I need to diagnose traffic across Cisco’s Anyconnect Management Tunnel (mgmttun) VPN profile on Windows devices. Anyconnect mgmttun profile starts automatically as Windows boots up and the network interface opens, prior to a user logging on. This means Windows as a valid network interface open at user login. It also supports the use case of managing a remote user device when no user is logged on.
I followed some good advice from other network pros on www. I use Windows Task Scheduler to start dumpcap at Windows Startup, once a network interface is available. I specify the interface of the Cisco AC virtual NIC. That process seems to work ok and some logs are created.
The issue I need some help on is that I’d like to continue the capture as the user is logging in. When Cisco AC detects that the user VPN profile is starting AC terminates the mgmttun VPN so the user VPN can start. That means there’s a gap of 10 to 20 seconds between the mgmttun ending and the user VPN starting.
dumpcap terminates the capture as the mgmttun VPN ends, and I don’t have enough knowledge of Wireshark or dumpcap to know how to instantiate a capture to start capturing on the new user VPN interface.
Any help Or suggestions is greatly appreciated
