EU’s Parliament has awakened and is taking cyber security seriously! (by The Oldcommguy®)
It’s Never Too Early to Prepare for the Holiday Season – Why Businesses Need to Run Load Tests Now (by Lusine Khachatryan)

Using Dumpcap for Long-term Capture (by Paul Offord)

There are often times when we might want to capture network packets for long periods but this isn't practical with Wireshark.  Fortunately, the Wireshark suite does include a tool that can do it, and that tool is dumpcap.

Introduction

I'm sure you've had the situation where you been asked to investigate a problem that only happens once a week.  You'd love to get a packet capture when the problem occurs, but how?  Wireshark has a ring buffer capability that could be used but there are problems:

  • If the trace gets stopped due to a scheduled network change, who will restart it?  Will the person on shift know how to restart Wireshark and can they be trusted to start it with the correct settings?

  • As Wireshark runs it decodes packets and its data structures grow.  This causes performance issues and eventually Wireshark may simply run out of virtual memory and crash.

Luckily there is a simple answer.

Wireshark_and_dumpcap

Capturing with Dumpcap

When you start a Wireshark capture, Wireshark actually starts a capture program called dumpcap.  The great thing is that we can use dumpcap directly from the command line.

Dumpcap doesn't decode the packets as it captures and so ...

... it's memory use remains constant.  That means we can run it for days, weeks or months.

In this video we look at dumpcap in detail; how it works, how to use it and when to use it.

 

[MP4 download here in case YouTube is blocked]

 

We've had great success capturing in this way.  Just before Christmas last year (2014) we started dumpcap on three Windows servers.  We captured the data we needed, did the analysis and found the problem.  We then restarted the captures in case further problems occurred.  In May this year the customer called to ask if we could see if we had network captures for a new problem.  We checked the capture units and found that they had all been capturing continuously for 5 months.

Dumpcap is a great tool - you should get into it.

Best regards...Paul

 

Picture of Paul OffordAuthor Profile - Paul Offord has had a 37-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems.

Paul and the problem analysts at Advance7 help IT support teams in many business sectors to troubleshoot difficult performance and stability problems. Paul played a key role in the development of the RPR problem diagnosis method and is currently leading the TribeLab project to explore new ways to help IT support people learn troubleshooting skills.

Comments