This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not capturing all data?

0

I am trying to isolate a network issue by using Wireshark. I am capturing packets from a PC using the dumpcap commands. I want to find out when a RDP session starts and stops. Using the dumpcap at a cmd prompt, I see Wireshark filling up the directory with .pcap files. After stopping the capture and using the filter tcp.port eq 3389, I can see the start of the RDP session. Let's say the SYN is in file 1.pcap. Throughout file 1.pcap, I see ACKs, COTPs and TPKTs. However, when I review file 2.pcap, file 3.pcap, etc., and use the same filter, no data displays. But when I check file 20.pcap and apply the same filter, data appears!

asked 27 Aug '15, 14:16


tjcreek55
6112
accept rate: 0%

How large are your trace file (GB) and how long (time) are they?

(27 Aug '15, 16:17) Christian_R

The trace files are 10Mb.

(27 Aug '15, 18:08) tjcreek55

Also, there were at least two trace files in a minute.

(27 Aug '15, 19:04) tjcreek55

Maybe there is just no data, because no packet has been sent. Could that be?

(27 Aug '15, 21:33) Christian_R

As Christian said, maybe there was no data.

When you're working with multiple files (filesets) I recommend Jasper's great TraceWrangler tool (https://www.tracewrangler.com/). With it you can extract packets for a specific conversation spanning multiple files.

(27 Aug '15, 23:54) Uli

One Answer:

0

Christian and Uli, thanks for the comments. And yes, it is a possibility there was no data. But I don't know.

To further isolate this issue, I added two capture filters. These filters only captured frames from the host I am troubleshooting and that were RDP. Example: dumpcap -i 1 -f "host 1.1.1.1 and port 3389" -b files:10000 -b filesize:30000 -w c:\tjcreek55.pcap

The capture filters eliminated the multiple .pcap files in the same minute. Additionally, I did not have a lot of files filling up the hard drive. The files I had only contained the frames I really wanted to see. I could clearly see, follow, and track what was going on with the TCP session. Please note, you must use quotes around the capture filter.

answered 31 Aug '15, 08:29


tjcreek55
6112
accept rate: 0%
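As an added example (not part of the original thread or of Wireshark), the following Python script walks a set of ring-buffer files and reports, per file, how many TCP packets involve port 3389 and whether any of them open (SYN) or close (FIN/RST) a session, which is what the question was trying to read off the display filter across files. The pcap bytes are constructed inline so it runs offline; the addresses, ports and file contents are made up, apart from 1.1.1.1 taken from the answer.

```python
import struct

RDP_PORT = 3389

def build_pcap(packets):
    """Serialise (timestamp, frame) pairs into a classic little-endian pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def scan_pcap(data, port=RDP_PORT):
    """Count TCP packets to/from `port`: returns (matches, client SYNs, FIN-or-RST packets)."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "classic pcap only"
    off, matches, syns, closes = 24, 0, 0, 0
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 over Ethernet carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        if port not in struct.unpack("!HH", tcp[:4]):
            continue
        flags = tcp[13]
        matches += 1
        syns += (flags & 0x12) == 0x02                # SYN without ACK: a new session attempt
        closes += bool(flags & 0x05)                  # FIN (0x01) or RST (0x04)
    return matches, syns, closes

CLIENT, SERVER = "1.1.1.1", "10.0.0.5"   # constructed: 1.1.1.1 is the host from the answer
SAMPLE_FILES = {                          # constructed: three consecutive ring-buffer files
    "1.pcap": build_pcap([(100, tcp_frame(CLIENT, SERVER, 50000, RDP_PORT, 0x02)),        # SYN
                          (100, tcp_frame(SERVER, CLIENT, RDP_PORT, 50000, 0x12)),        # SYN/ACK
                          (101, tcp_frame(CLIENT, SERVER, 50000, RDP_PORT, 0x18, b"\x03\x00"))]),  # TPKT
    "2.pcap": build_pcap([(160, tcp_frame(CLIENT, "192.0.2.53", 40000, 53, 0x02))]),      # no RDP here
    "3.pcap": build_pcap([(220, tcp_frame(CLIENT, SERVER, 50000, RDP_PORT, 0x11))]),      # FIN/ACK
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        n, s, c = scan_pcap(data)
        print(f"{name}: {n} RDP packets, {s} new sessions, {c} FIN/RST")
```

A file scoring (0, 0, 0) held no RDP traffic in its time window, which is the no-data case Christian raised, rather than a gap in the capture; on real ring-buffer output you would read each file from disk in place of the constructed dictionary.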