Ask Your Question
0

Is there a way for wireshark to start upon computer startup?

asked 2022-05-11 15:57:31 +0000

sharkwiremane gravatar image

Just want to have wireshark start as soon as I turn my computer on? I am wanting to start capturing packets from the ethernet port as soon as the computer is started up.

edit retag flag offensive close merge delete

Comments

What Operating System?

Jaap gravatar imageJaap ( 2022-05-11 17:53:33 +0000 )edit

Windows Operating System

sharkwiremane gravatar imagesharkwiremane ( 2022-05-11 20:30:01 +0000 )edit

What packets are you interested in? As I indicated in my comment on Bob Jones's answer, Windows may send and receive packets before it's even ready to run Wireshark, so even if it could start up Wireshark at some point during startup, you wouldn't get all the packets.

Guy Harris gravatar imageGuy Harris ( 2022-05-15 19:38:48 +0000 )edit

Well the ethernet port mirrors a port on the switch and need it to capture, problem is I need computer to reboot from time to time for Windows updates, because it is a dedicated system.

sharkwiremane gravatar imagesharkwiremane ( 2022-05-16 14:40:04 +0000 )edit

3 Answers

Sort by » oldest newest most voted
0

answered 2022-05-21 12:36:18 +0000

JasMan gravatar image

When I need to do a long-term capture on a Windows client (e.g. to capture a unregulary issue), I'm using dumpcap and the Windows schedule tasks to perform it.

Trigger: At computer startup Command: "C:\Program Files\Wireshark\dumpcap.exe" Arguments: -i "[NAME OF LAN ADAPTER]" -f "[CAPTURE FILTER IF NEEDED]" -w "C:\Temp\%COMPUTERNAME%.pcap" -b filesize:100000 -b files:500

This will run a loop capture with max. 500 files of 100 MB each in size.

edit flag offensive delete link more
0

answered 2022-05-20 19:03:42 +0000

André gravatar image

As already mentioned, the best way to capture network activity during a (re)boot is from outside the computer, using a tap (or monitor port). And when using dumpcap you will miss some initial packets.

But windows has a build in capturing mechanism: netsh trace. When used with the 'persistent' option it will "survive" a reboot. Then the first captured frame after a reboot is the Window's initial DHCP request (or ARP if you don't use DHCP).

The netsh trace command is:

netsh trace start persistent=yes capture=yes maxSize=0 fileMode=single report=disabled tracefile=c:\temp\nettrace-boot.etl

Stop with:

netsh trace stop

The ETL file can be converted into a PCAPNG using etl2pcapng on GitHub.

edit flag offensive delete link more
0

answered 2022-05-12 18:33:02 +0000

Bob Jones gravatar image

updated 2022-05-16 20:37:35 +0000

Edit: per the comment, since this PC is the destination of a mirror port, capturing on boot is a reasonable requirement. However, using Wireshark is probably the wrong tool for this - check out dumpcap (see https://packetlife.net/blog/2011/mar/...) for the discussion.

The issue of startup was discussed here some time ago: https://osqa-ask.wireshark.org/questi...

edit flag offensive delete link more

Comments

There may be packets sent and received by code in Windows that runs before Windows is even ready to start programs such as Wireshark, so Bob Jones's advice to do your capture with another machine is probably the best solution.

Guy Harris gravatar imageGuy Harris ( 2022-05-15 19:37:43 +0000 )edit

Amen to that.If you are looking for odd things in your system at boot time it is time to get your ethernet ninja star

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2022-05-16 07:42:03 +0000 )edit

Yeah i understand, just the organization I am doing this for is just hellbent on using wireshark and not wanting to alternate, but thanks for the advice.

sharkwiremane gravatar imagesharkwiremane ( 2022-05-17 19:53:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-05-11 15:57:31 +0000

Seen: 5,531 times

Last updated: May 21 '22