This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Batch file to auto-start capturing & save logs periodically on login

0

I’m hoping for assistance in configuring Wireshark (portable) to automatically open and start capturing when a user logs in, and to save the log files at 30 minute intervals. We are trying to run Wireshark on 20 different PCs to track the source of random network drops. But trying to start it daily and having the user not reboot before we save the captured files is cumbersome. I have found a few articles that discuss batch files, but never on how to create one for my exact needs.

Again, my goal is to:

  • Start Wireshark when a user logs in to a Windows 7 PC
  • Have the capture process start automatically
  • Have the log files saved to a specific directory at 30 minute intervals

Our PCs are running Windows 7 & using Wireshark v1.12.1 (v1.12.1-0-g01b65bf from master-1.12)

Any help (examples) would be greatly appreciated.

Thank you….

asked 14 Dec '14, 10:25

BobSwanson


One Answer:

1
  1. Use dumpcap to make the captures, not Wireshark as that will run out of memory. See the dumpcap man page for the options. dumpcap is installed in the same directory as Wireshark.
  2. To find out the interface number to use with the -i parameter, use dumpcap -D to list the interfaces. Hopefully the interface number is the same on all machines.
  3. dumpcap takes a number of options to create multiple capture files; for 30 minute files use the parameter -b duration:1800.
  4. Use the -w path\to directory\basefile.pcapng parameter to specify the base filename; new files will be generated as basename_nnnnn_date_and_time.pcapng, where nnnnn is an incrementing number starting from 00001, and date_and_time is the date and time the file was created in YYYYMMDDHHMMSS format.
  5. Create a batch file (i.e. makecap.bat) that contains the dumpcap command line, e.g. path\to\dumpcap -i 1 -w path\to\basefile.pcapng -b duration:1800 and place it in the startup directory for each user, e.g. %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.

answered 14 Dec '14, 14:06

grahamb ♦

grahamb - Thank you for this detailed example! We will work on this over the course of the next week or so and update this thread as to how it worked.

(15 Dec '14, 06:31) BobSwanson
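
The batch file from step 5 of the answer, written out as an added example (not part of the original answer and not the Wireshark project's own script). The dumpcap install path, the capture directory, interface number 1, the 128-byte snaplen and the 96-file ring buffer are assumptions to adjust per site.

```bat
@echo off
rem makecap.bat - added example: start a rotating dumpcap capture at logon.
rem All values in this block are assumptions; change them to match the PC.
setlocal

rem Assumed location of dumpcap.exe (same directory as Wireshark).
set "DUMPCAP=C:\Program Files\Wireshark\dumpcap.exe"
rem Assumed capture directory, one folder per machine.
set "CAPDIR=C:\Captures\%COMPUTERNAME%"
rem Interface number as reported by "dumpcap -D" on this machine.
set "IFACE=1"

rem Stop with a clear message if dumpcap is not where we expect it.
if not exist "%DUMPCAP%" (
    echo dumpcap not found at "%DUMPCAP%" 1>&2
    exit /b 1
)

rem Create the capture directory on first run.
if not exist "%CAPDIR%\" (
    mkdir "%CAPDIR%" || (
        echo cannot create "%CAPDIR%" 1>&2
        exit /b 1
    )
)

rem -b duration:1800  start a new file every 30 minutes
rem -b files:96       ring buffer: keep the newest 96 files (about 48 hours)
rem                   so the disk cannot fill up
rem -s 128            keep only the first 128 bytes of each packet; enough for
rem                   headers when chasing drops, and less user data on disk
rem -q                do not print running packet counts
"%DUMPCAP%" -i %IFACE% -q -s 128 -b duration:1800 -b files:96 ^
    -w "%CAPDIR%\%COMPUTERNAME%.pcapng"

endlocal
```

Run dumpcap -D once on each PC to confirm the interface number before relying on the file. The captures contain user traffic, so the capture directory should be readable only by the people doing the troubleshooting.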