Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Run Wireshark as a service / autorotate capture logs?

Posted on 2014-01-23
4
Medium Priority
?
3,867 Views
Last Modified: 2014-02-16
Is it possible to automate Wireshark to run as a Windows Service?  

What I need is for a Windows box running Windows XP or Windows 7 to capture network packets ALL THE TIME, automatically restarting wireshark if the system is restarted.

Additionally, I would like for the capture to auto-rotate if possible, where I set the maximum amount of storage that a capture would occupy and have the oldest captures purge so that the newest captures could come in.

If there is no option to auto-rotate, I could maybe automate the restarting of Wireshark every night and have a batch file auto-purge old captures at this time.  

Is anyone doing anything like this proactively?
0
Comment
Question by:jkeegan123
  • 2
4 Comments
 
LVL 35

Accepted Solution

by:
Dan Craciun earned 2000 total points
ID: 39805022
You probably should read this, on how to start Wireshark from command line (or from a batch that runs at startup): https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html

In particular, you'll need the -k option (start capture immediately) and some form of ring buffer, with -a and -b

HTH,
Dan
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 39805253
So this led me down quite a rabbit hole, thank you....

what I'm trying to do is create a passive VOIP monitor on a dedicated workstation.  It seems that Wireshark is just a fancy wrapper for DUMPCAP.EXE....do you know if DUMPCAP can capture automatically at startup and use ringbuffer mode?  

Please let me know if you have any recommended startup options, I'd really like to have this as a passive probe that can go back several hours / days / weeks depending on storage and volume of traffic at the location.

Thanks!
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39809713
not sure your budget, but you could look at VOIP Monitor (www.voipmonitor.org).  The product is open source so you get the core for free but with a fairly reasonable rate you get commercial support and more codecs.  It provides a very nice interface and makes it much easier to do voip analysis.  just a thought anyway.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 39837763
Here's what I ended up doing, and this works perfectly, automatically, and perpetually on any windows workstation or server...and it's free!

1.  Install Wireshark
2.  Write a batch file that starts DUMPCAP.EXE in ring buffer mode (dumpcap -w CAPNAME -b filesize:51200 (50MB, YMMV) -b files:1000)
3.  Write a batch file that checks if DUMPCAP.EXE is running (tasklist | find "dumpcap.exe", if %errorlevel% = 1 then run start-dumpcap.bat) and have this run every HOUR in case DUMPCAP is stopped or crashes.
4.  Write a batch file that clears all archived ZIPS, ZIPS all .PCAP files to a new ZIP archive, and then FTP's the archive to a target FTP daily.

The result is a system of batch files that captures on the target network and RESTARTS the capture even if it is stopped or crashes, and uploads the results to a listening FTP site.

VOIP MONITOR looked REALLY GREAT, but alas it only runs on Linux and I could not easily make that portable, even with VMWare player.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question