Hi, I'm using a single command with dumpcap to trace the network between two hosts. This command is used in a batch file on Windows and I would like the whole thing to be as small as possible. I'm currently using PortableWireshark, which is about 56MB. Is there a way to make this even smaller? I just need the package for the dumpcap command line and the install of WinPcap. Thank you asked 05 Apr '14, 07:01 Javo
2 Answers:
As far as I can tell (by running Process Explorer to see the DLLs used by dumpcap.exe while running) it needs the following DLLs from the Wireshark installation directory:
So I guess if you bundle them with dumpcap.exe and a WinPcap installer you should be good to go. I didn't test this myself, though, but I'm pretty sure you can take over from here. answered 05 Apr '14, 12:22 Jasper ♦♦
If you just need a 'low profile' capture tool, windump is what you should use. You will just need WinPcap and a single windump binary (0.5 Mbyte). Regards answered 05 Apr '14, 13:19 Kurt Knochner ♦
Not sure, but I don't think windump is able to write the pcap-ng file format, which would make it inferior to dumpcap. I would always recommend avoiding the pcap file format wherever possible. (05 Apr '14, 14:14) Jasper ♦♦
Neither tcpdump (except on later versions of OS X) nor WinDump can currently write pcap-ng files. However, if you're only capturing on one interface, the advantages of pcap-ng over pcap for capturing are somewhat limited, and, if you want to use capabilities such as annotating captures, you can read a pcap file into Wireshark, annotate packets, and then write the capture out as a pcap-ng file. So I wouldn't recommend avoiding pcap whenever possible; I'd only recommend avoiding it if you need one or more of pcap-ng's capabilities in the particular use case. If the feature isn't needed, or isn't available, when capturing (dumpcap doesn't, for example, write out per-packet comments), there's no need to avoid pcap format when capturing. (05 Apr '14, 14:30) Guy Harris ♦♦
Why use pcap if pcap-ng is available? Makes little sense to me going for the weaker option... :-) I'm not trying to start a war here (we have way too many of those already ;-)), but my rule of thumb is to always use the capture format that preserves the most information from the time of the capture, and pcap should not be that format unless using very outdated capture software. (06 Apr '14, 09:01) Jasper ♦♦
If the program that drops fewer packets supports only pcap? Currently, in at least one test on Linux, tcpdump dropped fewer packets than dumpcap, and I suspect the problem isn't Linux-specific. Yes, we should fix that, but, for now.... In addition, just because pcap-ng can save more information, that doesn't mean it does save more information when you use some particular version of some particular capture program. (06 Apr '14, 10:19) Guy Harris ♦♦
No, it does not. But the OP requested a method to minimize the size of the capture tool footprint. In that respect, it's hard to beat windump ;-) He/she did not mention support for pcap-ng.
Hm.. honestly, in the last couple of years I have had very few situations where pcap-ng was really needed or helpful. For the 'typical' network troubleshooting situation (I guess 98-99%), pcap-ng does not offer any additional value. Don't get me wrong, it's nice to have the additional information about the OS, interfaces, comments and everything else, but none of these is vital to analyzing the problem hidden in the capture file, nor do they speed things up. (06 Apr '14, 15:02) Kurt Knochner ♦
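As an added example (not part of this thread, and not Wireshark code): a small Python check that tells a pcap file from a pcap-ng file by its magic and, for pcap-ng, extracts the section and interface metadata (OS, capturing application, interface name, comments) that the comments above are debating, so you can see what a given file actually carries. The sample bytes are constructed inline; the parser assumes little-endian sections.

```python
import struct

PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",   # pcap, both byte orders,
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}   # microsecond and nanosecond
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"   # Section Header Block type, same in either byte order
LE_BOM = b"\x4d\x3c\x2b\x1a"       # byte-order magic 0x1A2B3C4D, little-endian (assumed here)
# Option codes that only pcap-ng has a place for; pcap's 24-byte header has none of them
SHB_OPTS = {1: "comment", 2: "hardware", 3: "os", 4: "userappl"}
IDB_OPTS = {1: "comment", 2: "if_name", 3: "if_description", 12: "if_os"}

def _options(buf, names):
    """Walk a little-endian option list until opt_endofopt; return {name: text}."""
    out, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        if code == 0:
            break
        if code in names:
            out[names[code]] = buf[off + 4:off + 4 + length].decode("utf-8", "replace")
        off += 4 + ((length + 3) & ~3)   # option values are padded to 32 bits
    return out

def capture_metadata(data):
    """Return the format plus whatever section and interface metadata the file carries."""
    if data[:4] in PCAP_MAGICS:
        return {"format": "pcap", "section": {}, "interfaces": []}
    if data[:4] != PCAPNG_SHB or data[8:12] != LE_BOM:
        raise ValueError("not a little-endian pcap-ng file (big-endian sections not handled)")
    meta, off = {"format": "pcap-ng", "section": {}, "interfaces": []}, 0
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from("<II", data, off)
        body = data[off + 8:off + blen - 4]          # strip type, length, trailing length
        if btype == 0x0A0D0D0A:                      # SHB: bom(4) ver(4) seclen(8) options
            meta["section"] = _options(body[16:], SHB_OPTS)
        elif btype == 1:                             # IDB: linktype(2) rsv(2) snaplen(4) options
            meta["interfaces"].append(_options(body[8:], IDB_OPTS))
        off += blen
    return meta

# Constructed sample files (not real captures), built with the same block layout
def _opt(code, text):
    v = text.encode()
    return struct.pack("<HH", code, len(v)) + v + b"\0" * (-len(v) % 4)
def _block(btype, body):
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
SAMPLE_PCAPNG = (
    _block(0x0A0D0D0A, LE_BOM + struct.pack("<HHq", 1, 0, -1) + _opt(3, "Windows (constructed)")
           + _opt(4, "dumpcap (constructed)") + b"\0\0\0\0")
    + _block(1, struct.pack("<HHI", 1, 0, 65535) + _opt(2, "\\Device\\NPF_{constructed}") + b"\0\0\0\0"))
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # header only: snaplen, linktype
```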
it works like a charm! thanks