
Changing Defaults


We are running SIP and RTP stream captures that are being sent to a Windows capture server using 10 Gig Fiber. This is the only thing we are using it for. What we are finding is there seems to be no way to change the defaults. For example, in Help - About Wireshark - Folders, the default for "File" dialogs goes to the "My Documents" folder. Is there a file that can be modified in Wireshark to change this directory? If not, is there an environment variable we can change in Windows that would allow this directory to change on startup?

Second question: since we are doing SIP/RTP captures, we are selecting the same options every time in the Wireshark Capture Options window. I can modify the Capture and Display options in the C:\Documents and Settings\xxx\Application Data\Wireshark\preferences file, but additionally I would like the Capture Filter to default to "udp port 5060", I would always want the capture file to be named capture.cap and default to a different directory than "My Documents" in Windows. Lastly, I always want "Use multiple files" selected and "Next file every" checked and defaulted to 100 megabytes and Ring buffer unselected. Is there any way to accomplish any of this?

asked 13 Jan '11, 10:17


pmatthews0104


3 Answers:


Maybe you might consider doing your captures through the command line tool dumpcap.exe instead of running Wireshark (which calls dumpcap when starting a capture anyway, passing a couple of parameters to it depending on your capture options dialog settings). If I were you I'd write a small script that calls dumpcap with your favorite parameters. That would also reduce overhead on the capture system because it can fully concentrate on receiving frames and writing them to disk.

Dumpcap.exe is installed with Wireshark in the same directory as the wireshark.exe. If you call it with dumpcap.exe -h you'll get a list of all parameters, and basically all you want to do is possible using those.

An example (which I admit I haven't tested, just to give you an idea) would be:

dumpcap -f "udp port 5060" -w <pathyouwant>\capture.cap -b filesize:100000000

answered 13 Jan '11, 11:50


Jasper ♦♦

Thanks Jasper, I'll give that a try

(14 Jan '11, 07:30) pmatthews0104


Here's the batch file I came up with, if anyone is interested in any of the pieces of it. Basically, it cleans out a directory, then starts a SIP capture for udp port 5060. From there, you plug in a phone number and Wireshark will fire up using a display filter of the phone number variable you entered. This allows you to find an RTP port associated with a SIP INVITE. Then when you close Wireshark, you go back to the command prompt and enter the UDP port of the RTP stream you are looking for. It will then fire up a live capture of the RTP stream.

ECHO OFF
CLS
ECHO Moving Any Existing Files in "G:\SIP Captures" to "G:\SIP Captures\Archive"
ECHO.
ECHO.
Explorer "G:\Sip Captures"
move /Y "G:\SIP Captures\*.*" "G:\SIP Captures\Archive"
cd "G:\SIP Captures"
ECHO.
ECHO.
ECHO Hit any Key to Start Capturing
ECHO.
pause
REM Capture SIP signalling with dumpcap; -i is the NPF interface GUID of the capture NIC
START "Wireshark" "C:\Program Files\Wireshark\dumpcap.exe" -i \Device\NPF_{E4E0896B-49C1-4945-B3A6-C094D9548B6C} -f "udp port 5060" -w "G:\SIP Captures\SIP.cap" -b filesize:10000000
G:
pause
CLS
setLocal EnableDelayedExpansion
REM Pick up the name of the capture file dumpcap wrote
for /F %%a in ('dir /b *.cap') do (
set str=%%a
set Filename=%%a
)
c:
cd \
ECHO.
ECHO.
ECHO Type The Phone Number You're Looking for
ECHO.
ECHO.
ECHO ...............................................
ECHO.
ECHO Put the phone number in this format: 1555XXXXXXX
ECHO.
ECHO ...............................................
ECHO.
ECHO.
SET /P Phone=Phone Number is:
ECHO %Phone%
cd "c:\Program Files\Wireshark"
REM Open the SIP capture filtered to INVITEs that mention the phone number
wireshark.exe -r "G:\SIP Captures\%Filename%" -R "sip.msg_hdr contains %Phone% and sip.Request-Line contains INVITE"
pause
ECHO.
ECHO Enter the UDP Port from SIP - Message Body - Media Description
ECHO.
SET /P UDP=UDP Port is:
REM Start a live capture of the RTP stream on that port (-k starts capturing immediately)
START "Wireshark" "C:\Program Files\Wireshark\wireshark.exe" -i \Device\NPF_{E4E0896B-49C1-4947-B3A6-C094D9544B8A} -f "udp port %UDP%" -w "G:\SIP Captures\RTP.cap" -b filesize:10000000 -k
pause

answered 18 Jan '11, 06:09


pmatthews0104

Nice. Just a little comment: your executable paths are lacking one backslash between the Wireshark directory and the actual executable. I'm pretty sure that they were in your copy&paste, but the message formatter "stole" it because it's used as an escape char. Try editing your code and replace the backslash with double backslashes, I think that should work.

(18 Jan '11, 06:26) Jasper ♦♦
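Putting Jasper's suggestion and the batch file above together, here is an added example of the same workflow written as a reusable script. It is not the thread's own code: the Wireshark directory, the capture directory "G:\SIP Captures" and the interface description "Capture NIC" are assumptions to adjust. Three things differ from the posted script. The interface is looked up by its description with dumpcap -D instead of hardcoding a \Device\NPF_{GUID}, which changes from machine to machine (the two GUIDs in the posted script do not even match each other). The phone number and UDP port typed at the prompt are validated before they are spliced into a display filter and a command line, so a stray character cannot break the filter or the command. And -b filesize is given in kB, so filesize:100000 rolls to a new file at roughly the 100 MB asked for in the question, whereas filesize:10000000 rolls at about 10 GB; with no -b files:N there is no ring buffer, matching the requested options.

```batch
@echo off
setlocal EnableDelayedExpansion

:: Added example, not the thread's own script. Assumed locations and names:
set "WS_DIR=%ProgramFiles%\Wireshark"
set "CAP_DIR=G:\SIP Captures"
set "IFACE_NAME=Capture NIC"
:: dumpcap -b filesize is in kB: 100000 rolls to a new file at roughly 100 MB.
:: No -b files:N means no ring buffer.
set "ROLL=filesize:100000"

:: Put dumpcap/wireshark on PATH so the for /f commands below need no quoted path
set "PATH=%WS_DIR%;%PATH%"

:: Archive previous captures instead of leaving them in the working directory
if not exist "%CAP_DIR%\Archive" mkdir "%CAP_DIR%\Archive"
move /Y "%CAP_DIR%\*.cap" "%CAP_DIR%\Archive\" >nul 2>&1

:: Resolve the interface number from its description via dumpcap -D instead of
:: hardcoding a \Device\NPF_{GUID}, which differs from machine to machine
set "IFACE="
for /f "delims=" %%L in ('dumpcap -D 2^>nul ^| findstr /I /C:"%IFACE_NAME%"') do (
    for /f "tokens=1 delims=. " %%N in ("%%L") do set "IFACE=%%N"
)
if not defined IFACE (
    echo No interface matching "%IFACE_NAME%". Available interfaces:
    dumpcap -D
    exit /b 1
)

echo Capturing SIP signalling on interface %IFACE%. Press any key to start.
pause >nul
start "SIP capture" dumpcap -i %IFACE% -f "udp port 5060" -w "%CAP_DIR%\capture.cap" -b %ROLL%
echo Place the call, then press any key to search the capture for it.
pause >nul

:: Newest capture file (dumpcap appends a sequence number and timestamp when -b is used)
set "LATEST="
for /f "delims=" %%F in ('dir /b /a-d /o-d "%CAP_DIR%\*.cap" 2^>nul') do if not defined LATEST set "LATEST=%%F"
if not defined LATEST (
    echo No capture file found in "%CAP_DIR%".
    exit /b 1
)

:: Accept only 11 digits starting with 1 before the value goes into a display filter
:: and a command line; "set PHONE" is piped rather than echoing the raw input
:ask_phone
set "PHONE="
set /p "PHONE=Phone number (format 1555XXXXXXX): "
set PHONE 2>nul | findstr /R /X "PHONE=1[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" >nul || (
    echo Enter exactly 11 digits starting with 1.
    goto :ask_phone
)

:: -R is the read filter used in the thread (Wireshark 1.x); newer releases also take -Y
wireshark -r "%CAP_DIR%\%LATEST%" -R "sip.Request-Line contains \"INVITE\" and sip.msg_hdr contains \"%PHONE%\""

:: Same treatment for the RTP port: digits only, and within the valid port range
:ask_port
set "UDPPORT="
set /p "UDPPORT=RTP UDP port from the SDP media description (m= line): "
set UDPPORT 2>nul | findstr /R /X "UDPPORT=[1-9][0-9]*" >nul || goto :ask_port
if %UDPPORT% GTR 65535 goto :ask_port

:: Capture the RTP stream with dumpcap as well, rather than a live Wireshark GUI session
start "RTP capture" dumpcap -i %IFACE% -f "udp port %UDPPORT%" -w "%CAP_DIR%\rtp.cap" -b %ROLL%
endlocal
```

Run it from an elevated prompt only if your Npcap install restricts capture to administrators; otherwise a normal prompt works. Because the RTP capture is a dumpcap process rather than a Wireshark window, the capture server does nothing but write frames to disk, which is the overhead reduction Jasper describes.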


Strange, they were in the script when I copied them. Not sure why they didn't show up on the board. Does the board allow / characters? Anyway, thanks for the note.

answered 19 Jan '11, 07:45


pmatthews0104

Oops, meant to do a backslash. Trying now.... \

(19 Jan '11, 07:47) pmatthews0104