 call start-dumpcap.bat`, since `find` sets errorlevel 1 when there is no match) and have this run every HOUR in case DUMPCAP is stopped or crashes.
4.  Write a batch file that clears all archived ZIPs, ZIPs all .PCAP files into a new ZIP archive, and then FTPs the archive to a target FTP server daily.

The result is a system of batch files that captures on the target network and RESTARTS the capture even if it is stopped or crashes, and uploads the results to a listening FTP site.

VoIP Monitor looked REALLY GREAT, but alas it only runs on Linux and I could not easily make that portable, even with VMware Player.
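The four steps above, together with the `-b` ring-buffer options Dan pointed to, folded into one PowerShell script as an added example. This is not code from the original thread or from the Wireshark project; the install path, interface number, capture directory, archive URL and the `CAP_FTP_USER`/`CAP_FTP_PASS` environment variables are all assumptions, and the schtasks lines in the header are how you would wire it to boot, hourly and daily on XP/7 instead of three separate batch files.

```powershell
# capture-watchdog.ps1 -- added example, not from the original thread.
# One script for the poster's three jobs: start dumpcap in ring-buffer mode,
# restart it if it has died, and (with -Archive) ship finished files off-box.
#
# Assumed, not stated in the thread: Wireshark install path, interface number,
# capture directory, archive server and the environment variables holding its
# credentials. Adjust every one of them.
#
# Scheduling, run once from an elevated prompt (watchdog at boot + hourly,
# archive once a day):
#   schtasks /Create /TN DumpcapBoot    /SC ONSTART        /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\captures\capture-watchdog.ps1"
#   schtasks /Create /TN DumpcapHourly  /SC HOURLY         /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\captures\capture-watchdog.ps1"
#   schtasks /Create /TN DumpcapArchive /SC DAILY /ST 02:00 /RU SYSTEM /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File C:\captures\capture-watchdog.ps1 -Archive"

param(
    [string] $DumpcapExe = (Join-Path $env:ProgramFiles 'Wireshark\dumpcap.exe'),  # assumed path
    [string] $CaptureDir = 'C:\captures',      # assumed
    [int]    $Interface  = 1,                  # assumed; list interfaces with: dumpcap -D
    [int]    $FileSizeKB = 51200,              # 50 MB per file; dumpcap's filesize unit is kB
    [int]    $MaxFiles   = 1000,               # ring of 1000 files, so roughly 50 GB on disk at most
    [string] $Filter     = '',                 # empty = everything; a SIP/RTP filter is site-specific
    [switch] $Archive,
    [string] $ArchiveUrl = 'ftp://archive.example.invalid/captures/'  # assumed; FTP is cleartext, see note
)

function Test-DumpcapRunning {
    # Same check as the poster's "tasklist | find dumpcap.exe", without parsing text.
    [bool](Get-Process -Name 'dumpcap' -ErrorAction SilentlyContinue)
}

function Start-RingCapture {
    if (-not (Test-Path -LiteralPath $CaptureDir)) {
        New-Item -ItemType Directory -Path $CaptureDir | Out-Null
    }
    # "-b filesize:N -b files:M" is the ring buffer: once M files exist, dumpcap
    # deletes the oldest before starting the next, so the capture never grows
    # past about N*M kB and the question's "purge the oldest" is handled by
    # dumpcap itself. Add "-b duration:86400" to also cut a new file nightly.
    # Files come out as cap_NNNNN_YYYYMMDDhhmmss.pcapng.
    $dumpcapArgs = @(
        '-i', $Interface,
        '-w', (Join-Path $CaptureDir 'cap.pcapng'),
        '-b', "filesize:$FileSizeKB",
        '-b', "files:$MaxFiles",
        '-q'   # no live packet counter; there is no console to watch it on anyway
    )
    if ($Filter) { $dumpcapArgs += @('-f', ('"{0}"' -f $Filter)) }
    Start-Process -FilePath $DumpcapExe -ArgumentList $dumpcapArgs -WindowStyle Hidden
    Write-Host "started: dumpcap $($dumpcapArgs -join ' ')"
}

function Send-CompletedCaptures {
    # Newest file is the one dumpcap is still writing; never touch it.
    $files = @(Get-ChildItem -Path $CaptureDir -Filter 'cap_*.pcapng' | Sort-Object LastWriteTime)
    if ($files.Count -lt 2) { return }
    $done = $files[0..($files.Count - 2)]

    # Remember the newest file already uploaded so a daily run does not
    # re-send the whole ring (1000 x 50 MB) every night.
    $stamp = Join-Path $CaptureDir 'last-archive.txt'
    $since = [datetime]::MinValue
    if (Test-Path -LiteralPath $stamp) {
        $since = [datetime]::Parse((Get-Content -LiteralPath $stamp))
    }

    $client = New-Object System.Net.WebClient
    # Assumed: credentials come from the scheduled task's environment, not this file.
    $client.Credentials = New-Object System.Net.NetworkCredential($env:CAP_FTP_USER, $env:CAP_FTP_PASS)
    foreach ($f in $done) {
        if ($f.LastWriteTime -le $since) { continue }
        $client.UploadFile($ArchiveUrl + $f.Name, $f.FullName) | Out-Null
        $f.LastWriteTime.ToString('o') | Set-Content -LiteralPath $stamp
        Write-Host "uploaded $($f.Name)"
    }
}

if ($Archive) {
    Send-CompletedCaptures
} elseif (Test-DumpcapRunning) {
    Write-Host 'dumpcap already running; nothing to do'
} else {
    Start-RingCapture
}
```

Two caveats a passive VoIP probe needs that the thread does not mention. The ring contains call audio and SIP digest exchanges, so restrict the capture directory to SYSTEM and administrators (for example with `icacls C:\captures /inheritance:r /grant "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"`) rather than leaving it world-readable. And plain FTP sends both the account password and every pcap in the clear across the same network you are monitoring; the `WebClient` upload above works as written, but point it at an FTPS/SFTP endpoint or run it over a VPN before relying on it.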
