If you read my last blog you'll remember that we discovered how we can use dumpcap for long-term capture. So now that you have a couple of hundred trace files, how on earth do you extract the useful stuff? Read on.
We saw in the last blog that we can configure dumpcap with a ring buffer so that we can run a continuous capture until the problem we are investigating occurs.
C:\traces>wizz mytrace "tcp.port==445 && ip.addr==10.100.20.242" smb_traffic.pcapng
Input files start: mytrace
Filter is: "tcp.port==445 && ip.addr==192.168.20.242"
Output file is: smb_traffic.pcapng
Merge output: Yes
.
Processing: mytrace_00008_20150828074055.pcapng
Processing: mytrace_00009_20150828074140.pcapng
Processing: mytrace_00010_20150828074225.pcapng
Processing: mytrace_00011_20150828074256.pcapng
Moving output to specified path and name
1 file(s) moved.
C:\traces>
The chances are that once the problem has occurred we will just want to extract the trace entries for one user.
Wizz is a simple Windows batch command script file ...
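The same filter-and-merge job that the wizz run above performs, written out as an added Python example (this is not the Wizz batch script and not code from the original post). It assumes dumpcap's ring-buffer naming of `<prefix>_<5-digit sequence>_<YYYYmmddHHMMSS>.pcapng`, that the timestamp in the name is the file's creation time, and that `tshark` and `mergecap` are on PATH when the generated commands are run. It goes one step beyond the post: instead of processing every file with the given prefix, it first narrows the list to the files whose capture interval overlaps the time window in which the problem occurred, so a user's SMB traffic can be pulled from a few hundred ring-buffer files without reading all of them. The directory listing is constructed from the four file names in the post plus a few extra entries.

```python
"""Pick the dumpcap ring-buffer files that cover an incident window and build
the tshark / mergecap commands that extract one user's traffic from them.

Assumptions (not from the original post): ring-buffer files are named
<prefix>_<5-digit sequence>_<YYYYmmddHHMMSS>.pcapng, the timestamp is the
file's creation time, and tshark/mergecap are on PATH when commands are run.
"""
import re
import subprocess
from datetime import datetime

RING_NAME = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.pcapng$")

# Constructed directory listing, extended from the four names in the post.
SAMPLE_FILES = [
    "mytrace_00007_20150828074010.pcapng",
    "mytrace_00008_20150828074055.pcapng",
    "mytrace_00009_20150828074140.pcapng",
    "mytrace_00010_20150828074225.pcapng",
    "mytrace_00011_20150828074256.pcapng",
    "mytrace_00012_20150828074330.pcapng",
    "notes.txt",  # non-capture files in the directory are ignored
]


def parse_ring_name(name):
    """Return (prefix, sequence, creation time) for a ring-buffer file, else None."""
    m = RING_NAME.match(name)
    if not m:
        return None
    return (m.group("prefix"), int(m.group("seq")),
            datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S"))


def select_files(names, prefix, start, end):
    """Return the files whose capture interval overlaps [start, end].

    A file holds traffic from its own creation time until the next file in the
    sequence was created; the newest file is treated as still open.
    """
    parsed = []
    for n in names:
        p = parse_ring_name(n)
        if p and p[0] == prefix:
            parsed.append((p[1], p[2], n))  # (sequence, created, filename)
    parsed.sort()

    chosen = []
    for i, (_, created, n) in enumerate(parsed):
        closed = parsed[i + 1][1] if i + 1 < len(parsed) else None
        if closed is not None and closed < start:
            continue   # rotated out before the window began
        if created > end:
            break      # this and every later file start after the window
        chosen.append(n)
    return chosen


def user_filter(ip, port=445):
    """Display filter for one client's SMB traffic, as in the post's wizz call."""
    return f"tcp.port=={port} && ip.addr=={ip}"


def build_commands(files, display_filter, out_file):
    """One tshark pass per file (display filter -> filtered copy), then one mergecap."""
    cmds, parts = [], []
    for n in files:
        part = n[:-len(".pcapng")] + ".filtered.pcapng"
        parts.append(part)
        cmds.append(["tshark", "-r", n, "-Y", display_filter, "-w", part])
    cmds.append(["mergecap", "-w", out_file] + parts)
    return cmds


def run_commands(cmds):
    """Execute the pipeline in order; a failing tshark step stops the merge."""
    for c in cmds:
        subprocess.run(c, check=True)


def example_selection():
    """Files from the constructed listing covering 07:41:00-07:42:40 on 2015-08-28."""
    start = datetime(2015, 8, 28, 7, 41, 0)
    end = datetime(2015, 8, 28, 7, 42, 40)
    return select_files(SAMPLE_FILES, "mytrace", start, end)


if __name__ == "__main__":
    files = example_selection()
    cmds = build_commands(files, user_filter("10.100.20.242"), "smb_traffic.pcapng")
    for c in cmds:
        print(subprocess.list2cmdline(c))
    # run_commands(cmds) executes them once tshark and mergecap are installed
```

Running the script prints the three tshark commands and the mergecap command for the files that overlap the window; `run_commands` executes them. The per-file tshark pass keeps memory flat on large ring buffers, and passing each command as an argument list means the `&&` in the display filter never reaches a shell.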