Revision history

revision 1 (initial version)

In order to run a capture for a long time, at least two things need to be considered: the storage capacity at your domain controller and the capture filter to be applied (e.g. port==53 for DNS captures).
I assume you are willing to do the capture on the server itself, and not next to the server with an additional device.

1) You just need to download the executable of Wireshark and perform the installation according to the instructions.

2) Do not use the GUI for capturing; use the tshark command line instead, with a file buffer, and keep the limitation of your amount of storage in mind. (Example: tshark -i yourinterfacenumber -b files:56 -b filesize:100000 -w Yourtracefile.pcapng) Look into the tshark manual pages for more details. You may add -a duration:timeinseconds to limit the running time of the capture. You can schedule tasks on Windows systems (or a cron job on Linux systems) in order to repeat the capture job, and start any other capture with the scheduled tasks at the desired time.

Running a long-term capture with the tshark command line in general causes almost no performance degradation on the system, but it may depend on the system's physical capacity/properties.

latest revision

In order to run a capture for a long time, at least two things need to be considered: the storage capacity at your domain controller/device and the capture filter to be applied, if possible (e.g. port==53 for DNS captures). Running a non-filtered capture may increase the amount of storage needed.
I assume you are willing to do the capture on the server itself, and not next to the server with an additional device.

1) You just need to download the executable of Wireshark and perform the installation according to the instructions (https://www.wireshark.org/download.html).

2) Do not use the GUI for capturing; use the tshark command line instead, with a file buffer, and keep the limitation of your amount of storage in mind. (Example: tshark -i yourinterfacenumber -b files:56 -b filesize:100000 -w Yourtracefile.pcapng) Look into the tshark manual pages for more details. You may add -a duration:timeinseconds to limit the running time of the capture. You can schedule tasks on Windows systems (or a cron job on Linux systems) in order to repeat the capture job, and start any other capture with the scheduled tasks at the desired time.

Running a long-term capture with the tshark command line in general causes almost no performance degradation on the system, but it may depend on the system's physical capacity/properties.
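The procedure in the answer above (ring buffer, duration limit, capture filter, storage budget), as an added example that is not part of the original answer: a small POSIX shell wrapper that computes the worst-case disk the ring buffer can occupy from the -b files and -b filesize values, refuses to start if the output directory does not have that much free space, and hands tshark a capture filter so only DNS traffic is written. The interface name (eth0), file count, file size, duration, output directory and the script name dns-capture.sh are assumptions. Note that tshark's -f option takes a capture filter in BPF syntax, so the script uses port 53 (DNS over UDP and TCP) rather than display-filter syntax.

```shell
#!/bin/sh
# Added example, not code from the original answer: wrap the tshark ring-buffer
# command in a script that bounds the disk the capture can use, refuses to start
# when the free space does not cover that bound, and applies a capture filter so
# only DNS traffic is written.  Interface, file count, file size, duration and
# output directory are assumptions; override them through the environment.
#
# tshark's -f takes a BPF capture filter ("port 53"); display-filter syntax
# such as udp.port == 53 is not valid here.

IFACE="${IFACE:-eth0}"                 # assumed; "tshark -D" lists interfaces
FILES="${FILES:-56}"                   # -b files:N    keep at most N files
FILESIZE_KB="${FILESIZE_KB:-100000}"   # -b filesize:  in kB, so ~100 MB per file
DURATION="${DURATION:-86400}"          # -a duration:  stop after 24 h
OUTDIR="${OUTDIR:-/var/tmp/captures}"  # assumed output directory
BPF="${BPF:-port 53}"                  # capture filter: DNS over UDP and TCP

# Upper bound in bytes for the ring buffer: N files of filesize kB, plus one
# extra file of headroom for the file currently being written.
ring_buffer_bytes() {
    files=$1; filesize_kb=$2
    echo $(( (files + 1) * filesize_kb * 1000 ))
}

# Assemble the tshark command line as a string so it can be logged and
# reviewed before it is executed.
build_tshark_cmd() {
    iface=$1; files=$2; filesize_kb=$3; duration=$4; outfile=$5; bpf=$6
    printf 'tshark -i %s -f "%s" -b files:%s -b filesize:%s -a duration:%s -w %s' \
        "$iface" "$bpf" "$files" "$filesize_kb" "$duration" "$outfile"
}

# Succeed only if the available bytes cover the bytes needed.
space_ok() {
    available=$1; needed=$2
    [ "$available" -ge "$needed" ]
}

# Bytes available on the filesystem holding $1 (df -Pk prints 1024-byte
# blocks; the fourth column is "Available").  %.0f avoids awk's exponent
# notation for large values.
free_bytes() {
    df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

start_capture() {
    mkdir -p "$OUTDIR"
    needed=$(ring_buffer_bytes "$FILES" "$FILESIZE_KB")
    available=$(free_bytes "$OUTDIR")
    if ! space_ok "$available" "$needed"; then
        echo "refusing to start: ring buffer may need $needed bytes, only $available available in $OUTDIR" >&2
        return 1
    fi
    cmd=$(build_tshark_cmd "$IFACE" "$FILES" "$FILESIZE_KB" "$DURATION" "$OUTDIR/dns.pcapng" "$BPF")
    echo "starting: $cmd"
    eval "$cmd"
}

# Run the capture only when invoked as "sh dns-capture.sh run"; otherwise the
# functions are merely defined, which keeps the script safe to source.
if [ "${1:-}" = "run" ]; then
    start_capture
fi
```

With the defaults the bound is (56 + 1) * 100000 kB, about 5.7 GB, which is what a 100 MB by 56-file ring buffer can occupy on the capture host at any time. To repeat the job daily as the answer suggests, a cron entry such as 0 0 * * * /usr/local/bin/dns-capture.sh run (path assumed) works on Linux; on Windows the same tshark options apply and Task Scheduler takes the place of cron.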