Networking/Computing Tips/Tricks

Most users of Wireshark and T-Shark are unaware that neither of these programs alone actually captures packets!  Both programs use a third program called ‘dumpcap’ to do the packet capturing.  Since dumpcap is a program itself, you can use it natively to capture packets and “dump” them into a file.  Some folks have experienced problems with memory issues during large captures on fast interfaces.  Using dumpcap natively may be a way around that problem.  I thought I would provide a brief dumpcap usage article so that you could use the tool natively on your machine.

There are two steps to using dumpcap natively:

  1. Select the network interface you wish to capture
  2. Specify the filename you wish to use for the capture

Selecting the Network Interface

The hard way: You can begin by opening a terminal window, depending on what OS you run. On Windows: Start> Run> cmd.  On a MAC: Launchpad> Other> Terminal.  At this point you will most likely you will have to navigate to the directory where the Wireshark executables were installed.  To get the directory path on your machine regardless of whether it is a MAC or Windows or Linux, open Wireshark, select Help> About Wireshark> then select the Folders Tab.  From there you will see the path in the Programs item.  Once in the proper directory, in Windows run dumpcap.  On a MAC run the dumpcap.bin.

The easy way: Open Wireshark, select Help> About Wireshark> then select the Folders Tab.  From there you will see the path in the Programs item.  Double click the directory path to open up your file navigator and then click on dumpcap if you are Windows, or dumpcap-bin if you are a MAC.

Here is the Windows version:

 Windows dumpcap

 

Here is the MAC version:

Screen Shot 2014-09-02 at 11.05.20 AM

Notice that in both versions, the capture started immediately.  To stop capturing packets, simply type <control-C>.

Great!  But, we have a couple of problems.  What if dumpcap did not start capturing on the appropriate interface?  Also, where can we specify the filename we want dumpcap to use?

So let's see how we can select the network interface.  In a terminal window, enter the following command: 'dumpcap -D':

dumpcap interfaces

You can see that there are 4 interfaces on my system.  Usually the default is to select the first interface in the list.  So if I wanted to capture on my Local Area Network connection I would enter the following command: 'dumpcap -i 2'.  This means capture on interface #2 in the list:

dumpcap int 2

Great!

Specifying the File to Save the Capture To

The next thing we need to know how to do is to specify exactly what file dumpcap will use to store the captured data.  To do this we will use the '-w' command and specify the path and file name we want dumpcap to write the captured data to.  Here is an example combining the specification of the interface with the write command:

dumpcap -i 2 -w c:\testtrace.pcapng

This will create a capture file using the latest .pcapng format to the C:\ drive root directory.  

Note:  If you cannot get the command to execute due to insufficient permission, try running the Windows Command Line as Administrator, or on MAC use the 'sudo' command.

 dumpcap int and dest

Great.  So now if we look at the root directory in my example:

saved pcapng file

 

 We see the testtrace.pcapng file!  This can then be openned in the Wireshark GUI:

testtrace open in wireshark

 

An important option that you may want to consider using when using dumpcap natively is to avoid running out of memory or disk space.  This can be added to your dumpcap command using the '-b' parameter:

dumpcap -i 2 -w c:\testtrace.pcapng -b filesize:65535

In this example we are limiting the file to 64Mbits, but you may choose to do 128Mbits as an alternative.  What dumpcap will do is limit the size of each file to that size and it will automatically create multiple files appending year, month, day, hour, minumte, and second to the filename, so that each file created is unique.  You can then use the merging tools in Wireshark to merge the files back together.

That should be more than enough to get you started with dumpcap natively.  Want to play with some of the other commands? Here is the dumpcap -h output:

dumpcap-h

 

One final tidbit for Windows users.  If you click here, you can download a GUI front end for dumpcap!  Here is what it looks like:

dumpcapui

 

 We hope that helps with understanding dumpcap.  

 

Comments powered by CComment

Find by Tag

4G Networks 5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az Ad-Hoc Addressing Analysis Ansible Apple Architecture ARP Assessment AToM Automation Baseline BGP Bloom's Taxonomy Bluehost BPF Briefings Cable Capture Filter cat CellStream Cellular Central Office Cheat Sheet Chrome Cisco Cloud CMD Company Policy Computer Consulting Data Center Data Networking Dependencies DHCPv6 Display Filter DNS Documentation dumpcap Earth Earthquakes ECMP Ethernet Ethics Etiquette Evaluation Field Operations Five Monkey Rule G-MPLS Gauge GeoIP GNS3 Google GQUIC Hands-On History Home Network ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 India Internet IoT IPv4 IPv6 IRINN IS-IS L2VPN L3VPN LDP LifeNet Linux LLN LoL M-BGP MAC Macro Microsoft Milky Way mininet Monitoring MPLS mtr Multicast Murphy Name Resolution Netcat NetMon netsh Networking nmap NSE Observations OLPC Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX OTT Parrot PIM Policy POTS POTS to Pipes PPP Profile Project Management PW3E QoS QUIC Railroad Remote Desktop Requirements Resume Review RIP Routig Routing RPL RSVP Rural SDN Security Service Provider Small Business SONET Speed SSL Status Storms Subnetting Support SYSCTL T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Testing Tools Traceroute Traffic Engineering Training Travel Tunnel Ubuntu Utility Video Virtualbox Virtualization VoIP VRF VXLAN Wi-Fi Windows Wireless Wireless 5G Wireshark WLAN Writing Zenmap ZigBee

Twitter Feed