Can I make wireshark immediately start capturing on a newly connected interface?

asked 2022-09-10 08:04:52 +0000

anon1398591551858
1 ●1

updated 2022-09-13 05:36:11 +0000

Guy Harris
19890 ●3 ●654 ●207

My system is uploading something to someone 2 minutes straight upon startup.

I want to track the start of it.

I'm already running a bat on startup, that starts tracking all interfaces immediatly.

"C:\Program Files\Wireshark\wireshark" -i 1 -i 2 -i 3 -i 4 -i 5 -k

Problem is that wireshark takes some time to start.

My next thought was to disconnect the cable or deactivate the adapter in the settings for the interface, then start tracking upon connecting it.

Is there a way to start wireshark quickly to capture everything send and received from startup?

Or is there a way to connect the interface after wireshark is running and then start tracking as soon as possible?

Also wireshark seems to terminate immediatly if the interface number doesn't exist, and newly connected interfaces don't appear on the back of

wireshark -D

but instead in the possition they would be in later. So I can't just spam wireshark -i 5 -k to track the interface relatively quickly.

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2022-09-13 05:46:03 +0000

Guy Harris
19890 ●3 ●654 ●207

No. Wireshark doesn't support that.

On Windows, it would require, at minimum, that Wireshark be notified of the appearance of new interfaces, and it currently has no code to do that atop whatever mechanism Windows or Npcap provide to do that.

Npcap currently doesn't provide such a mechanism, although it might be possible for it to do so if it gets notified that it has been bound to a new interface.

That alone, however, might not be sufficient, as Wireshark would then have to open the interface after it's notified that it has appeared, but that won't capture any traffic that arrived before the open completed.

So starting a capture on an interface the instant it appears is not supported, and it might be difficult for Npcap to support it.

@grahamb's suggestion to try capturing externally, if possible, is probably the best suggestion.

Also wireshark seems to terminate immediatly if the interface number doesn't exist

If you try to capture on an interface that doesn't exist, there's nothing for Wireshark to open, so it can't do anything other than say "that interface doesn't exist" and quit.

and newly connected interfaces don't appear on the back of
wireshark -D
but instead in the possition they would be in later.

libpcap/Npcap sort interfaces in order to try to put the interfaces most likely to be captured on first. (The implementation of that on Windows is not ideal, and needs work, but that still means that new interfaces will not be guaranteed to appear at the end of the list.)

edit flag offensive delete link

Comments

If you try to capture on an interface that doesn't exist, there's nothing for Wireshark to open, so it can't do anything other than say "that interface doesn't exist" and quit.

Sorry, yeah that makes sense, but also if you specify 5 interfaces, and 1 doesn't exist, the whole thing terminates.

anon1398591551858 ( 2022-09-13 08:49:10 +0000 )edit

add a comment

answered 2022-09-12 08:21:48 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23820 ●4 ●966 ●227 https://www.wireshark.org

Consider capturing externally, i.e. use a switch that has a mirror or span mode and the capture can be started on the mirror port before the target machine is started.

edit flag offensive delete link

add a comment