How to Capture Packets Continuously with Wireshark and Dumpcap

Need to know an easy way to capture packets for extended periods of time and save them as small .pcap or .pcapng files?

Well you’re in luck! Not only is it possible, but it’s super easy!

Plus, we can even have the capture overwrite the oldest files so the capture can continue indefinitely, much like a CCTV system would handle recorded video.

The easiest way is to use a tool called Dumpcap which you’ll get when you install Wireshark. I’ll also show you how to do this with Wireshark itself if you’re more comfortable with that and explain the pros and cons.

Continuously Capture Packets to Separate Files with Dumpcap

Dumpcap is a command line tool for dumping network traffic to a file that is installed alongside Wireshark.


There is a lot that you can accomplish with Dumpcap, which you can read more extensively about here, but I’m only going to cover what most people reading this want to accomplish, and that is:

To capture network traffic continuously and save it to multiple files, so that we have smaller chunks of data that are easier to open and parse, and to overwrite the oldest files so that we don’t eat up a ton of space.

The first thing you need to do is figure out the name of the interfaces on your system that you can capture from. To do this:

  1. Open a command prompt window and change the directory to the Wireshark install directory. In my case it’s C:\Program Files\Wireshark so I’ll use the command:
    cd c:\Program Files\Wireshark
  2. Next run the following command to output the interfaces on your system as seen by dumpcap:
    dumpcap -D

    Which will result in an output similar to:

    c:\Program Files\Wireshark>dumpcap -D
    1. \Device\NPF_{29DB0546-511A-4B91-BFE4-7E8E512C9A4A} (Bluetooth Network Connection)
    2. \Device\NPF_{DDDFAF45-DC44-4B19-9359-E2A733B9573A} (Wi-Fi)
    3. \Device\NPF_{BDF87ACA-618D-4C62-91E1-F3C07BA45401} (VMware Network Adapter VMnet0)
    4. \Device\NPF_{CB0805F7-2B4B-450A-8B45-C0CE0D5244A8} (VMware Network Adapter VMnet1)
    5. \Device\NPF_{C7247074-2A8A-409A-990F-B514A56540CA} (Ethernet 2)

Now that we have our interface name, we can use the dumpcap command string to begin dumping packet data to a file which is:

dumpcap.exe -b filesize:10000 -b files:10 -i "Ethernet 2" -w C:\capfilename.pcapng -q

-b filesize:10000 means capture until the pcapng file reaches 10,000 kB (roughly 10 MB), then start a new one. You can set this as low or high as you are comfortable with. Smaller files open faster.

-b files:10 means capture up to 10 files before overwriting the oldest file. You can set this as low or high as you are comfortable with. Fewer files means less space consumed before it begins overwriting the oldest files.

-i "Ethernet 2" means use the Ethernet adapter with the name "Ethernet 2", which we determined earlier. We could also use the number given to the adapter when we ran the dumpcap -D command earlier.

-w c:\capfilename.pcapng means begin each capture file name with the word capfilename and save it to c:\ with the extension .pcapng. Dumpcap adds a file number and timestamp to each name so the files in the set stay distinct.

-q means not to print the running count of captured packets to the command prompt window. This is optional, but I see no benefit in watching a continual counter.

So to interpret the command above, I would be capturing roughly 100MB of packet data in 10MB chunks before the ring buffer kicks in and starts overwriting old capture files.

The files will be saved in the .pcapng file format by default. If you prefer .pcap you can use the -P option.

The amount of time that this capture will cover depends entirely on how busy your network is. More traffic means more data in less time, so your capture window will be shorter. I suggest running a small test capture to see how fast you fill up your desired file size, to ensure your capture file set covers a wide enough window.

You can also run the command in PowerShell, but you need to prefix the command with .\ so that PowerShell understands that it is running dumpcap.exe from the current directory and not trying to run a cmdlet.
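Since the retention window depends on traffic volume, this added Python script (not part of the original post and not a Wireshark tool) reads the first and last packet timestamps from every file of a dumpcap ring-buffer set and reports how much time the set currently covers. It parses only the pcapng blocks it needs (section header, interface description, enhanced packet); the sample files it builds for the demonstration are constructed, and the file name pattern is an assumption you replace with your own -w prefix.

```python
import glob, struct, sys
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block type codes

def _tsresol(opts, endian):
    """Scan IDB options for if_tsresol (code 9); pcapng defaults to microseconds."""
    pos = 0
    while pos + 4 <= len(opts):
        code, olen = struct.unpack_from(endian + "HH", opts, pos)
        if code == 0:  # opt_endofopt
            break
        if code == 9:
            v = opts[pos + 4]
            return 2 ** (v & 0x7F) if v & 0x80 else 10 ** v
        pos += 4 + (olen + 3) // 4 * 4  # option values are padded to 32 bits
    return 10 ** 6

def pcapng_time_span(data):
    """Return (first, last) packet timestamps in seconds found in one pcapng byte string."""
    endian, tsres, first, last, pos = "<", {}, None, None, 0
    while pos + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, pos)[0]
        if btype == SHB:  # section header: its byte-order magic fixes the endianness
            endian, tsres = ("<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"), {}
        blen = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if blen < 12:  # corrupt or truncated block: stop rather than loop forever
            break
        body = data[pos + 8:pos + blen - 4]
        if btype == IDB:  # linktype(2) reserved(2) snaplen(4), then options
            tsres[len(tsres)] = _tsresol(body[8:], endian)
        elif btype == EPB:  # interface_id, ts_high, ts_low lead the body
            iface, hi, lo = struct.unpack_from(endian + "III", body, 0)
            last = ((hi << 32) | lo) / tsres.get(iface, 10 ** 6)
            first = last if first is None else first
        pos += blen
    return first, last

def ring_buffer_window(blobs):
    """Earliest and latest packet time across all files of a ring-buffer set."""
    spans = [s for s in map(pcapng_time_span, blobs) if s[0] is not None]
    return (min(s[0] for s in spans), max(s[1] for s in spans)) if spans else None

def make_sample_pcapng(timestamps_us):
    """Constructed minimal pcapng (SHB, one IDB, zero-length EPBs) for the demo."""
    shb = struct.pack("<IIIHHqI", SHB, 28, 0x1A2B3C4D, 1, 0, -1, 28)
    idb = struct.pack("<IIHHII", IDB, 20, 1, 0, 65535, 20)
    return shb + idb + b"".join(struct.pack("<IIIIIIII", EPB, 32, 0, t >> 32, t & 0xFFFFFFFF, 0, 0, 32) for t in timestamps_us)

if __name__ == "__main__":  # assumed usage: python ring_window.py "C:\capfilename*.pcapng"
    first, last = ring_buffer_window(open(f, "rb").read() for f in sorted(glob.glob(sys.argv[1])))
    print(f"ring buffer currently covers {last - first:.0f} seconds of traffic")
```

Run it a few times during the test capture the post recommends; if the reported span is shorter than the window you need, raise filesize or files accordingly.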


Continuously Capture Packets to Separate Files with Wireshark

We can also accomplish a similar result to the above by using the Wireshark GUI. The caveat is that Wireshark generally consumes more memory over time than just running Dumpcap.

  1. Open Wireshark and navigate to Capture -> Options -> Output
  2. Enter a file path and filename to prefix your files, choose your desired output format, check Create a new file automatically after…, check the box in front of the max file size, and then check Use a ring buffer and specify the max number of files before overwriting.
    [Screenshot: how to perform a continuous Wireshark capture and save to individual files that overwrite to save space.]
  3. Click Start to begin the continuous capture, and keep an eye on your system's memory usage if you were aggressive in your settings.
