
OK, so here's my strange setup.

I have an XP machine that we need to monitor the traffic on. This machine runs a special program under a special User ID. When that ID is logged on, the whole machine is locked down and it loads up the program it runs. There is no way to get to the start bar or the desktop or anything.

I can log onto this machine as the admin and have normal access to everything. I'm wondering if there's some way I can start up a capture under the admin account, then log off and on as the user that we need to monitor, let it run for a while, then log off and back on as the admin to save the file.

When the special user is logged on, I can remote into the machine and run some command line commands through the remote control software so it might work to just do it that way if that's easier. If so, does someone have a link to all the command line commands I'd need to use to start the capture and then stop it and save off the file?

Thanks.

asked 05 Dec '11, 07:18


kelemvor


I'm not sure if Wireshark will continue to capture if the user that started the capture logs off, because then the programs will shut down (except you're actually talking about "switching" users, not "logging off").

It should work from a remote desktop session, though; you can use dumpcap.exe to do the capture for you:

  1. run dumpcap -D to get a list of all interfaces, write down the index of the interface
  2. run dumpcap -i <interface index> -w filename.pcap to capture on the interface you want and write it to a file called filename.pcap. You can optionally go for ring buffer captures, but I don't think it's necessary. You might have to filter out your remote session afterwards, but that should be easy.

By the way, dumpcap.exe can be found in the same directory as the Wireshark executable.


answered 05 Dec '11, 07:27


Jasper ♦♦

edited 05 Dec '11, 07:28
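The two dumpcap steps in the answer above, written out as one batch file that can be launched from the remote command prompt and left running across the user switch. This is an added example, not code from Jasper's answer or from the Wireshark project. It assumes (none of this is stated in the thread) that Wireshark is installed under %ProgramFiles%\Wireshark, that captures go to C:\captures, and that the remote-control session rides on TCP port 3389; change those to match the machine.

```batch
@echo off
rem Added example, not from the original answer: unattended dumpcap capture on
rem Windows XP, started from a remote command prompt. Assumed (not in the post):
rem Wireshark lives in %ProgramFiles%\Wireshark, output goes to C:\captures,
rem and the remote-control software uses TCP port 3389. Adjust all three.
setlocal

set DUMPCAP="%ProgramFiles%\Wireshark\dumpcap.exe"
set OUTDIR=C:\captures
set REMOTE_PORT=3389

rem Step 1: with no argument, list the interfaces. The number before the
rem colon in dumpcap's output is the index to pass back in as %1.
if "%~1"=="" (
  echo Available interfaces; rerun with the index number as the argument:
  %DUMPCAP% -D
  exit /b 1
)

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem Step 2: capture in the background so the prompt comes back and the
rem session can be dropped.
rem   -f   capture filter that keeps the remote session's own traffic out
rem        of the trace, so nothing has to be filtered out afterwards
rem   -b   ring buffer: at most 10 files of 50 MB (filesize is in KB), so a
rem        long run cannot fill the disk
rem   -a   auto-stop after 4 hours (14400 s), so the capture ends cleanly on
rem        its own and nobody has to kill it from a later login
rem   -q   quiet: no packet counter on a console nobody is watching
start "dumpcap" /B %DUMPCAP% -i %~1 -f "not tcp port %REMOTE_PORT%" ^
  -b filesize:51200 -b files:10 -a duration:14400 -q ^
  -w "%OUTDIR%\trace.pcap"

rem Step 3 (later, from any login): check it is still running with
rem   tasklist /FI "IMAGENAME eq dumpcap.exe"
rem If it must be stopped before the duration expires, use
rem   taskkill /F /IM dumpcap.exe
rem pcap files have no trailer, so the file being written stays readable up
rem to the last complete packet record.
```

Running the script with no argument prints the interface list and exits; running it with the index starts the capture and returns immediately. Because the stop is driven by -a rather than by the operator, it does not matter whether the admin session is switched away from or closed after launch.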

If you have Fast User Switching enabled on the machine, you can do roughly as you described:

  1. start Wireshark as the administrator
  2. switch users (not log off)
  3. log in as the locked down user
  4. do what you need to do
  5. log off
  6. log in as administrator again
  7. stop the capture

I would recommend you use a separate machine to actually perform the capture (unless this is not possible/prohibitive in your environment). You can read the Capture Setup wiki article for some more information as to why.


answered 05 Dec '11, 07:28


multipleinte...

question asked: 05 Dec '11, 07:18

question was seen: 5,181 times

last updated: 05 Dec '11, 07:28