OK, so here's my strange setup.
I have an XP machine that we need to monitor the traffic on. This machine runs a special program under a special User ID. When that ID is logged on, the whole machine is locked down and it loads up the program it runs. There is no way to get to the start bar or the desktop or anything.
I can log onto this machine as the admin and have normal access to everything. I'm wondering if there's some way I can start up a capture under the admin account, then log off and on as the user that we need to monitor, let it run for a while, then log off and back on as the admin to save the file.
When the special user is logged on, I can remote into the machine and run some command line commands through the remote control software so it might work to just do it that way if that's easier. If so, does someone have a link to all the command line commands I'd need to use to start the capture and then stop it and save off the file?
asked 05 Dec '11, 07:18
I'm not sure if Wireshark will continue to capture if the user that started the capture logs off, because then the programs will shut down (except you're actually talking about "switching" users, not "logging off").
It should work from a remote desktop session though, you can use dumpcap.exe to do the capture for you:
By the way, dumpcap.exe can be found in the same directory as the Wireshark executable.
answered 05 Dec '11, 07:27
edited 05 Dec '11, 07:28
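As an added illustration of the dumpcap route suggested in this answer (example script, not from the answer's author or the Wireshark project): a Windows batch file that starts an unattended dumpcap capture with a ring buffer and a clean autostop, so it can be launched from the remote session or before switching users and saved without anyone pressing Ctrl+C. The install path, output folder, interface number and the remote-control port to exclude are assumptions; check the interface number against the `dumpcap -D` listing on the actual machine. dumpcap needs WinPcap installed, which the Wireshark installer normally does.

```batch
@echo off
REM Added example, not the answer's own commands. Runs dumpcap.exe from the
REM Wireshark directory as an unattended capture.
REM Assumptions (adjust to the machine):
REM   WS    - Wireshark install directory (dumpcap.exe lives there)
REM   OUT   - folder for the capture files
REM   IFACE - interface number as printed by "dumpcap -D"
REM   RCPORT- TCP port of the remote-control software, excluded from the trace

setlocal
set "WS=C:\Program Files\Wireshark"
set "OUT=C:\captures"
set "IFACE=1"
set "RCPORT=3389"

if not exist "%OUT%" mkdir "%OUT%"

REM 1. List interfaces once so the right number can be put in IFACE.
"%WS%\dumpcap.exe" -D

REM 2. Start the capture in its own console window so this one can be closed.
REM    -i  interface number from the -D listing
REM    -w  base file name; with -b the name gets a sequence number and timestamp
REM        (extension does not pick the format; Wireshark reads pcap and pcapng)
REM    -b filesize:51200  roll over to a new file every 50 MB
REM    -b files:20        keep at most 20 files (ring buffer, about 1 GB on disk)
REM    -a duration:3600   stop cleanly after one hour, no Ctrl+C required
REM    -f                 capture filter: drop the remote-control session's own
REM                       traffic so the trace is not polluted by the monitoring
start "dumpcap" "%WS%\dumpcap.exe" -i %IFACE% -w "%OUT%\session.pcap" ^
    -b filesize:51200 -b files:20 -a duration:3600 -f "not tcp port %RCPORT%"

REM 3. To stop before the autostop fires, end the process; files already
REM    written stay readable in Wireshark:
REM        taskkill /IM dumpcap.exe
endlocal
```

The autostop (`-a duration:`) is what makes this usable across a user switch: the capture finishes and closes its files on its own, so the admin only has to log back on and copy `C:\captures`. The ring buffer bounds disk use on the XP box while the special user's session runs for a while.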
If you have Fast User Switching enabled on the machine, you can do roughly as you described:
I would recommend you use a separate machine to actually perform the capture (unless this is not possible/prohibitive in your environment). You can read the Capture Setup wiki article for some more information as to why.
answered 05 Dec '11, 07:28