Hi Team, we have installed Wireshark on one of our Windows servers. We need to capture the logs for a particular Windows service installed on the server, say "MyService". We need to capture all activity logs related to this Windows service. Can we capture as explained above?

asked 09 Feb '16, 02:05

SHAMBHU

Not directly. Wireshark captures traffic on one or more network interfaces, and can use capture filters to limit the traffic captured, but there is no traffic filter for a service or process ID.

If the service is (or can be configured to be) the only user of a particular port or protocol or network address or network interface, then capture filters can be used to isolate the traffic for the service.

Microsoft Message Analyzer or Sysinternals Process Monitor may allow you to capture the data you seek in a different format; some MA captures can be exported to Wireshark.

answered 09 Feb '16, 02:38

grahamb ♦
Hi Grahamb,

Thanks for your quick reply. But I observed that when a Windows service runs, its entry goes to Task Manager under the Services tab with a PID (Process ID), and as we have a Wireshark filter such as tcp.port==1234, in this way can we not have the log for a specific service only?

(09 Feb '16, 02:52) SHAMBHU

The PID and tcp.port (or udp.port, or any other protocol port) are two distinct things and there is no static mapping between the two. If you know at which port of which protocol the service listens, you can capture only packets to/from that port, but you cannot determine the port number from the PID. Maybe some Windows utility does show you which process is bound to which socket.

(09 Feb '16, 03:03) sindy
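One way to do the PID-to-socket lookup sindy mentions and turn it into a Wireshark capture filter, as an added PowerShell example that is not part of this thread. It assumes Windows Server 2012 or later (for the NetTCPIP cmdlets), the service short name "MyService" from the question, and the default Wireshark install path for dumpcap.exe.

```powershell
# Added example (not from the original thread): resolve a Windows service to
# the ports its process currently owns and build a matching capture filter.
param(
    [string]$ServiceName = 'MyService',                                  # from the question
    [string]$Dumpcap     = 'C:\Program Files\Wireshark\dumpcap.exe'     # assumed install path
)

# Win32_Service exposes the hosting process ID (0 means the service is stopped).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc -or $svc.ProcessId -eq 0) {
    throw "Service '$ServiceName' not found or not running"
}
$procId = $svc.ProcessId

# Collect the local TCP and UDP ports owned by that PID.
$tcp = Get-NetTCPConnection -OwningProcess $procId -ErrorAction SilentlyContinue |
       Select-Object -ExpandProperty LocalPort | Sort-Object -Unique
$udp = Get-NetUDPEndpoint   -OwningProcess $procId -ErrorAction SilentlyContinue |
       Select-Object -ExpandProperty LocalPort | Sort-Object -Unique

# Build a pcap (BPF) capture filter, e.g. "tcp port 1234 or udp port 5678".
# "port" matches either direction, so both sent and received packets are kept.
$terms  = @()
$terms += ($tcp | ForEach-Object { "tcp port $_" })
$terms += ($udp | ForEach-Object { "udp port $_" })
if ($terms.Count -eq 0) {
    throw "PID $procId owns no sockets; nothing to filter on"
}
$filter = $terms -join ' or '
Write-Host "Service $ServiceName (PID $procId) -> capture filter: $filter"

# Caveat: services hosted in a shared svchost.exe share one PID, so the filter
# then covers every service in that process, and ports can change over time.
# Re-run before each capture. Interface 1 is an assumption; list with dumpcap -D.
& $Dumpcap -i 1 -f $filter -w "$env:TEMP\$ServiceName.pcapng"
```

The filter is only as selective as the service's sockets are: as grahamb notes, isolation works when the service is the only user of those ports.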

Hi sindy,

Thanks for correcting me. That means there is no way we can retrieve the log related to a particular Windows service using Wireshark. If not, can you please tell me any other tool which can extract the log related to a specific Windows task on a given server where Wireshark is installed.

Thanks for your support.

(09 Feb '16, 03:18) SHAMBHU

As I said, Wireshark has no facilities for restricting captures to a particular PID; the other tools I mentioned do.

(09 Feb '16, 03:19) grahamb ♦

@SHAMBHU, I am still a little bit confused by your use of the word "log". Do you want to

  • capture packets sent and received over the network by that service? If so, use one of the tools suggested by @grahamb to capture the traffic, and you may then analyse the captures using Wireshark.

  • get the application logs (the text information generated by the service, commenting about its operation and eventual trouble encountered)? If so, Wireshark is not the tool for the task and you have to use Windows' tools to show only the log messages coming from that service instead of showing messages from all.

(09 Feb '16, 03:25) sindy

Hi sindy/Grahamb,

I think I'm getting your point, and @sindy: by "log" I meant "packets sent and received over the network by a particular service; here in this case my Windows service name is, say, MYService", as you mention in your first statement. I think then I definitely have to go for a Windows utility, as per your suggestion.

Can you tell me a freely available utility to get my result? Or any other idea by which I can capture the trace related to a specific Windows service on a particular server.

(09 Feb '16, 03:34) SHAMBHU

@SHAMBHU, your "answer" has been converted to a comment, as that's how this site works. Please read the FAQ for more information.

I gave a couple of links in my answer.

(09 Feb '16, 03:36) grahamb ♦

Hi Grahamb,

Yes, thanks for your support. I will proceed as per your suggestion.

Thanks

(09 Feb '16, 04:07) SHAMBHU
last updated: 09 Feb '16, 05:58