Does running Wireshark on a Domain Controller degrade performance of the DC?

asked 2019-06-18 00:19:05 +0000

Van

We are trying to run the tool to capture the traffic on our new Windows 2016 Core edition Domain Controller.

  1. How can I install it on a Core edition of Windows?
  2. Does running the tool degrade or affect the DC in any way?

Thank you.

answered 2019-06-19 12:54:13 +0000

xinxolHH

updated 2019-06-19 13:03:37 +0000

In order to run a capture for a long time, at least two things may need to be considered: the storage capacity at your domain controller/device, and the capture filter to be applied, if possible (ex. port==53 for DNS captures). Running a non-filtered capture may increase the amount of storage needed.
I assume you intend to do the capture on the server itself, and not next to the server with an additional device.

1) You just need to download the Wireshark executable and perform the installation according to the instructions (

2) Do not use the GUI for capturing; use the tshark command line instead, with a ring buffer of files sized to the limits of your available storage. (Example: tshark -i yourinterfacenumber -b files:56 -b filesize:100000 -w Yourtracefile.pcapng) Look into the tshark manual pages for more details. You may add -a duration:timeinseconds to limit the running time of the capture. You can schedule tasks on Windows systems (or a cron job on Linux systems) in order to repeat the capture job, and start any other capture with the scheduled tasks at the desired time.

Running a long-term capture with the tshark command line in general has almost no effect on the performance of the system, but it may depend on the system's physical capacity/properties.

Thank you xinxolHH. Much appreciated.

Van ( 2019-06-25 02:12:04 +0000 )

Better yet, don't use Wireshark or tshark. Use dumpcap, which is the best tool to do that (and is called by Wireshark and tshark for captures anyway).

Jasper ( 2019-06-25 06:18:48 +0000 )
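Putting the answer and the comment together as a PowerShell script for a Server 2016 Core DC (an added example, not code from the thread or from the Wireshark project): it runs dumpcap instead of tshark with the same ring-buffer and duration switches the answer shows, applies a DNS capture filter (capture filters use BPF syntax, so "port 53" rather than the display-filter form port==53), checks that the target volume can actually hold the ring buffer before anything is scheduled, and registers a scheduled task that restarts the one-hour capture every hour. The install path, the interface index (find yours with "dumpcap -D"), the output directory and the task name are assumed values, not from the page.

```powershell
# Added example: scheduled, filtered, ring-buffered dumpcap capture on a DC.
# Hypothetical values below; adjust to your server. Run from an elevated
# PowerShell session on the DC after Wireshark (with Npcap) is installed.

$Dumpcap    = 'C:\Program Files\Wireshark\dumpcap.exe'   # assumed default install path
$Interface  = 1                    # assumed; list interfaces with: dumpcap -D
$Filter     = 'port 53'            # BPF capture filter: DNS only, keeps the files small
$OutDir     = 'D:\captures'        # assumed; keep captures off the system volume
$FileCount  = 56                   # ring buffer: keep at most this many files
$FileSizeKB = 100000               # dumpcap -b filesize: is in kB, so ~100 MB per file
$Duration   = 3600                 # stop after one hour; the task restarts it
$TaskName   = 'DC-DNS-Capture'     # assumed task name

# The ring buffer bounds disk use to files * filesize; add 10% headroom for the
# file currently being written. Refuse to schedule if the volume cannot hold it.
$NeededBytes = [int64]$FileCount * $FileSizeKB * 1KB * 1.1
$Drive = Get-PSDrive -Name $OutDir.Substring(0, 1)
if ($Drive.Free -lt $NeededBytes) {
    throw ('Ring buffer needs {0:N0} MB but drive {1}: has only {2:N0} MB free' -f
        ($NeededBytes / 1MB), $Drive.Name, ($Drive.Free / 1MB))
}
if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

# dumpcap arguments: the same -b / -a / -w switches the answer uses for tshark.
# The filter is quoted because it contains a space.
$DumpcapArgs = @(
    '-i', $Interface,
    '-f', "`"$Filter`"",
    '-b', "files:$FileCount",
    '-b', "filesize:$FileSizeKB",
    '-a', "duration:$Duration",
    '-w', (Join-Path $OutDir 'dc-dns.pcapng')
) -join ' '

# Scheduled task: runs as SYSTEM (needed for Npcap access on a Core server),
# starts now and repeats every hour, matching the capture's own duration so
# one capture ends just as the next begins. -Force replaces an existing task.
$Action    = New-ScheduledTaskAction -Execute $Dumpcap -Argument $DumpcapArgs
$Trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date) `
                 -RepetitionInterval (New-TimeSpan -Hours 1)
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
                       -Principal $Principal -Force
```

To stop collecting, Unregister-ScheduledTask -TaskName DC-DNS-Capture -Confirm:$false removes the task; the files already in the ring buffer stay on disk. Note that the ring buffer overwrites the oldest file once the count is reached, so anything you want to keep should be copied off the DC before it rotates out.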

