Processing Dumpcap Ring Buffer Files with Wizz
If you read my last blog you'll remember that we discovered how we can use dumpcap for long-term capture. So now that you have a couple of hundred trace files, how on earth do you extract the useful stuff? Read on.
We saw in the last blog that we can configure dumpcap with a ring buffer so that we can run a continuous capture until the problem we are investigating occurs.
The chances are that once the problem has occurred we will just want to extract the trace entries for one user.
Wizz is a simple Windows batch command script file that filters multiple trace files and delivers the data we are looking for. In the following video I'll demonstrate using Wizz to process dumpcap ring buffer files.
Why do this with Windows Batch Scripting? That's a good question, particularly as batch scripting functionality is very limited.
At Advance7 we always try to write these utilities in a way that avoids the installation of any additional programs or features. Because we often need to work quickly in a live production environment, we need to use a very light touch. We chose to write this as a batch script as it's the lowest common denominator; all Windows machines can execute a .bat file. Now that PowerShell is installed as standard on more recent Windows releases we will probably switch to that, but at the moment there are still Windows 2003 servers out there and PowerShell isn't installed by default on these earlier releases.
Wizz is available totally free of charge from the Network Trace Capture Guide or Network Trace Analysis Guide sections of the TribeLab site. It isn't elegant, and it's a bit slow when processing hundreds or thousands of files, but it's robust, simple to use and it does the job.
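To show the kind of processing described above, here is an added example, which is not the Wizz script and not Advance7 code: a batch file that runs tshark over every ring-buffer file with one display filter and merges the matches with mergecap. The script name ringfilter.bat, the default Wireshark install folder and the temporary file names are assumptions.

```batch
@echo off
rem Added example (not the Wizz script): filter every ring-buffer file with one
rem display filter and merge the matching packets into a single trace.
rem Usage: ringfilter.bat <capture_dir> "<display filter>" <output_file>
rem Assumes Wireshark's default install folder and a filter with no double quotes.
setlocal
set "SRC=%~1"
set "FILTER=%~2"
set "OUT=%~3"
set "WS=%ProgramFiles%\Wireshark"
set "PART=%TEMP%\ringfilter_part_%RANDOM%.pcapng"
set "NEXT=%TEMP%\ringfilter_next_%RANDOM%.pcapng"

if "%OUT%"=="" (echo Usage: %~nx0 capture_dir "display filter" output_file & exit /b 1)
if not exist "%WS%\tshark.exe" (echo tshark.exe not found in "%WS%" & exit /b 1)
if exist "%OUT%" (echo Refusing to overwrite "%OUT%" & exit /b 1)

rem dumpcap ring-buffer names sort chronologically, so files are read in order.
for %%I in ("%SRC%\*.pcap*") do call :filter_one "%%~fI"
del "%PART%" "%NEXT%" 2>nul
if not exist "%OUT%" (echo No trace file could be filtered & exit /b 1)
echo Wrote "%OUT%"
exit /b 0

:filter_one
rem Keep only the packets in this one file that match the display filter.
"%WS%\tshark.exe" -r "%~1" -Y "%FILTER%" -w "%PART%"
if errorlevel 1 (
  echo Skipped "%~nx1": tshark reported an error
  goto :eof
)
rem The first filtered file becomes the output; later ones are merged into it.
if not exist "%OUT%" (
  move /y "%PART%" "%OUT%" >nul
  goto :eof
)
rem Merge one file at a time so the command line never grows with the file count.
"%WS%\mergecap.exe" -w "%NEXT%" "%OUT%" "%PART%"
if errorlevel 1 (
  echo Merge failed for "%~nx1"
  goto :eof
)
move /y "%NEXT%" "%OUT%" >nul
```

Write the output file outside the capture directory so the loop does not pick it up as an input. A call such as `ringfilter.bat C:\traces "ip.addr==10.0.0.5" C:\out\user.pcapng` (constructed values) extracts one user's traffic.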