
dumpcap.exe opens already pointing towards a nonexistent file

asked 2024-12-31 14:23:06 +0000

I am attempting to find an apparent IP address conflict that occurs at stochastic intervals. Since I can't predict when this apparent conflict will occur, I was attempting to use the dumpcap.exe to save the captures in manageable file sizes. Went on YouTube, watched some videos, all good. Did a dry run in my office and everything appeared to be working as expected. Loaded Wireshark onto another laptop, took it to the managed switch and plugged it into a mirrored port of the device that was giving the IP Conflict fault. Ran Wireshark to make sure that it was gathering the proper data.

It was all good right up till here.

When I attempted to run dumpcap.exe, I got a screen saying something similar to

 Capturing on 'Local Area Connection* 10'
 File: C:\Users**\AppData\Local\Temp\wireshark_Local Area Connection- 10R7P3Z2.pcapng

There is a flashing cursor on the line after but no keyboard input is accepted.

I tried the same with another laptop: Same results. When I went back to my office, I got the same results, i.e., a screen showing a similar message to the one above.

So, has anyone else had a similar problem? Am I being obtuse and just doing/not-doing something?

Any help or insights would be appreciated.


Comments

Please share the full command lines and also the output of wireshark -v or copy of Help->About Wireshark:Wireshark tab.

Chuckc ( 2024-12-31 17:08:02 +0000 )

1 Answer


answered 2025-01-01 17:34:28 +0000

André

When executing dumpcap without any command line options, this is the expected behaviour.
To quote the online manual:

"Without any options set it will use the libpcap, Npcap, or WinPcap library to capture traffic from the first available network interface and writes the received raw packet data, along with the packets' time stamps into a capture file."

Note: this is the same behaviour as for the command tcpdump.

"There is a flashing cursor on the line after but no keyboard input is accepted."

That is because dumpcap is not an interactive command. To stop the started capture, just send the break signal using Control-C.

For long term capturing using a ring buffer use the command line option -b or --ring-buffer. For example:

 dumpcap -b filesize:102400 -b files:10 -w demo.pcapng -i <interface>
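For the ring-buffer capture in the answer above, an added example (not part of the original answer and not Wireshark's own code): dumpcap builds each ring-buffer file name from the -w name, a file number and the creation date and time, so after an intermittent event the file that was being written at that moment can be picked from a directory listing. The listing and the incident times below are constructed sample data, and the function names are hypothetical.

```python
import re
from datetime import datetime

# dumpcap ring-buffer naming: <-w base>_<5-digit file number>_<YYYYMMDDHHMMSS>.<ext>
# The timestamp is the file's creation time in the capture host's local time.
RING_NAME = re.compile(r"^(?P<base>.+)_(?P<idx>\d{5})_(?P<ts>\d{14})\.(?P<ext>pcapng|pcap)$")

# Constructed listing: files 00001 and 00002 were already overwritten by the ring.
SAMPLE_LISTING = [
    "demo_00005_20250101124500.pcapng",
    "demo_00003_20250101101500.pcapng",
    "notes.txt",                         # unrelated file, must be ignored
    "other_00001_20250101110000.pcapng", # different capture, must be ignored
    "demo_00004_20250101113000.pcapng",
]

def parse_ring_files(names, base="demo"):
    """Return [(creation_time, name)] for one ring-buffer set, oldest first."""
    found = []
    for name in names:
        m = RING_NAME.match(name)
        if m and m.group("base") == base:
            created = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")
            found.append((created, name))
    return sorted(found)

def file_covering(names, when, base="demo"):
    """Name of the file being written at `when`.

    Returns None when `when` is earlier than the oldest surviving file,
    meaning that part of the capture has been rotated out (or predates it).
    """
    chosen = None
    for created, name in parse_ring_files(names, base):
        if created > when:
            break
        chosen = name
    return chosen

if __name__ == "__main__":
    incident = datetime(2025, 1, 1, 12, 0, 0)  # constructed time of the conflict
    print(file_covering(SAMPLE_LISTING, incident))
```

A None result is the signal that the ring (files × filesize) was too small to still hold the event by the time it was noticed.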

Stats

Asked: 2024-12-31 14:23:06 +0000

Seen: 44 times

Last updated: Jan 01