Long Term Captures with Dumpcap
It is not easy to capture the right packets at the right time. So, in many cases, it is better to capture all of the packets all of the time and just look at those that were going across the wire at the time of the problem.
One of the great features of the Wireshark install is that we can set up a capture to write packets out to the hard drive and create multiple files over a very long period of time. The following details the steps for setting up this capture. This article talks about Dumpcap, which was released as part of version 0.99. If you are running an older version of Wireshark, you can replace dumpcap with tshark, or better yet, download the latest code. The advantage of dumpcap is that it uses few resources on the OS. Tshark actually calls dumpcap when you are capturing to disk.
- Install Wireshark, if you haven’t installed it already.
- Go to the command prompt and change directories to the Wireshark program directory, typically c:\program files\wireshark
- Run dumpcap -D. Be sure to use a capital D; this is different from a lower case d. This will show you a list of capture interfaces on your computer. Note the number to the left of the one you want to use for your capture.
- Enter the following command: dumpcap -i <interface number> -b files:50 -b filesize:50000 -w capture.pcap
This command will capture on the interface you specified and create 50 files, each 50 megabytes in size. Each one of these capture files will start with the word capture and end with the extension .pcap. Once the 50th file has been filled, it will overwrite the first file. A “ring buffer” of 2.5 gigabytes of data will be stored on the hard drive. If you have more hard disk space available, you can increase the number of files to any number. I would recommend keeping the filesize to 50 megabytes or less. This reduces the time it takes to open the trace file in Wireshark.
Each of the file names will have the time and date stamp of the time at which the file was captured. When a problem does occur, just save the files around the time of the problem. If you get stuck analyzing the problem, don’t forget we are here to help you out. Just contact us about our remote trace file analysis services. We can connect into your analyzer and work together to get the problem diagnosed quickly.
Happy troubleshooting!