Introduction to Wireshark Dumpcap
Dumpcap is one of the tools installed as part of the Wireshark suite and is used to capture traffic at the frame level. All data entering or leaving a network interface can be captured into a file or files for later analysis. The captured files can then be opened for inspection by an application such as Wireshark or Network Monitor for review of their Application, TCP, IP and Ethernet headers.
dumpcap is a program that runs in user mode and makes extensive use of existing packet capture libraries. When running in a Linux environment, dumpcap uses a driver and shared libraries called libpcap. The above diagram shows dumpcap in a Windows environment where software called WinPcap is used. WinPcap comprises a driver npf.sys and two DLLs; packet.dll and wcap.dll.
dumpcap takes packets from WinPcap, adds some header information and then writes the resulting record out to disk. The limiting factor here is the speed of the disk. If rate at which packets arrive is greater than the rate they can be written to the disk dumpcap 'drops' packets. dumpcap maintains a drop count and outputs this information when it is terminated. To help accommodate spikes in the rate of the packets arriving, dumpcap has a buffer. Under Windows, the size of the dumpcap buffer can be configured - more on this later. Under Linux there are just two 16 KB buffers that are used alternately.
dumpcap saves files in one of two formats:
- pcap - the original format and compatible with any libpcap tool such as tcpdump
- pcapng - referred to as Next Generation and is now the default format
dumpcap provides an amazing array of file saving options. The most useful for our purposes is the ability to write a sequence of files each of a certain size (and 100MB is typical). What's more we can configure the sequence of files as a ring buffer (note this has nothing to do with the memory buffer described above).
We might configure a ring buffer of 1,000 files of 100MB each to give us a total ring buffer of 100GB. Once dumpcap has written 1,000 files it will begin to overwrite the files starting from the first. This enables us to capture for prolonged periods of time. We just need to be sure that we can stop the capture before the data we need is overwritten.
dumpcap is the capture mechanism that underpins Wireshark capture mode. We will discuss Wireshark later.
How to Use It
Generally, dumpcap is used in one of three configurations, and the following simple diagram shows all three.
We can run dumpcap on the client or server whose traffic we wish to capture. The CPU and memory footprint is very small unless running in 64-bit mode with a very large buffer - more on this later. The main consideration is the trace file; both the volume of the trace data and the rate of file IO is needs to be considered. On a client PC this probably won't be an issue, but it could be on a busy server where a dedicated disk or USB-attached hard drive might be needed. There is no impact on server performance if we underestimate these requirements, but it does increase the probability of dumpcap dropping packets and so producing gaps in our trace files.
Whilst installing dumpcap on PCs and servers doesn't present any particular technical problems, it is often not possible due to governance (such as no ability to run as administrator) and image build controls (such as a tightly locked down desktop). In these cases, using the software on a standalone PC or server is a good alternative (and in fact the way Advance7 collects most of the data it uses). The analyzer is connected to a switch in the path of the traffic and then traffic is mirrored to the analyzer port. This is covered in greater detail in the course topic Capturing network traffic.
The considerations when considering running dumpcap on a client PC or a server are:
- Can be quick to set up
- Often there is either no local storage or limited local storage available for the capture data
- May require dedicated storage so as not to interfere with application or system disk access
- Captures at one point only, may be necessary to set this up on multiple servers
- Server or app support teams may be reluctant as they perceive it to affect performance
- Requires on-going support from the server team
- Transferring the data to a central location for analysis may be difficult due to data center firewalls
When to Use It
dumpcap is the preferred method of capturing for long periods, and is also useful when we need to reliably start and restart captures. It can be used within a batch file which makes it great for scheduling with any sort of cron job or task scheduler.
Creating a batch file for the dumpcap command with all the relevant switches defined allows the capture to be restarted easily and with consistent parameters. The ability to start and restart dumpcap with a consistent set of parameters eliminates dumpcap configuration errors that may not be identified until after a capture has been performed. The batch command can be easily run by anyone and this reduces the overhead of capturing using Wireshark. This means that it can be started by a user or colleague who is perhaps not familiar with network trace tools.
Dumpcap also allows a ring buffer to be defined to ensure that files do not get too big and to ensure that the captures do not consume too much disk space.