
Most users of Wireshark and T-Shark are unaware that neither of these programs actually captures packets on its own!

Both programs hand the capturing to a third program, 'dumpcap', which is distributed with Wireshark and was installed on your (Linux, Mac or Windows) system along with it.

Since dumpcap is a program in its own right, you can use it natively to capture packets and "dump" them into a file. The dumpcap program is updated along with Wireshark updates.

Why would you use dumpcap? Here is an example. Some folks have run into memory problems during large captures on fast interfaces. Using dumpcap natively may be a way around that problem. So some people simply always use dumpcap! (I have noticed that many of those who do are prior tcpdump users!)

I thought I would provide a brief dumpcap usage article so that you can use the tool natively on your machine.

There are two steps to using dumpcap natively:

  1. Select the network interface you wish to capture on
  2. Specify the filename you wish to use for the capture

Selecting the Network Interface

The hard way: Begin by opening a terminal window; how depends on what OS you run. On Windows: Start> Run> cmd. On a Mac: Launchpad> Other> Terminal. At this point you will most likely have to navigate to the directory where the Wireshark executables were installed. To get the directory path on your machine, whether it is a Mac, Windows or Linux, open Wireshark, select Help> About Wireshark> and then select the Folders tab. There you will see the path in the Programs item. Once in the proper directory, on Windows run dumpcap. On a Mac run dumpcap.bin.

The easy way: Open Wireshark, select Help> About Wireshark> and then select the Folders tab. There you will see the path in the Programs item. Double click the directory path to open your file navigator and then click on dumpcap if you are on Windows, or dumpcap-bin if you are on a Mac.

Here is the (now old) Windows version:

[Screenshot: Windows dumpcap]

Here is the (now old) Mac version:

[Screenshot: Mac dumpcap, 2014-09-02]

Here is the latest version on Windows:

[Screenshot: dumpcap on Windows, 2019-05-26]

Notice that in every version the capture started immediately. To stop capturing packets, simply type Ctrl-C.

Great! But we have a couple of problems. What if dumpcap did not start capturing on the appropriate interface? Also, where can we specify the filename we want dumpcap to use?

So let's see how we can select the network interface. In a terminal window, enter the following command:

dumpcap -D

[Screenshot: dumpcap -D output, 2019-05-26]

You can see that there are 7 interfaces on my system. By default dumpcap usually selects the first interface in the list. So if I wanted to capture on my Wi-Fi network connection I would enter the following command:

dumpcap -i 7

This means capture on interface #7 in the list:

[Screenshot: dumpcap -i 7, 2019-05-26]

Note: My Wi-Fi was not connected, so I received no packets.


Specifying the File to Save the Capture To

The next thing we need to know is how to specify exactly which file dumpcap will use to store the captured data. To do this we use the '-w' option and give the path and file name we want dumpcap to write the captured data to. Here is an example combining the interface selection with the write option:

dumpcap -i 1 -w c:\testtrace.pcapng

This will create a capture file in the latest .pcapng format in the root directory of the C: drive.

Note: If you cannot get the command to execute due to insufficient permissions, try running the Windows command line as Administrator, or on Mac/Linux use the 'sudo' command.
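Here is an added example (my own code, not from this article or from the Wireshark project) that scripts the two steps above. The interface number printed by dumpcap -D is a list position that can differ between machines, so the script resolves the interface from its name or description, refuses to guess when the match is ambiguous, and then assembles the dumpcap command line with the -i, -w, -b and -a options used in this article. The dumpcap -D listing in SAMPLE_DUMPCAP_D is constructed, and the function names are my own.

```python
"""Pick a dumpcap interface by name instead of by list position, then build
the dumpcap command line.  Added example, not CellStream's or Wireshark's code.
"""
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

# Constructed sample of `dumpcap -D` output (Windows style).  Linux lines look
# like "3. eth0" or "4. any (Pseudo-device that captures on all interfaces)".
SAMPLE_DUMPCAP_D = """\
1. \\Device\\NPF_{AAAA0000-0000-0000-0000-000000000001} (Ethernet)
2. \\Device\\NPF_{AAAA0000-0000-0000-0000-000000000002} (Local Area Connection* 1)
3. \\Device\\NPF_{AAAA0000-0000-0000-0000-000000000003} (Local Area Connection* 2)
4. \\Device\\NPF_{AAAA0000-0000-0000-0000-000000000004} (VirtualBox Host-Only Network)
5. \\Device\\NPF_{AAAA0000-0000-0000-0000-000000000005} (Bluetooth Network Connection)
6. \\Device\\NPF_Loopback (Adapter for loopback traffic capture)
7. \\Device\\NPF_{AAAA0000-0000-0000-0000-000000000007} (Wi-Fi)
"""

# "<index>. <name>" optionally followed by " (<description>)"
_LINE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")


def parse_interfaces(text: str) -> List[Tuple[int, str, str]]:
    """Turn `dumpcap -D` output into (index, name, description) tuples."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return found


def resolve_interface(text: str, wanted: str) -> Optional[int]:
    """Return the dumpcap index whose name or description matches `wanted`.

    An exact (case-insensitive) match wins; otherwise a unique substring match
    is accepted.  Ambiguous or missing -> None, so the caller never captures on
    the wrong interface by accident.
    """
    key = wanted.lower()
    entries = parse_interfaces(text)
    exact = [i for i, n, d in entries if key in (n.lower(), d.lower())]
    if len(exact) == 1:
        return exact[0]
    partial = [i for i, n, d in entries if key in n.lower() or key in d.lower()]
    return partial[0] if len(partial) == 1 else None


def build_dumpcap_command(index: int, outfile: str,
                          filesize_kb: Optional[int] = None,
                          max_files: Optional[int] = None,
                          packets_per_file: Optional[int] = None,
                          stop_after_packets: Optional[int] = None) -> List[str]:
    """Assemble the dumpcap argv from the options used in the article."""
    argv = ["dumpcap", "-i", str(index), "-w", outfile]
    if filesize_kb is not None:
        argv += ["-b", f"filesize:{filesize_kb}"]        # next file at this size (kB)
    if max_files is not None:
        argv += ["-b", f"files:{max_files}"]             # ring buffer: keep this many files
    if packets_per_file is not None:
        argv += ["-b", f"packets:{packets_per_file}"]    # next file after this many packets
    if stop_after_packets is not None:
        argv += ["-a", f"packets:{stop_after_packets}"]  # autostop condition
    return argv


def capture(wanted: str, outfile: str, **opts) -> int:
    """Run `dumpcap -D` for real, resolve the interface, and start capturing."""
    listing = subprocess.run(["dumpcap", "-D"], capture_output=True,
                             text=True, check=True).stdout
    index = resolve_interface(listing, wanted)
    if index is None:
        raise SystemExit(f"interface {wanted!r} not found or ambiguous:\n{listing}")
    argv = build_dumpcap_command(index, outfile, **opts)
    print("running:", " ".join(shlex.quote(a) for a in argv))
    return subprocess.run(argv).returncode   # Ctrl-C stops the capture


if __name__ == "__main__":
    # Offline demonstration against the constructed listing.
    idx = resolve_interface(SAMPLE_DUMPCAP_D, "Wi-Fi")
    print(idx, build_dumpcap_command(idx, "testtrace.pcapng", filesize_kb=65535, max_files=10))
```

Calling capture("Wi-Fi", "testtrace.pcapng", filesize_kb=65535, max_files=10) on a machine with Wireshark installed runs the real listing and starts dumpcap; the resolver returns None rather than a guess when two interfaces match (for example the two "Local Area Connection*" entries), which is the failure mode the article warns about.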

[Screenshot: dumpcap -i 1 -w c:\testtrace.pcapng, 2019-05-26]

Great.  So now if we look at the root directory in my example:

[Screenshot: C:\ root directory listing, 2019-05-26]

We see the testtrace.pcapng file! This can then be opened in the Wireshark GUI:

[Screenshot: testtrace.pcapng opened in Wireshark, 2019-05-26]

An important option to consider when using dumpcap natively is one that keeps you from running out of memory or disk space. It is added to your dumpcap command with the '-b' parameter:

dumpcap -i 2 -w c:\testtrace.pcapng -b filesize:65535

In this example we are limiting the file to 64Mbits, but you may choose 128Mbits as an alternative. dumpcap will limit each file to that size and automatically create multiple files, appending the year, month, day, hour, minute and second to the filename so that each file created is unique.

In the next example, I have limited the filesize to 1024 bytes (way too small) to illustrate:

[Screenshot: dumpcap writing multiple files, 2019-05-26]

You can see that dumpcap has started to capture into multiple files using 'testtrace' as the filename seed.

Now here is another cool thing the Wireshark GUI does. Let's open one of the testtrace files:

[Screenshot: a testtrace file opened in Wireshark, 2019-05-26]

I can now use File> File Set> List Files or Next File to navigate through the multiple files. This makes managing the file list much easier.

[Screenshot: File> File Set> List Files, 2019-05-26]

You can then use the merging tools in Wireshark to merge the files back together.

New Stuff in Wireshark 3.x

Since Wireshark 3.x, there have been a couple of enhancements to dumpcap. The -a parameter defines an autostop condition and the -b parameter invokes the ring buffer feature. Although dumpcap has always supported these parameters, it did not support the packets option: previously, you could only define autostop or ring buffer conditions based on duration, file size, or number of files. So let's look at an example:

dumpcap -i 7 -a packets:250 -b packets:50 -w c:\testtrace2.pcapng

The command above is read as:

  • -i 7 capture on interface number 7
  • -a packets:250 stop after capturing a total of 250 packets
  • -b packets:50 capture 50 packets per file in a ring buffer set of files
  • -w c:\testtrace2.pcapng write to a file set that begins with testtrace2

Here is what my system did (I preceded the command above with the dumpcap -D command):

[Screenshot: dumpcap -D followed by the ring buffer command, 2021-02-28]

You can see this works just like a ring buffer without all the overhead of running the Wireshark GUI.
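The file-set navigation and merging described earlier, and the ring buffer just shown, both depend on how dumpcap names the files it writes. Here is an added example (my own code, not from this article or from Wireshark) that groups a directory listing into dumpcap file sets, sorts each set, reports how many files the ring buffer has already discarded and whether any file in the middle of a set is missing, and builds the mergecap command (mergecap is the command-line merge tool shipped with Wireshark) to put a set back together. The file names in SAMPLE_LISTING are constructed; dumpcap's naming pattern <base>_<NNNNN>_<YYYYMMDDhhmmss>.<ext>, with a sequence number followed by the timestamp the article mentions, is the real one.

```python
"""Inspect and merge a dumpcap ring-buffer file set.
Added example, not code from the article or from Wireshark.
"""
import re
import shlex
from datetime import datetime
from typing import Dict, List, NamedTuple

# "<base>_<seq>_<timestamp>.<ext>", e.g. testtrace_00001_20190526075022.pcapng
_MEMBER = re.compile(r"^(?P<base>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>pcapng|pcap)$")


class Member(NamedTuple):
    seq: int          # dumpcap's running file number
    started: datetime  # timestamp dumpcap appended to the name
    path: str


def group_file_sets(names: List[str]) -> Dict[str, List[Member]]:
    """Group file names by base name and sort each set by sequence number."""
    sets: Dict[str, List[Member]] = {}
    for name in names:
        m = _MEMBER.match(name)
        if not m:
            continue  # not a dumpcap file-set member
        started = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
        sets.setdefault(m.group("base"), []).append(Member(int(m.group("seq")), started, name))
    for members in sets.values():
        members.sort(key=lambda mb: mb.seq)
    return sets


def missing_sequence_numbers(members: List[Member]) -> List[int]:
    """Sequence numbers absent *between* the first and last member.

    The ring buffer only ever removes the oldest files, so a hole in the
    middle means something other than dumpcap deleted a file.
    """
    present = {mb.seq for mb in members}
    if not present:
        return []
    return [s for s in range(min(present), max(present) + 1) if s not in present]


def rotated_away(members: List[Member]) -> int:
    """How many files the ring buffer has already discarded (leading gap)."""
    return members[0].seq - 1 if members else 0


def mergecap_command(members: List[Member], outfile: str) -> List[str]:
    """Build the mergecap argv that merges a set back into one file.

    mergecap merges on packet timestamps by default, which for the members
    of a single file set is the same as the capture order.
    """
    return ["mergecap", "-w", outfile] + [mb.path for mb in members]


# Constructed directory listing: the 50-packet ring from the article after the
# two oldest files were rotated out and file 5 was removed by hand, plus the
# earlier two-file set and an unrelated file.
SAMPLE_LISTING = [
    "testtrace2_00003_20210228100447.pcapng",
    "testtrace2_00004_20210228100451.pcapng",
    "testtrace2_00006_20210228100459.pcapng",
    "testtrace_00001_20190526075022.pcapng",
    "testtrace_00002_20190526075023.pcapng",
    "notes.txt",
]

if __name__ == "__main__":
    for base, members in group_file_sets(SAMPLE_LISTING).items():
        print(f"{base}: {len(members)} files, {rotated_away(members)} rotated away, "
              f"holes at {missing_sequence_numbers(members)}")
        cmd = mergecap_command(members, base + "_merged.pcapng")
        print("  ", " ".join(shlex.quote(a) for a in cmd))
```

To run it against a real capture directory, pass os.listdir(path) to group_file_sets instead of SAMPLE_LISTING; the hole check is worth running before merging, because mergecap will happily produce a file with a silent gap in the traffic.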

That should be more than enough to get you started with dumpcap natively. Want to play with some of the other options? Here is the output of the help command:

dumpcap -h

[Screenshot: dumpcap -h output, 2019-05-26]


One final tidbit for Windows users. If you click here, you can download a GUI front end for dumpcap! Here is what it looks like:

We hope that helps with understanding dumpcap.

I hope you find this article and its content helpful. Comments are welcome below. If you would like to see more articles like this, please support us by clicking the patron link, where you will receive free bonus access to courses and more, or simply by buying us a cup of coffee!

