Using Dumpcap for Long-term Capture
There are often times when we want to capture network packets for long periods, but this isn't practical with Wireshark itself. Fortunately, the Wireshark suite includes a tool that can do it, and that tool is dumpcap.
I'm sure you've had the situation where you've been asked to investigate a problem that only happens once a week. You'd love to get a packet capture when the problem occurs, but how? Wireshark has a ring buffer capability that could be used, but there are problems:
If the trace gets stopped due to a scheduled network change, who will restart it? Will the person on shift know how to restart Wireshark, and can they be trusted to start it with the correct settings?
As Wireshark runs it dissects every packet it captures, and its data structures grow with the number of packets. This causes performance issues, and eventually Wireshark may simply run out of virtual memory and crash.
Luckily there is a simple answer.
Capturing with Dumpcap
When you start a Wireshark capture, Wireshark actually starts a separate capture program called dumpcap. The great thing is that we can run dumpcap directly from the command line.
Dumpcap doesn't dissect the packets as it captures them; it just writes them to disk, so its memory use stays flat no matter how long it runs. That means we can run it for days, weeks or months.
In this video we look at dumpcap in detail; how it works, how to use it and when to use it.
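To make the command-line approach concrete, here is an added example of a wrapper script (written for this page, not taken from the article or from the Wireshark project) that runs dumpcap as a ring-buffer capture inside a fixed disk budget and restarts it if it ever exits, which addresses the "who will restart it?" worry above. It uses only documented dumpcap options (-i, -q, -b filesize/files, -w, -f). The interface name, output directory, file sizes and the longcap file names are placeholders, and the minimum of two ring files is my own choice. It assumes dumpcap is on PATH, the output directory exists and the account is allowed to capture on the interface.

```shell
#!/bin/sh
# Added example (not from the original article): long-running dumpcap ring
# buffer with a disk budget and an automatic restart loop. Assumptions: dumpcap
# is on PATH, the output directory exists, and this account may capture on the
# interface. Interface, paths and sizes below are placeholders.

# ring_files BUDGET_MB FILE_MB
# Number of FILE_MB files that fit in BUDGET_MB. At least 2, so the ring always
# holds one completed file while the next is being written (my choice).
ring_files() {
  local budget_mb=$1 file_mb=$2 n
  n=$(( budget_mb / file_mb ))
  [ "$n" -lt 2 ] && n=2
  echo "$n"
}

# dumpcap_args IFACE OUTDIR FILE_MB BUDGET_MB [CAPTURE_FILTER]
# Prints one dumpcap argument per line so a capture filter containing spaces
# survives as a single argument. Options used:
#   -i IFACE          interface to capture on (dumpcap -D lists them)
#   -q                quiet: no per-packet counter on stderr
#   -b filesize:KB    switch to the next file after KB kilobytes
#   -b files:N        keep N files and overwrite the oldest (ring buffer)
#   -w BASE           output file; dumpcap inserts a sequence number and a
#                     timestamp, e.g. longcap_00001_20141220103000.pcapng
#   -f FILTER         optional libpcap capture filter
dumpcap_args() {
  local iface=$1 outdir=$2 file_mb=$3 budget_mb=$4 filter=${5:-} files
  files=$(ring_files "$budget_mb" "$file_mb")
  printf '%s\n' -i "$iface" -q \
    -b "filesize:$(( file_mb * 1024 ))" -b "files:$files" \
    -w "$outdir/longcap.pcapng"
  [ -n "$filter" ] && printf '%s\n' -f "$filter"
  return 0
}

# run_forever LOGFILE COMMAND [ARGS...]
# dumpcap should never exit on its own; if it does (crash, interface reset,
# someone killing it) the exit is logged and the capture restarted after 10s.
run_forever() {
  local log=$1 status
  shift
  while :; do
    "$@" >>"$log" 2>&1
    status=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') $1 exited with status $status, restarting in 10s" >>"$log"
    sleep 10
  done
}

# Only start capturing when explicitly asked, so the file can be sourced for
# its functions (or run by a test) without launching dumpcap.
if [ "${DUMPCAP_START:-0}" = "1" ]; then
  IFACE=${IFACE:-eth0}            # placeholder interface name
  OUTDIR=${OUTDIR:-/var/captures} # placeholder capture directory
  FILE_MB=${FILE_MB:-100}         # 100 MB files open quickly in Wireshark
  BUDGET_MB=${BUDGET_MB:-20000}   # keep roughly the newest 20 GB of traffic
  FILTER=${FILTER:-}              # e.g. "not port 22" to drop your own SSH session
  set --
  while IFS= read -r arg; do set -- "$@" "$arg"; done <<EOF
$(dumpcap_args "$IFACE" "$OUTDIR" "$FILE_MB" "$BUDGET_MB" "$FILTER")
EOF
  run_forever "$OUTDIR/longcap.log" dumpcap "$@"
fi
```

Start it detached, for example `DUMPCAP_START=1 IFACE=eth0 nohup sh longcap.sh &`, and check the log file if the ring stops advancing. Two practical caveats: give dumpcap the capture privilege it needs (on Linux the usual route is the wireshark group with capabilities set on the dumpcap binary) rather than running the loop as root, and lock down the capture directory, because a months-long capture will contain credentials and other sensitive traffic. If disk space is tighter than the budget, a smaller snaplen (dumpcap -s) keeps headers while dropping payload.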
We've had great success capturing in this way. Just before Christmas last year (2014) we started dumpcap on three Windows servers. We captured the data we needed, did the analysis and found the problem. We then restarted the captures in case further problems occurred. In May this year the customer called to ask if we could see if we had network captures for a new problem. We checked the capture units and found that they had all been capturing continuously for 5 months.
Dumpcap is a great tool - you should get into it.