Run Wireshark as a service / autorotate capture logs?
Is it possible to automate Wireshark to run as a Windows Service?
What I need is for a Windows box running Windows XP or Windows 7 to capture network packets ALL THE TIME, automatically restarting wireshark if the system is restarted.
Additionally, I would like for the capture to auto-rotate if possible, where I set the maximum amount of storage that a capture would occupy and have the oldest captures purge so that the newest captures could come in.
If there is no option to auto-rotate, I could maybe automate the restarting of Wireshark every night and have a batch file auto-purge old captures at this time.
Is anyone doing anything like this proactively?
What I need is for a Windows box running Windows XP or Windows 7 to capture network packets ALL THE TIME, automatically restarting wireshark if the system is restarted.
Additionally, I would like for the capture to auto-rotate if possible, where I set the maximum amount of storage that a capture would occupy and have the oldest captures purge so that the newest captures could come in.
If there is no option to auto-rotate, I could maybe automate the restarting of Wireshark every night and have a batch file auto-purge old captures at this time.
Is anyone doing anything like this proactively?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
not sure your budget, but you could look at VOIP Monitor (www.voipmonitor.org). The product is open source so you get the core for free but with a fairly reasonable rate you get commercial support and more codecs. It provides a very nice interface and makes it much easier to do voip analysis. just a thought anyway.
ASKER
Here's what I ended up doing, and this works perfectly, automatically, and perpetually on any windows workstation or server...and it's free!
1. Install Wireshark
2. Write a batch file that starts DUMPCAP.EXE in ring buffer mode (dumpcap -w CAPNAME -b filesize:51200 (50MB, YMMV) -b files:1000)
3. Write a batch file that checks if DUMPCAP.EXE is running (tasklist | find "dumpcap.exe", if %errorlevel% = 1 then run start-dumpcap.bat) and have this run every HOUR in case DUMPCAP is stopped or crashes.
4. Write a batch file that clears all archived ZIPS, ZIPS all .PCAP files to a new ZIP archive, and then FTP's the archive to a target FTP daily.
The result is a system of batch files that captures on the target network and RESTARTS the capture even if it is stopped or crashes, and uploads the results to a listening FTP site.
VOIP MONITOR looked REALLY GREAT, but alas it only runs on Linux and I could not easily make that portable, even with VMWare player.
1. Install Wireshark
2. Write a batch file that starts DUMPCAP.EXE in ring buffer mode (dumpcap -w CAPNAME -b filesize:51200 (50MB, YMMV) -b files:1000)
3. Write a batch file that checks if DUMPCAP.EXE is running (tasklist | find "dumpcap.exe", if %errorlevel% = 1 then run start-dumpcap.bat) and have this run every HOUR in case DUMPCAP is stopped or crashes.
4. Write a batch file that clears all archived ZIPS, ZIPS all .PCAP files to a new ZIP archive, and then FTP's the archive to a target FTP daily.
The result is a system of batch files that captures on the target network and RESTARTS the capture even if it is stopped or crashes, and uploads the results to a listening FTP site.
VOIP MONITOR looked REALLY GREAT, but alas it only runs on Linux and I could not easily make that portable, even with VMWare player.
ASKER
what I'm trying to do is create a passive VOIP monitor on a dedicated workstation. It seems that Wireshark is just a fancy wrapper for DUMPCAP.EXE....do you know if DUMPCAP can capture automatically at startup and use ringbuffer mode?
Please let me know if you have any recommended startup options, I'd really like to have this as a passive probe that can go back several hours / days / weeks depending on storage and volume of traffic at the location.
Thanks!