Wireshark is amazing tool for any network nerd. It brings a simple way to visualize a flow of tons of packets in and out from network interface. But what if we need a simple command line way to interact to Wireshark functionality just using a Linux terminal or IoT simple device. Installing and configuring Wireshark would be a overkill. Fortunately, base installation contains a number of tools which make our life as network administrator or security engineer easy while analyzing a network traffic. And Wireshark dumpcap is one of them, created to interact with network traffic using command line interface (CLI) in automated way.
Dumpcap is a CLI tool, lets you capture packet data from a live network and write the packets to a file. The dumpcap tool allows a network analyst to integrate a packet capture logic anywhere he want. Like, smart device sending information from edge location to central hub or monitoring and alerting system, which may start capture of suspicious network traffic if EDR detects malicious activity and so on.
To start with dumpcap, you have to install Wireshark first. I have got a latest windows installer from here, it might be easy installed on Linux and Mac OS as well. After installation succeeded, go to root Wireshark root folder, for me this is “c:\Program Files\Wireshark”:
To learn mor about dumpcap just type -h. It returns a tons of configuration, like capture buffer options, interface, capture filtering, snapshots and more and more interesting stuff. I would like to show you only a few awersom features there.
1. First, -D list of interface available in a system:
2. Use -i <interface-number> to select interface
3. -w to write dump to specific location on hard drive:
4. So, what if a traffic going throw an interface is a very intensive. We do not want to dig throw a gigabytes of captured data just to find a one single packet by timestamp. To make thing easy, use perfect switch called -b, configure a ring buffer to split a entire dump to a smaller piaces:
dumpcap.exe -i 5 -w c:\Dump\dump.pcap -b filesize:1000 -b files:5
It will create a maximum 5 files in maximum size of 10 * 1kb = 1kb and the 6th file will override the first one.
As, you can see dumpcap was creating a new dump_0000<x>_<timestamp>.pcap each 1mb of data captured. And only 5 file were created in Dump folder. Perfect!
In this small article I showed you a simple way how to automate network traffic capture this Wireshark dumcap CLI tool.
If you like a post please click a link below and subscribe to my blog.
Be an ethical, save your privacy!