Long-term Capture with Dumpcap

Using dumpcap with a ring buffer allows continuous capture for days, weeks or months.

Before we can define the dumpcap command we need to know the interface number for the traffic we need to capture.   To list the interfaces available use:

dumpcap -D

NB:  You may need to check that the Wireshark directory is specified in the search path for the shell (Cmd on Windows).

To start the capture use: 

dumpcap -i <n> -b filesize:200000 -b files:8000 -B <Buffer space in MB> -w <path to capturefiles>\<fileprefix>

the options specified are:

  •  -i - the capture interface number - use dumpcap -D to find the number
  • -b filesize:200000 - create pcap files of 200 MBytes maximum each (appropriate for 64-bit Windows)
  • -b files:8000 - create a ring buffer of 8,000 pcap files i.e. total of 1.6 TB
  • -B - Buffer space in MB (Windows only) - our preferred value is 50 for 32-bit, 1024 for 64-bit. The default is 1 MB
  • -w - where to save the pcap files 

The -B option has a big impact on packet drops on high speed bursty links, although bear in mind that it won't avoid packet loss if a high data rate is sustained for long periods.  Whilst a setting of 1024 MB (1 GB) might be appropriate on a standalone capture unit, you would probably want to reduce this if you use dumpcap on a production server or PC depending on physical memory and virtual memory configuration.

It's a good idea to define the dumpcap command in a Windows .bat or Linux script file so that it can be repeatedly started with consistent parameters.

Last modified: Wednesday, 26 August 2015, 8:06 AM