Objective
To explain where this problem comes from: normally a Wireshark capture does not need to run for long, but sometimes you hit a hard-to-reproduce network problem that only occurs once an hour or once every few hours, and then the capture has to run for a long time. Simply starting a capture in the Wireshark GUI and waiting a few hours is a problem, because everything captured is held in memory for those hours; especially when a lot of audio and video traffic is involved, a few hours can add up to several GB, at which point Wireshark runs out of memory and the program crashes.
This is where Wireshark's automatic multiple-file saving feature comes in.
Setting it up via the Wireshark interface
It can be configured in the Wireshark interface before starting the capture; Wireshark then saves each file segment automatically under the file name we specify, with a sequence number and timestamp appended. The steps are as follows:
Choose Capture > Interfaces... to open the network interface dialog box.
Select the network device on which to capture and click the Options button after the entry.
In this dialog you can set the captured data to be stored in multiple files. Wireshark names each segment automatically from the file name we specify, as "<specified filename>_<ordinal>_<datetime>.<extension>". The dialog also lets you set the conditions for starting a new file segment and the conditions for stopping the capture, which is very flexible.
Setting up multiple-file saving this way is convenient, but there is a problem:
After capturing for a long time there are many "Closing file!" dialog boxes, each with its own Wireshark icon on the taskbar. The longer the capture runs, the more file segments there are and the more dialog boxes appear, until they eventually fill the whole taskbar, and all you can still do is right-click the Wireshark icon on the taskbar. A Google search found that this is a Wireshark bug with no good solution. For long captures it is therefore recommended to use the command line instead.
Using the command-line tool dumpcap.exe
After Wireshark is installed, its installation directory contains the command-line tool dumpcap.exe. The Wireshark GUI itself uses this tool to capture, so we can skip the GUI and capture with the command-line tool directly. The command is as follows:
dumpcap.exe -i \device\npf_{845f9d1e-8f0b-4991-9f9a-c55d107a046b} -w d:\000\ddd.pcap -b filesize:50000
The meaning of the command is explained as follows:
dumpcap.exe is found in the root of the Wireshark installation directory. The options:
-i specifies the network card device to capture on. Here it is given as the device identifier, a string that can be copied from the interface's properties in the Wireshark GUI.
-w gives the path and file name to save to. Each file written is named automatically, e.g. ddd_00001_20151221213115.pcap, i.e. "<filename>_<ordinal>_<time>".
-b filesize:n sets the size of each file to n KB; 50000 above means 50000 KB, i.e. 50 MB.
Capturing for a long time from the command line in this way is recommended and causes no problems.
Capturing with the Windows version of tcpdump
Capturing from the command line with dumpcap.exe solves the problem raised at the start of the article, but dumpcap.exe is only available after Wireshark is installed, and it also depends on other DLLs in the Wireshark installation directory. If you do not want the hassle of installing Wireshark, you can use the Windows version of tcpdump instead: a single EXE with no other dependencies. tcpdump.exe is not part of Wireshark and must be downloaded separately (tcpdump for Windows).
The tcpdump -D command lists all network devices. Note that the device identifier in this list differs slightly from the device ID we copied from the Wireshark device properties: the identifier copied from Wireshark has an npf_ prefix, because Wireshark installs the NPF driver. So Wireshark's command-line tool dumpcap.exe uses the device identifier as shown in Wireshark, while tcpdump.exe uses the device identifier as listed by tcpdump -D.
From the tcpdump -D list, by comparing the description that follows each entry with the description of the network connection we are currently using, we can work out the device ID of the connection we need to capture on.
Command description:
tcpdump.exe -i \device\{89515393-ac8f-4d23-9a03-af35f9950e72} -w E:\000\test.pcap -C 2
-i specifies the identifier of the network device to capture on.
-w specifies the file to save to. The segments are saved automatically as test.pcap, test.pcap1, test.pcap2 and so on, and these files can be dragged straight into Wireshark to open them.
-C (note the upper case) sets the size of each segment file in MB; -C 2 here gives 2 MB files.
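As an added example (not code from the article, Wireshark or tcpdump), a Python helper that puts the rotated segments of both tools back into capture order and, for dumpcap's "<filename>_<ordinal>_<time>" naming, picks the segments whose capture window covers a reported incident time; the file names are constructed in the formats shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed file names in the two formats the article shows (not real captures).
SAMPLE_DUMPCAP = [
    "ddd_00001_20151221213115.pcap", "ddd_00002_20151221223040.pcap",
    "ddd_00003_20151221233902.pcap", "ddd_00004_20151222004411.pcap",
    "notes.txt",  # unrelated file in the same folder; must be ignored
]
SAMPLE_TCPDUMP = ["test.pcap10", "test.pcap", "test.pcap2", "test.pcap1"]

# dumpcap -b filesize:N writes <base>_<ordinal>_<YYYYmmddHHMMSS>.<ext>
DUMPCAP_NAME = re.compile(r"^(.+)_(\d+)_(\d{14})\.(pcap|pcapng)$", re.IGNORECASE)
# Windows tcpdump -C writes <file>, <file>1, <file>2, ... with no timestamp
TCPDUMP_NAME = re.compile(r"^(.+?\.pcap)(\d*)$", re.IGNORECASE)
STAMP = "%Y%m%d%H%M%S"


def dumpcap_segments(filenames):
    """(ordinal, start_time, name) for every dumpcap segment, sorted by ordinal."""
    segs = []
    for name in filenames:
        m = DUMPCAP_NAME.match(name)
        if m:
            segs.append((int(m[2]), datetime.strptime(m[3], STAMP), name))
    return sorted(segs)


def segments_for_incident(filenames, incident_stamp, slack_minutes=5):
    """Names of the dumpcap segments that can contain an event at incident_stamp
    (same YYYYmmddHHMMSS format as the file names). A segment runs from its own
    stamp until the next ordinal's stamp; the last one runs until the capture was
    stopped. slack_minutes widens the search so an event reported close to a file
    boundary returns both neighbouring segments."""
    incident = datetime.strptime(incident_stamp, STAMP)
    slack = timedelta(minutes=slack_minutes)
    lo, hi = incident - slack, incident + slack
    segs = dumpcap_segments(filenames)
    chosen = []
    for i, (_, start, name) in enumerate(segs):
        end = segs[i + 1][1] if i + 1 < len(segs) else None  # None: still open
        if start <= hi and (end is None or end > lo):
            chosen.append(name)
    return chosen


def tcpdump_segments(filenames):
    """Windows tcpdump -C segments in capture order. A plain string sort would put
    test.pcap10 before test.pcap2, so sort on the numeric suffix instead."""
    segs = [(int(m[2] or 0), m[0]) for m in map(TCPDUMP_NAME.match, filenames) if m]
    return [name for _, name in sorted(segs)]
```

An unbounded capture eventually fills the disk; dumpcap's -b files:N option (not covered above) caps the number of segments kept, turning them into a ring buffer.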
Wireshark: long-running captures split into multiple files