Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Run Wireshark as a service / autorotate capture logs?

Posted on 2014-01-23
4
Medium Priority
?
3,699 Views
Last Modified: 2014-02-16
Is it possible to automate Wireshark to run as a Windows Service?  

What I need is for a Windows box running Windows XP or Windows 7 to capture network packets ALL THE TIME, automatically restarting wireshark if the system is restarted.

Additionally, I would like for the capture to auto-rotate if possible, where I set the maximum amount of storage that a capture would occupy and have the oldest captures purge so that the newest captures could come in.

If there is no option to auto-rotate, I could maybe automate the restarting of Wireshark every night and have a batch file auto-purge old captures at this time.  

Is anyone doing anything like this proactively?
0
Comment
Question by:jkeegan123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 35

Accepted Solution

by:
Dan Craciun earned 2000 total points
ID: 39805022
You probably should read this, on how to start Wireshark from command line (or from a batch that runs at startup): https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html

In particular, you'll need the -k option (start capture immediately) and some form of ring buffer, with -a and -b

HTH,
Dan
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 39805253
So this led me down quite a rabbit hole, thank you....

what I'm trying to do is create a passive VOIP monitor on a dedicated workstation.  It seems that Wireshark is just a fancy wrapper for DUMPCAP.EXE....do you know if DUMPCAP can capture automatically at startup and use ringbuffer mode?  

Please let me know if you have any recommended startup options, I'd really like to have this as a passive probe that can go back several hours / days / weeks depending on storage and volume of traffic at the location.

Thanks!
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 39809713
not sure your budget, but you could look at VOIP Monitor (www.voipmonitor.org).  The product is open source so you get the core for free but with a fairly reasonable rate you get commercial support and more codecs.  It provides a very nice interface and makes it much easier to do voip analysis.  just a thought anyway.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 39837763
Here's what I ended up doing, and this works perfectly, automatically, and perpetually on any windows workstation or server...and it's free!

1.  Install Wireshark
2.  Write a batch file that starts DUMPCAP.EXE in ring buffer mode (dumpcap -w CAPNAME -b filesize:51200 (50MB, YMMV) -b files:1000)
3.  Write a batch file that checks if DUMPCAP.EXE is running (tasklist | find "dumpcap.exe", if %errorlevel% = 1 then run start-dumpcap.bat) and have this run every HOUR in case DUMPCAP is stopped or crashes.
4.  Write a batch file that clears all archived ZIPS, ZIPS all .PCAP files to a new ZIP archive, and then FTP's the archive to a target FTP daily.

The result is a system of batch files that captures on the target network and RESTARTS the capture even if it is stopped or crashes, and uploads the results to a listening FTP site.

VOIP MONITOR looked REALLY GREAT, but alas it only runs on Linux and I could not easily make that portable, even with VMWare player.
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
In this article, WatchGuard's Director of Security Strategy and Research Teri Radichel, takes a look at insider threats, the risk they can pose to your organization, and the best ways to defend against them.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question