
Wednesday, August 8, 2012

dumpcap Reference / Helper Bat File for Long Term Packet Captures

When you're trying to debug a network device over a long period of time, Wireshark just won't cut it. It wasn't designed for this purpose and will consume too much memory on your system. Not to worry, Wireshark comes with a command line utility that solves this deficiency. The utility is called dumpcap, and with a simple command you can set it up to write packets to a series of files and roll over to the first file again once it reaches the last one (a circular buffer).

Here's an example dumpcap line that runs a capture creating one file per day for 14 days and recording only traffic involving the host with IP 10.32.1.234. It records on network interface 1 by default.

"c:\Program Files\Wireshark\dumpcap.exe" -b duration:86400 -b files:14 -f "host 10.32.1.234" -P -w capture.pcap

Here is a little batch file script I wrote to make this easier and repeatable. It has some handy features: if you run it without any arguments it will prompt you for the IP to filter on; otherwise, you can pass the IP as a command line argument or set a default at the top of the file.

dump_packets.bat

::
:: Use to log packets over a long period of time from a particular device.
:: Creates a new file every 1 day for a total of 14 days. -f is capture filter, -w is the filename.
::
:: USAGE: Passing an argument will allow you to set the host IP.  Otherwise, you will be prompted.
::        Set DEFAULT_HOST to not have to specify any arguments / answer prompts.
::

@set DEFAULT_HOST=
@IF "%1" == "" GOTO SkipArgSet
@   set HOST=%1
   @echo Host is now %HOST% (Set from command line argument)
   @GOTO SkipPrompt
:SkipArgSet
@IF "%DEFAULT_HOST%" == "" GOTO SkipDefaultSet
   @SET HOST=%DEFAULT_HOST%
   @echo Host is now %HOST% (Set from DEFAULT at top of file)
   @GOTO SkipPrompt
:SkipDefaultSet
   @SET /p HOST=Enter the IP Address of the host you want to capture from:  
:SkipPrompt

@TITLE DUMPCAP Capture of %HOST% In Progress

:: List the available interfaces (dumpcap -D) so the user can pick one by number.
@echo.
@echo ============[ INTERFACES ]===============
@"c:\Program Files\Wireshark\dumpcap" -D
@echo.
@SET /p INTERFACE_NUMBER=Type Interface Number:

:: Ring buffer: start a new file every 86400 s (1 day), keep at most 14 files; -P writes classic pcap format.
@echo.
"c:\Program Files\Wireshark\dumpcap" -b duration:86400 -b files:14 -f "host %HOST%" -i %INTERFACE_NUMBER% -P -w capture.pcap
@TITLE DUMPCAP stopped
@pause

Sample Output


D:\packet_captures>dump_packets.bat
Enter the IP Address of the host you want to capture from:  10.32.1.234

============[ INTERFACES ]===============
1. \Device\NPF_{1F70299B-0F5A-4F7D-BEC2-C7A36B7AC5A4} (Broadcom L2 NDIS client driver)
2. \Device\NPF_{2FC895CF-6EB7-4A1A-A5F6-23601DAAC8F1} (Broadcom L2 NDIS client driver)
3. \Device\NPF_{6F12DF50-73AB-4859-9B5C-469B7EACD28C} (Broadcom L2 NDIS client driver)
4. \Device\NPF_{CEFE7F77-A53E-4FCC-9B3D-975DBAB66012} (Network Teaming Intermediate Driver (NTID))
5. \Device\NPF_{900DE9A5-1BED-4A3A-96EC-F0D391CEA622} (Broadcom L2 NDIS client driver)


Type Interface Number:1


D:\packet_captures>"c:\Program Files\Wireshark\dumpcap" -b duration:14400 -b files:14 -f "host 10.32.1.234" -i 1 -P -w capture.pcap
Capturing on \Device\NPF_{1F70299B-0F5A-4F7D-BEC2-C7A36B7AC5A4}
File: capture_00001_20120808205029.pcap
Packets: 346
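To check that a long-running ring buffer actually kept what was configured, here is an added Python script (not from the original post) that parses the file names dumpcap produces, as seen in the sample output above, and confirms each file carries the classic pcap header that -P selects. The magic values are the standard pcap/pcapng ones; the 5% timing slack and the sample file set in demo() are my assumptions.

```python
import re
from datetime import datetime
# dumpcap names ring-buffer files <base>_<5-digit seq>_<YYYYMMDDhhmmss>.<ext>,
# e.g. capture_00001_20120808205029.pcap in the sample output above.
RING_NAME = re.compile(r"^(?P<base>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>pcap|pcapng)$")
# Leading bytes of classic pcap (-P output), either byte order, us/ns variants; and of a pcapng SHB.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4", b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"

def parse_ring_name(name):
    """Return (seq, start_time) for a dumpcap ring-buffer file name, else None."""
    m = RING_NAME.match(name)
    if not m:
        return None
    return int(m["seq"]), datetime.strptime(m["ts"], "%Y%m%d%H%M%S")

def capture_format(head):
    """Classify a capture file by its first four bytes."""
    return "pcap" if head[:4] in PCAP_MAGICS else "pcapng" if head[:4] == PCAPNG_SHB else "unknown"

def check_ring(files, duration_s, max_files):
    """files: list of (name, leading bytes). Returns findings; an empty list means healthy."""
    findings, parsed = [], []
    for name, head in files:
        info = parse_ring_name(name)
        if info is None:
            findings.append(f"{name}: not a dumpcap ring-buffer name")
            continue
        fmt = capture_format(head)
        if fmt != "pcap":
            findings.append(f"{name}: format {fmt}, expected pcap (-P)")
        parsed.append((info[0], info[1], name))
    parsed.sort()
    if len(parsed) > max_files:
        findings.append(f"{len(parsed)} files kept, ring configured for {max_files}")
    for (s1, t1, n1), (s2, t2, n2) in zip(parsed, parsed[1:]):
        if s2 != s1 + 1:  # seq keeps counting across rollovers, so retained files are contiguous
            findings.append(f"sequence gap between {n1} and {n2}")
        gap = (t2 - t1).total_seconds()
        if gap > duration_s * 1.05:  # 5% slack for file-switch latency (assumed)
            findings.append(f"{n2} starts {gap:.0f}s after {n1}, exceeds duration {duration_s}s")
    return findings

def demo():
    """Constructed sample: three daily files, one written as pcapng and one file missing."""
    pcap, ng = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00", b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00"
    files = [("capture_00001_20120808205029.pcap", pcap), ("capture_00002_20120809205029.pcap", ng),
             ("capture_00004_20120811205029.pcap", pcap)]
    return check_ring(files, duration_s=86400, max_files=14)
```

Point it at the real directory by reading the first 4 bytes of each file and passing (name, bytes) pairs to check_ring with the duration and file count you configured.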

Complete Command Reference: http://www.wireshark.org/docs/man-pages/dumpcap.html