Saturday, February 20, 2010

Scheduled network capture on Windows using Wireshark (tshark.exe)

A customer had an iSCSI issue and needed to capture network packets at a specific time on a Windows 2008 server.

I came up with a simple method using Wireshark's tshark.exe and the Windows "AT" scheduler.


type c:\capture.bat
rem Capture WireShark example
rem Andy Paton
rem WTL
rem use AT to run the batch file
rem example: at 01:50 cmd /c c:\capture.bat

rem debug AT issues by running interactively (cmd /k keeps the window open)
rem example: at 09:50 /interactive cmd /k c:\capture.bat

rem -a duration:1200   stop after 1200 seconds
rem -B 2               capture buffer size in MB (default is 1 MB)
rem -i 4               interface number - use "tshark.exe -D" to list interface numbers
rem -n                 don't resolve IP addresses
rem -q                 quiet output
rem -w                 output file
rem capture filter "host x.x.x.x" - put the IP address of the host to capture after "host"

"c:\Program Files\Wireshark\tshark.exe" -a duration:1200 -B 2 -i 4 -n -q -w c:\network.out host
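A more defensive version of the same idea, added here as an example and not the post's own capture.bat: it takes the host IP and duration as arguments, checks that tshark.exe is present, builds a timestamped output name without depending on the regional date/time format, and rolls the capture into 50 MB files so an unattended job cannot fill the disk with one file. The interface number 4, the folder c:\captures, the example IP 192.0.2.10 and the schtasks line in the header are assumptions for illustration.

```batch
@echo off
rem Added example, not the original post's capture.bat.
rem Usage:     capture.bat <host-ip> [duration-seconds]
rem Schedule:  at 01:50 cmd /c "c:\capture.bat 192.0.2.10 1200"
rem       or:  schtasks /create /tn "tshark capture" /tr "c:\capture.bat 192.0.2.10 1200" /sc once /st 01:50 /ru SYSTEM
rem (192.0.2.10 is a placeholder address, replace it with the host you need to capture)

setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<host-ip^> [duration-seconds]
    exit /b 1
)
set "TARGET=%~1"
set "DURATION=%~2"
if "%DURATION%"=="" set "DURATION=1200"

rem Fail early if Wireshark is not installed where we expect it.
set "TSHARK=%ProgramFiles%\Wireshark\tshark.exe"
if not exist "%TSHARK%" (
    echo tshark.exe not found at "%TSHARK%" >&2
    exit /b 2
)

rem Interface number from "tshark -D"; 4 is the value used in the post and is an assumption here.
set "IFACE=4"

rem Build YYYYMMDD_HHMMSS from WMIC. %date% and %time% change with the regional settings,
rem and %time% has a leading space before single-digit hours; LocalDateTime is always
rem yyyymmddHHMMSS.ffffff+zzz, so fixed offsets are safe.
for /f "tokens=2 delims==" %%I in ('wmic os get localdatetime /value') do set "LDT=%%I"
set "STAMP=%LDT:~0,8%_%LDT:~8,6%"

set "OUTDIR=c:\captures"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
rem With -b tshark appends a file number and its own timestamp to this base name.
set "OUTFILE=%OUTDIR%\network_%TARGET%_%STAMP%.pcap"

rem -a duration:N       stop the whole capture after N seconds
rem -b filesize:51200   start a new file every 50 MB (ring buffer, value is in KB)
rem -B 2                2 MB capture buffer
rem -n / -q             no name resolution, quiet
"%TSHARK%" -i %IFACE% -a duration:%DURATION% -b filesize:51200 -B 2 -n -q -w "%OUTFILE%" host %TARGET%
set "RC=%ERRORLEVEL%"

rem Leave a one-line record so a failed scheduled run is visible the next morning.
echo %date% %time% tshark exit code %RC% base name %OUTFILE% >> "%OUTDIR%\capture.log"
endlocal & exit /b %RC%
```

Because AT and schtasks run the job with no console, the exit code written to capture.log is the only sign that tshark started and stopped cleanly; a non-zero code usually means a wrong interface number or a filter that did not parse.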


Steve said...

This rocks! Thank you very much for posting.

Sajid1975 said...

-w "c:\software\network_%date:~-4,4%%date:~-7,2%%date:~-10,2%_%time:~-11,2%h%time:~-8,2%.pcap"

to add the date and time to the output file