In this video, learn how to use a dumpcap utility that streamlines scheduling of packet captures.
One of the tricky things about troubleshooting with network protocol analysis is getting comfortable with unattended capture when you need to start a capture at a specific time. There are three ways to approach this with Wireshark:
- Write a script or macro that drives the Wireshark GUI on screen and starts/stops the capture.
- Use the TShark Wireshark utility together with a scheduling program.
- Use the dumpcap Wireshark tool together with a scheduling program.
The problem with the first option is that if anything on the screen is repositioned, the script will fail. There has always been quite a debate over TShark versus dumpcap. I can safely say that when performance is a concern, dumpcap is the clear winner: it only writes packets to disk, whereas TShark also dissects them as they arrive.
This is where DumpcapUI from Douglas A. Dietz comes in. This portable utility lets you configure the more common dumpcap options through a GUI and create the corresponding task in your Microsoft Scheduler.
In this video, I show how to get started with DumpcapUI.
I strongly recommend testing your configuration before scheduling or going live with it, and using ring buffers for long-term capture. Also, use file size as your “Next file every” option instead of time. Unless you have a really good grasp of filtering and of what traffic to expect, you have no idea how much traffic you will capture within a given time frame, so a time-based rotation gives you no bound on disk usage. Please see my previous video on large packet capture.
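As an added example that is not part of the original post or of DumpcapUI, the PowerShell below assembles the size-bounded dumpcap ring-buffer command line that the recommendations above describe and registers it as a one-time Windows scheduled task; the dumpcap path, the interface name "Ethernet", the C:\Captures folder and the 02:00 start time are assumptions.

```powershell
# Added example (not from the original video or from DumpcapUI itself):
# build a dumpcap ring-buffer command line and schedule it unattended.
# Assumptions: dumpcap.exe is in the default Wireshark install path,
# an interface named "Ethernet" exists, and C:\Captures exists and is
# writable by the account the task runs under.
$Dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'
$Interface = 'Ethernet'
$OutDir    = 'C:\Captures'
$StartAt   = (Get-Date).Date.AddDays(1).AddHours(2)   # 02:00 tomorrow

# Ring buffer bounded by SIZE, not time: 20 files x 100 MB means at most
# ~2 GB on disk however busy the link turns out to be. '-b filesize:' is
# given in kilobytes. A time-based rotation such as '-b duration:3600'
# would roll hourly but put no ceiling on how large each file gets.
$FileSizeKB = 100 * 1024
$FileCount  = 20
$StopAfter  = 8 * 3600   # '-a duration:' stops the whole capture after 8 h

# Note: $Args is an automatic variable in PowerShell, so use another name.
$DumpcapArgs = @(
    '-i', $Interface,
    '-b', "filesize:$FileSizeKB",
    '-b', "files:$FileCount",
    '-a', "duration:$StopAfter",
    '-w', "$OutDir\sched.pcapng",
    '-q'                  # quiet: no running packet count on the console
) -join ' '

# Test the same options interactively with a short run before scheduling:
#   & $Dumpcap -i $Interface -b filesize:10240 -b files:3 -a duration:60 `
#       -w "$OutDir\test.pcapng"

$Action  = New-ScheduledTaskAction -Execute $Dumpcap -Argument $DumpcapArgs
$Trigger = New-ScheduledTaskTrigger -Once -At $StartAt
Register-ScheduledTask -TaskName 'DumpcapRingCapture' -Action $Action `
    -Trigger $Trigger -RunLevel Highest `
    -Description 'Unattended dumpcap ring-buffer capture (size-bounded)'
```

Capturing needs the privileges Wireshark's installer grants through Npcap, so run the task under an account that is allowed to open the interface, and check the first few files after the trigger fires to confirm the filter and file sizes are what you expected.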