I have Wireshark installed on a Windows Server 2012 R2 box. I'd like for it to capture traffic all the time. Is there a way to have Wireshark automatically start capturing when the server boots...even if nobody logs in? Also, is there a way to define the size of the capture files, and automatically purge older files?
You can use the Windows netsh trace command to start a capture at boot time and then subsequently stop the capture and convert it from an ETL to a pcap file for viewing with Wireshark.
Getting the correct options for "netsh trace" isn't easy, check the documentation here.
Capturing boot time traffic is often easier if done off the target machine, e.g. with a port mirror or span on the switch or an in-line tap.
There is no way to do this on the server while booting as the Wireshark application can only run once the server is fully functional. The closest you will get to this, is to do a port mirror (port span) on the network interface to a seperate PC on which Wireshark runs all the time. You will then be able to capture the ARPs, broadcasts, DHCP, LLDP or CDP etc packets. This capture will unfortunately NOT show anything about the Windows boot process.
Asked: 2018-03-02 14:46:00 +0000
Seen: 881 times
Last updated: Dec 03
