Dumpcap: CLI packet capture on Windows

Dumpcap is the command-line capture engine that ships with Wireshark, and it is a more reliable way to capture than the Wireshark GUI. I recently had an intermittent issue on a customer site that required a trace to be taken whilst the issue was happening. Initially I tried to run a packet capture with a ring buffer to see the SIP messages that occurred when the failure happened. Unfortunately, when I set up the capture and left it alone, I would reconnect to the server only to find that Wireshark had bombed out some unknown time before. The vendor of the voice recording software that I was trying to get the capture for mentioned that dumpcap may be more reliable than using the Wireshark GUI. As I had already been bitten by the reliability of packet capture software, I wanted to ensure that if the process failed it would be restarted.

So, I had a look around the internet to find a solution. What I settled on is as follows.

First off, you will need Wireshark to be installed. Whether you have the 32-bit or 64-bit build of Wireshark installed determines the location that you will need to run dumpcap.exe from. In my case it is in "c:\Program Files\Wireshark" as I am running the 64-bit version. If you were running the 32-bit version then it would be located in "c:\Program Files (x86)\Wireshark".

The batch file to run dumpcap

Now you need a batch file to run the dumpcap command (I have named it startCapture.bat):
"c:\Program Files\Wireshark\dumpcap.exe" -b files:100 -b filesize:102400 -i 2 -w "c:\vrCapture\vrCapture.pcap" -f "tcp port 5060"

-b denotes a ring buffer; this is the rollover part of the capture.

In the above example I am using two parameters of -b:

  • -b files: in my example I set it to 100, so a total of 100 files will be created. Once the capture has got to file 100 it will write over the existing files, starting from the first one. This is why it is called a rollover.
  • -b filesize: again in my example, I have set the size to 102400KB which equates to 10MB. So, once the capture file gets to 10MB it will move to the next file in the ring buffer.

-i Specifies the interface that the traffic should be captured from.
-i : For my capture it was ID 2; on the customer's server it ended up being ID 6, as there were multiple interfaces in use along with NIC teams. It took some trial and error to get the correct ID for the trace.

-w Tells dumpcap which file to write the capture to.
-w : In mine this was "c:\vrCapture\vrCapture.pcap".

-f This is the capture filter.
-f : Leave this out if you want to capture all the traffic on the interface. If you only want a particular type of traffic then use a filter. In my example I was only interested in the SIP flows, so the only traffic I needed was on TCP port 5060. Specifying exactly what you want to see makes the capture files smaller and means you do not have to sift through a lot of useless information; the capture filter discards what you are not interested in.
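To make the command line above less error-prone, here is an added Python example (my code, not the post's own script) that assembles the same dumpcap flags from named parameters, works out the worst-case disk footprint of the ring buffer, and parses the interface listing that dumpcap prints with its -D option so the interface ID can be looked up by description instead of by trial and error. One caveat worth checking before you leave a capture running unattended: dumpcap counts the filesize: value in kB, so 102400 gives a 100 MB file, and 100 of them can occupy close to 10 GB. The sample -D listing, the paths and the interface IDs below are constructed for illustration.

```python
"""Build and sanity-check a dumpcap ring-buffer command line.

Added example, not the blog's own script. Paths, interface IDs and the
sample `dumpcap -D` listing below are constructed for illustration.
"""
import re
import subprocess
from typing import Dict, List, Optional

# dumpcap's "-b filesize:" value is counted in kB (1024-byte units).
KB = 1024


def build_dumpcap_argv(dumpcap_exe: str, interface, outfile: str, files: int,
                       filesize_kb: int, capture_filter: Optional[str] = None) -> List[str]:
    """Return the argv list for a ring-buffer capture using the post's flags.

    Returning a list (not a string) lets the caller hand it to subprocess
    without shell quoting, so spaces in paths and the BPF filter stay intact.
    """
    if files < 1 or filesize_kb < 1:
        raise ValueError("files and filesize_kb must be positive")
    argv = [dumpcap_exe, "-b", f"files:{files}", "-b", f"filesize:{filesize_kb}",
            "-i", str(interface), "-w", outfile]
    if capture_filter:
        argv += ["-f", capture_filter]
    return argv


def ring_buffer_max_bytes(files: int, filesize_kb: int) -> int:
    """Worst-case disk footprint of the ring: every slot full at the same time."""
    return files * filesize_kb * KB


# One line of `dumpcap -D` output: "<id>. <device> (<description>)"; the
# description in parentheses is present on Windows and absent on most Unixes.
INTERFACE_LINE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interface_list(text: str) -> Dict[int, str]:
    """Parse `dumpcap -D` output into {interface id: description or device}."""
    result: Dict[int, str] = {}
    for line in text.splitlines():
        m = INTERFACE_LINE.match(line.strip())
        if m:
            ident, device, desc = m.groups()
            result[int(ident)] = desc or device
    return result


def find_interface_id(interfaces: Dict[int, str], needle: str) -> Optional[int]:
    """Return the first interface whose description contains needle (case-insensitive)."""
    for ident in sorted(interfaces):
        if needle.lower() in interfaces[ident].lower():
            return ident
    return None


# Constructed sample of what `dumpcap -D` prints on a Windows host.
SAMPLE_D_OUTPUT = """\
1. \\Device\\NPF_{11111111-1111-1111-1111-111111111111} (Management)
2. \\Device\\NPF_{22222222-2222-2222-2222-222222222222} (Voice VLAN)
3. \\Device\\NPF_Loopback (Adapter for loopback traffic capture)
"""


if __name__ == "__main__":
    interfaces = parse_interface_list(SAMPLE_D_OUTPUT)
    iface = find_interface_id(interfaces, "voice")
    argv = build_dumpcap_argv(r"c:\Program Files\Wireshark\dumpcap.exe", iface,
                              r"c:\vrCapture\vrCapture.pcap", 100, 102400, "tcp port 5060")
    print(subprocess.list2cmdline(argv))
    gib = ring_buffer_max_bytes(100, 102400) / KB ** 3
    print(f"ring buffer can occupy up to {gib:.2f} GiB on disk")
```

On a real host you would feed the output of `dumpcap -D` into parse_interface_list instead of the constructed sample; the lookup by description is what removes the guesswork when a server has several NICs and teams.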

The batch file that checks to see if dumpcap is still running

I completely stole the below batch file from this post on Stack Overflow and (slightly) re-purposed it for my needs.

@ECHO OFF
:B
SET MyProcess=dumpcap.exe
REM FINDSTR sets ERRORLEVEL 1 when no line of the TASKLIST output contains the name.
TASKLIST | FINDSTR /I /C:"%MyProcess%" >NUL
REM Not running: start it. Already running: wait 30 seconds and check again.
IF ERRORLEVEL 1 (GOTO :StartScripts) ELSE (TIMEOUT /T 30 /NOBREAK >NUL & GOTO :B)

:StartScripts
::: //-- Put in the full path to the batch scripts to call
::: //-- Be sure the security context this process runs as has access to execute the below called batch scripts
REM CALL blocks until dumpcap exits; the loop then re-checks and restarts it.
CALL "C:\vrCapture\startCapture.bat"
GOTO :B

I have called this file "dumpcap.bat" and placed it in the same folder as "startCapture.bat". If you give full paths to the files then you can place them wherever you want; if you do not give full file paths then the files will need to be located in the same directory.
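The batch watchdog matches on the process name in TASKLIST, which cannot tell your dumpcap from any other process that happens to carry the same image name and only learns about a crash on its next poll. As an added example (my code, not the blog's batch file), here is a supervisor in Python that instead launches dumpcap as its own child, so it receives the exit code the moment dumpcap stops, restarts it after a short delay, and gives up when dumpcap keeps dying within seconds, which almost always means a wrong interface ID, an unwritable output path or a bad capture filter rather than the intermittent failure you are waiting for. The command line, paths and thresholds are constructed examples.

```python
"""Supervise dumpcap and restart it when it dies.

Added example, not the blog's batch file. The supervisor is dumpcap's parent
process, so it learns the exit code directly instead of polling TASKLIST.
Paths and thresholds below are constructed examples.
"""
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Callable, List

# Constructed example command; same flags as the post's startCapture.bat.
DUMPCAP_ARGV = [
    r"c:\Program Files\Wireshark\dumpcap.exe",
    "-b", "files:100", "-b", "filesize:102400",
    "-i", "2", "-w", r"c:\vrCapture\vrCapture.pcap",
    "-f", "tcp port 5060",
]


@dataclass
class SupervisorResult:
    restarts: int
    reason: str  # "clean_exit" or "crash_loop"


def run_dumpcap(argv: List[str]) -> int:
    """Launch dumpcap as a child and block until it exits; return its exit code."""
    proc = subprocess.Popen(argv)
    try:
        return proc.wait()
    except KeyboardInterrupt:
        proc.terminate()  # forward Ctrl-C so dumpcap closes the pcap cleanly
        proc.wait()
        return 0


def supervise(run_once: Callable[[], int], max_quick_failures: int = 5,
              quick_exit_seconds: float = 30.0, restart_delay: float = 5.0,
              sleep=time.sleep, clock=time.monotonic) -> SupervisorResult:
    """Restart on non-zero exit; stop on exit code 0 or on a crash loop.

    A capture that dies within quick_exit_seconds several times in a row is
    misconfigured, so blind restarting would just spin and fill the log.
    sleep and clock are injectable so the policy can be tested without waiting.
    """
    restarts = 0
    quick_failures = 0
    while True:
        started = clock()
        rc = run_once()
        uptime = clock() - started
        if rc == 0:
            return SupervisorResult(restarts, "clean_exit")
        if uptime < quick_exit_seconds:
            quick_failures += 1
            if quick_failures >= max_quick_failures:
                return SupervisorResult(restarts, "crash_loop")
        else:
            quick_failures = 0  # it ran for a while, so this was a genuine crash
        restarts += 1
        print(f"dumpcap exited with {rc} after {uptime:.0f}s; "
              f"restart #{restarts} in {restart_delay}s", file=sys.stderr)
        sleep(restart_delay)


if __name__ == "__main__":
    result = supervise(lambda: run_dumpcap(DUMPCAP_ARGV))
    print(f"supervisor stopped: {result.reason} after {result.restarts} restart(s)")
```

Run it under the same account the batch file would use (it needs the capture privilege on the interface and write access to the output folder); a scheduled task that starts this script at boot gives you the same unattended behaviour as the batch loop, with a record of every restart on stderr.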

10 Kinds Technology