Is there any way I can capture all packets from my ethernet network adapter from the point where my desktop is first displayed? The reason being my PC hangs upon Windows startup, for a good minute or more... I have noticed using procmon.exe that although it seems nothing is happening, procmon.exe reports svchost.exe is looking at almost every file on my computer. Then after a while, this 'hang' status disappears and my startup items, as listed in msconfig, then start up. Therefore, putting Wireshark into my startup programs will not serve the purpose because I want to see what traffic is taking place during this apparent 'hang' at startup. I have run a full virus scan with Kaspersky Pure and no threats appear. Any suggestions most welcome and thank you in advance.
asked 19 Sep '10, 15:49 Stezzer4298, edited 26 Sep '10, 01:53 SYN-bit
2 Answers:
Wireshark, just like any other packet capturing software, can only be started after the PC has been started up. You need to use a second PC to capture the packets of the PC whose network traffic of the boot process you want to capture. You can either use a (real) hub to duplicate the packets, a switch with mirror capabilities, a network tap, or create a machine-in-the-middle machine. These options are explained on the Wireshark wiki:
answered 20 Sep '10, 00:23 SYN-bit
If someone has rights to install a service, I'd suggest using the AutoExNT utility as supplied from the resource kits, and running dumpcap from the associated BAT file. This link provides instructions for an out-of-date OS, but they work on XP & Windows 7.
answered 20 Jul '12, 13:27 kcullimo
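As an added example (not code from the answer above, nor from the AutoExNT documentation), this is a minimal autoexnt.bat that does what the answer describes: it runs dumpcap as a service at boot, before any logon, with a time limit and a ring buffer so the capture stops and bounds its own disk use. The dumpcap path, output directory and interface number are assumptions; run `dumpcap -D` on the machine first to find the right interface number.

```batch
@echo off
REM Added example, not the answer's own script. Body of autoexnt.bat as run by
REM the AutoExNT service at boot. Paths, interface number and limits are
REM assumptions; adjust them for the machine being examined.

set "DUMPCAP=C:\Program Files\Wireshark\dumpcap.exe"
set "OUTDIR=C:\captures"

if not exist "%DUMPCAP%" exit /b 1
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM Capture files may contain credentials and other sensitive traffic, so
REM restrict the directory to SYSTEM and Administrators before writing into it.
icacls "%OUTDIR%" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" >nul

REM Record which interfaces dumpcap sees at boot, so the -i choice below can be
REM checked afterwards (interface numbering can differ from an interactive session).
"%DUMPCAP%" -D > "%OUTDIR%\interfaces.txt" 2>&1

REM -i 1                         capture on interface 1 (pick it from interfaces.txt)
REM -a duration:900              stop on its own after 15 minutes
REM -b filesize:51200 -b files:8 ring buffer of 8 x 50 MB files, so the disk cannot fill
REM -q                           no packet counter; there is no console for a service
REM -w                           pcapng output, one file per ring-buffer slot
REM dumpcap runs in the foreground, so this script blocks until the capture ends.
"%DUMPCAP%" -i 1 -a duration:900 -b filesize:51200 -b files:8 -q -w "%OUTDIR%\boot.pcapng"
```

Open the resulting boot_*.pcapng files in Wireshark after logon; the time span before the msconfig startup items appear is the window the question asks about.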
Thank you SYN-bit for your explanation with reference link, I really appreciate your help and will give this a try.