TL;DR: Is there a way to start a capture automatically upon opening Wireshark? I work with multiple Windows 7 PCs where the people using them are constantly switching in and out. It is our protocol to have a user restart the machine when they begin their session. I've hosted a Wireshark shortcut in the startup folder so Wireshark opens when the computer is booted, but it still requires the user to manually start the capture. Most of our users know to do this by habit, but I'd like to remove this step by automatically starting a capture when Wireshark opens. Is there some way to do this? Our PCs only have one interface option, so there is not the concern they would capture the wrong interface. Thanks! asked 06 May '14, 13:30 dude213
2 Answers:
Sure, just run Wireshark from a command prompt like this:
You can determine the interface ID by running "Wireshark -D" first. answered 06 May '14, 13:44 Jasper ♦♦
We always use the ring buffer because we need to capture specific time durations of traffic and need the ability to go back in history to review traffic when an issue is reported. The dumpcap worked very well for our requirement. For reference, here's the dumpcap command line I used in a batch file: 200 10 MB files, about 2 GB of HD space. The script before the dumpcap will minimize the DOS/cmd window at startup. *I had to run wireshark -D first to get the NIC ID for the -i argument.
answered 25 Jun '14, 12:01 ZETRON-CF edited 25 Jun '14, 14:04 Kurt Knochner ♦
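As an added example (not ZETRON-CF's actual script, which is not reproduced above): a batch file that relaunches itself minimized and then runs dumpcap with the 200 × 10 MB ring buffer the answer describes. The dumpcap install path, interface number 1 and the C:\captures folder are assumptions; the real interface number comes from dumpcap -D.

```batch
@echo off
REM Added example, not the script from the answer above.
REM Assumptions: dumpcap is in the default Wireshark install path,
REM the capture interface is number 1 (check with "dumpcap -D"),
REM and capture files go to C:\captures.

REM --- Relaunch this script minimized so the user never sees the window ---
if "%~1"=="minimized" goto :capture
start "dumpcap ring buffer" /min cmd /c ""%~f0" minimized"
exit /b

:capture
set "DUMPCAP=C:\Program Files\Wireshark\dumpcap.exe"
set "IFACE=1"
set "OUTDIR=C:\captures"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"

REM Ring buffer: rotate to a new file every 10240 kB (about 10 MB) and
REM keep at most 200 files, so disk use stays around 2 GB no matter how
REM long the capture runs. -q suppresses the per-packet count output.
"%DUMPCAP%" -i %IFACE% -q -b filesize:10240 -b files:200 -w "%OUTDIR%\ring.pcapng"
```

Place the batch file (or a shortcut to it) in the Startup folder instead of the Wireshark shortcut; the rotated files can be opened in Wireshark after the fact when an issue is reported.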
How do you turn off the Display Options from the command line? I'm not using -S or -l and live capture/scrolling is displayed in WS.
I want to turn off the Display Options because it tends to utilize more PC resources and in some cases, WS will crash when running for a few days. Turning off the live display resolves the issue.
Also, is there a command line argument to minimize WS when you start it from the command line.
If you turn off the live display, does that prevent Wireshark from crashing at all, or does it just mean that it crashes when you stop the capture and Wireshark tries to read the several days worth of traffic that it's been capturing?
When I have all 3 Display Options unchecked, I can run Wireshark for weeks/months without it crashing. When I stop WS, it stops normally. With Display Options enabled, I'm lucky to get a few days out of WS before it crashes. We cycled through a 10 MB pcap file about every minute. So we run a ring buffer of 10 MB files at 200 files. Lots of hard drive space.
As I researched how to turn off the Display Options, I found that dumpcap may be the solution I'm looking for. Dumpcap runs in the DOS/command window and you can add commands in a batch file to run minimized so the user never sees it on the screen.
**Both Wireshark and dumpcap have command line arguments for setting up a ring buffer/files.
With a ring buffer, or capturing to a single file? If it's capturing to a single file, you'll probably crash with an out-of-memory indication if you stop the capture and Wireshark then tries to read in a capture file with weeks or months of traffic.
Yes, Wireshark, the program, is all about the GUI, so, if you just want something that captures traffic in the background and doesn't show anything to the user, it's the wrong choice; dumpcap is a more appropriate choice there.