How to use Dumpcap to capture a rolling packet trace

  • 7015122
  • 29-May-2014
  • 09-May-2018

Environment

Novell Client 2 SP3 for Windows

Situation

For intermittent problems, it can be impossible to predict when and where the problem may next occur.

Need to gather LAN packet trace information over a long period of time.

Resolution

The Wireshark command line utility 'dumpcap.exe' can be used to capture LAN traffic over an extended period of time. Wireshark itself can also be used, but dumpcap consumes very little of the computer's memory while capturing for long periods. By configuring dumpcap to use a ring buffer, you can capture a large number of packets over a long period of time without adversely impacting the performance of the workstation running dumpcap, and the disk space used stays bounded by the number and size of the ring buffer files.

Dumpcap can be run on the machine which might experience the problem, or on a second machine. If run on a second machine, that machine must be able to see the target workstation's traffic (the same collision domain). This requires a dumb hub, or a mirrored (visible) port on a switch.
 
Note: Choose the "Run as Administrator" option when launching the CMD.EXE session which will run Dumpcap.exe.

A typical syntax is:

c:\"Program Files"\Wireshark\dumpcap.exe -i <interface> -s 1518 -w <somename>.cap -b filesize:16384 -b files:256 -f "host xxx.xxx.xxx.xxx"

This command will create a series of 256 files (-b files:), each of size 16384 KB (-b filesize:), with packets truncated at 1518 bytes (-s 1518). Once all 256 files are full, the oldest file is overwritten, so the ring always holds the most recent traffic. The files will follow the naming convention and be located in the path designated after the -w parameter. If you have only one interface, the -i <interface> parameter can be omitted. You can see a list of your interfaces (1, 2, 3, etc.) by running dumpcap with the -D parameter. The -f parameter is used only if tracing from a second machine; substitute the IP address of the machine experiencing the problem.

For example:
 
c:\"Program Files"\Wireshark\dumpcap.exe -i 1 -s 1518 -w c:\traces\SR12345678.cap -b filesize:16384 -b files:256 -f "host 192.168.1.1"
 
This command will capture packets on interface 1 (as displayed by "dumpcap.exe -D") and will create a series of 256 files, each of size 16384 KB, with packets truncated at 1518 bytes. The files will follow the naming convention "SR12345678" and be located in the c:\traces directory. The capture filter "host 192.168.1.1" limits the trace to packets sent to or from 192.168.1.1.
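The following Python script is an added example, not part of the TID or of Wireshark: it builds the ring-buffer command line described above with basic argument validation, computes the maximum disk space the ring can occupy, and orders the resulting capture files. The ring file name pattern it parses (prefix_NNNNN_YYYYMMDDhhmmss.ext) and the hypothetical helper names are assumptions; the sample file names are constructed.

```python
import ipaddress
import re
import subprocess

# Assumed default install path; adjust if Wireshark lives elsewhere.
DUMPCAP = r"C:\Program Files\Wireshark\dumpcap.exe"


def build_dumpcap_cmd(out_path, interface=None, snaplen=1518,
                      file_kb=16384, num_files=256, host=None):
    """Return the dumpcap argument list for a ring-buffer capture.

    Validates the values before anything is run, so a mistake fails
    here rather than silently producing an unbounded or empty trace.
    """
    if snaplen <= 0 or file_kb <= 0 or num_files <= 0:
        raise ValueError("snaplen, file size and file count must be positive")
    argv = [DUMPCAP]
    if interface is not None:          # omitted when there is only one interface
        argv += ["-i", str(interface)]
    argv += ["-s", str(snaplen), "-w", out_path,
             "-b", f"filesize:{file_kb}", "-b", f"files:{num_files}"]
    if host is not None:
        ipaddress.ip_address(host)     # raises ValueError on a malformed address
        argv += ["-f", f"host {host}"]  # BPF 'host' matches both directions
    return argv


def cmdline(argv):
    """Quote the argument list the way cmd.exe expects (handles the space in 'Program Files')."""
    return subprocess.list2cmdline(argv)


def ring_disk_budget_mib(file_kb=16384, num_files=256):
    """Upper bound on disk usage: the ring never holds more than num_files files of file_kb each."""
    return file_kb * num_files / 1024


# Assumed dumpcap ring naming: <prefix>_<5-digit sequence>_<timestamp>.<ext>
RING_FILE_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>\w+)$")


def order_ring_files(names):
    """Sort ring files chronologically using the sequence number embedded in each name."""
    parsed = []
    for name in names:
        m = RING_FILE_RE.match(name)
        if not m:
            raise ValueError(f"not a dumpcap ring file: {name}")
        parsed.append((int(m["seq"]), name))
    return [name for _, name in sorted(parsed)]


# Constructed sample of three ring files, listed out of order on purpose.
SAMPLE_RING = ["SR12345678_00003_20140529120200.cap",
               "SR12345678_00001_20140529120000.cap",
               "SR12345678_00002_20140529120100.cap"]
```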
 
See dumpcap.html in the Wireshark download package (available from wireshark.org) for additional information about dumpcap and its command line parameters.

Additional Information

See also TID 3892415, "How to use Wireshark to capture a packet trace."