dumpcap is a command-line utility installed together with Wireshark, found in the same directory. It is designed to capture traffic from PC network interfaces and write capture files to disk. Wireshark itself does not perform the traffic capture operation — that is done by dumpcap. All Wireshark does is launch the dumpcap utility, then read the continuously growing capture file and display packets from it with all the additional functionality.
Using dumpcap is fairly straightforward. The main challenge is that it is a command-line utility and you need to learn a few commands.
You can verify dumpcap is working as follows:
- open the command prompt (Win+R);
- navigate to the Wireshark directory:
cd \program files\wireshark
- enter the command:
dumpcap
After these steps, network traffic capture will begin. It will start on one of the available interfaces (the first one the utility finds) and write to a temporary file with an automatically generated name. But we can extend the command with settings that let us capture from the specific interface (or even multiple interfaces, yes, yes!) we need; set the name and location of the file to write to; configure a ring buffer; set capture filters; and more. Before proceeding with these settings, stop the running capture with CTRL+C (this is how you stop the capture going forward as well).
Selecting a Capture Interface
First, you need to understand which interfaces are available to dumpcap. Use the following command:
dumpcap -D
The result is a numbered list of interfaces.
To select an interface, call dumpcap with the '-i' parameter, specifying the interface number, for example:
dumpcap -i 5
Traffic capture from interface #5 will begin.
Setting the Capture File Name and Location
To set the capture file name and location, call dumpcap with the '-w' parameter, specifying the file path and name, for example:
dumpcap -i 5 -w C:\Users\gav\Documents\test.pcapng
Setting the Capture File Size
So that we can later successfully (without freezing or slowdowns) open the capture file in Wireshark for analysis, we can make the capture data save in files of a specific size. When the specified size is reached, the file is saved and a new file is created for continued capture. The file number, as well as the year, month, day, hours, minutes and seconds of capture start are appended to the filename. For example, we can call dumpcap with:
dumpcap -i 5 -w C:\Users\gav\Documents\test.pcapng -b filesize:50000
The filesize value is given in kB, so 50000 means capture files will be no larger than 50 MB.
Configuring the Ring Buffer
If traffic recording is planned over a fairly long period of time and free disk space is limited, it makes sense to have dumpcap overwrite old files with new ones. Say you have 1 GB of free space. With each file at 50 MB, 1*1024/50 gives 20 files (rounded down), so that is how many files we can keep. In this case we should call dumpcap with:
dumpcap -i 5 -w C:\Users\gav\Documents\test.pcapng -b filesize:50000 -b files:20
Setting a Capture Filter
You can apply a capture filter using BPF syntax. Call dumpcap with:
dumpcap -i 5 -f "ether proto 0x88ba or (vlan and ether proto 0x88ba)" -w C:\Users\gav\Documents\test.pcapng -b filesize:50000 -b files:20
The filter expression (capturing Sampled Values frames) is in quotes because it contains spaces.
Capturing from Multiple Interfaces
As mentioned above, dumpcap can capture from multiple interfaces. Simply specify an additional interface and use the '-t' parameter to use a separate thread per interface for load balancing:
dumpcap -t -i 5 -i 1 -w C:\Users\gav\Documents\test.pcapng -b filesize:50000 -b files:20
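Putting the settings above together (interface selection, file size, ring buffer, capture filter and multiple interfaces), here is an added Python example; it is not part of the original article or of the Wireshark project. It parses a constructed `dumpcap -D` listing, resolves interfaces by their friendly name rather than by number (the numbering can change after a reboot or when adapters are added), sizes the ring buffer from the free space, and assembles the dumpcap command line. The listing, the interface names, the free-space figure and the output path are assumptions. One caveat worth knowing when building the multi-interface command: `-f` placed before the first `-i` applies to every interface, while `-f` placed after an `-i` applies only to that interface, which is why the builder emits the filter first.

```python
"""Assemble a dumpcap command line from the settings on this page.

Added example, not part of the original article or the Wireshark project.
The `dumpcap -D` listing below is a constructed sample, and the output path,
interface names and free-space figure are assumptions for illustration.
"""
import re
import shutil
import subprocess

# Constructed sample of a `dumpcap -D` listing on Windows (not from a real host).
SAMPLE_DUMPCAP_D = """\
1. \\Device\\NPF_{1111-AAAA} (Local Area Connection* 2)
2. \\Device\\NPF_{2222-BBBB} (Wi-Fi)
3. \\Device\\NPF_Loopback (Adapter for loopback traffic capture)
4. \\Device\\NPF_{4444-DDDD} (Ethernet)
5. \\Device\\NPF_{5555-EEEE} (Ethernet 2)
"""

# The Sampled Values capture filter used on the page (ethertype 0x88ba).
SV_FILTER = "ether proto 0x88ba or (vlan and ether proto 0x88ba)"


def parse_interfaces(listing):
    """Map interface number -> friendly name from `dumpcap -D` output.

    Each line looks like `N. <device> (<name>)`; the name in parentheses is
    optional, so fall back to the device string when it is missing.
    """
    ifaces = {}
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$", line)
        if m:
            ifaces[int(m.group(1))] = m.group(3) or m.group(2)
    return ifaces


def find_interface(ifaces, name):
    """Resolve a friendly name to its number (case-insensitive, exact match).

    Numbers can change between reboots, so matching by name is safer than
    hard-coding `-i 5`; an ambiguous or missing name is an error, not a guess.
    """
    hits = [n for n, d in ifaces.items() if d.lower() == name.lower()]
    if len(hits) != 1:
        raise LookupError(f"{name!r} matched {len(hits)} interfaces: {hits}")
    return hits[0]


def ring_buffer_files(free_space_mb, file_size_mb):
    """How many ring-buffer files fit in the free space: 1024 MB / 50 MB -> 20.

    A ring buffer needs at least two files to rotate, so refuse smaller results
    instead of silently over-committing the disk.
    """
    if file_size_mb <= 0:
        raise ValueError("file size must be positive")
    n = free_space_mb // file_size_mb
    if n < 2:
        raise ValueError("not enough free space for a two-file ring buffer")
    return n


def build_command(iface_nums, out_path, file_size_mb, num_files,
                  bpf_filter=None, dumpcap="dumpcap"):
    """Return the dumpcap argv list.

    `-b filesize:` takes kB, so 50 MB is written as 50000 as on the page.
    `-f` goes before the first `-i` so it applies to every interface; after an
    `-i` it would apply only to that interface.  `-t` (one capture thread per
    interface) is added automatically when more than one interface is given.
    """
    argv = [dumpcap]
    if len(iface_nums) > 1:
        argv.append("-t")
    if bpf_filter:
        argv += ["-f", bpf_filter]
    for n in iface_nums:
        argv += ["-i", str(n)]
    argv += ["-w", out_path,
             "-b", f"filesize:{file_size_mb * 1000}",
             "-b", f"files:{num_files}"]
    return argv


def render(argv):
    """Quote the argv the way cmd.exe expects: the filter gets double quotes."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    # Real use: listing = subprocess.run(["dumpcap", "-D"], capture_output=True, text=True).stdout
    ifaces = parse_interfaces(SAMPLE_DUMPCAP_D)
    nums = [find_interface(ifaces, "Ethernet 2"),
            find_interface(ifaces, "Local Area Connection* 2")]
    files = ring_buffer_files(free_space_mb=1024, file_size_mb=50)
    cmd = build_command(nums, r"C:\Users\gav\Documents\test.pcapng", 50, files, SV_FILTER)
    print(render(cmd))
    if shutil.which("dumpcap"):  # only launch when dumpcap is actually installed
        subprocess.run(cmd, check=False)
```

Running the script prints the assembled command without starting a capture unless dumpcap is on the PATH; with the sample listing it produces the same `-b filesize:50000 -b files:20` arguments as the commands on this page, with the filter wrapped in double quotes because it contains spaces.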
Result
With this knowledge, you can perform long-term traffic captures without the risk of losing data or ending up with a frozen PC!