This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capturing packets from pc startup

0

Is there any way I can capture all packets from my Ethernet network adapter from the point where my desktop is first displayed? The reason being my PC hangs upon Windows startup, for a good minute or more... I have noticed using procmon.exe that although it seems nothing is happening, procmon.exe reports svchost.exe is looking at almost every file on my computer. Then after a while, this 'hang' status disappears and my startup items, as listed in msconfig, then start up. Therefore, putting Wireshark into my startup programs will not serve the purpose, because I want to see what traffic is taking place during this apparent 'hang' at startup. I have run a full virus scan with Kaspersky Pure and no threats appear. Any suggestions most welcome, and thank you in advance.

asked 19 Sep '10, 15:49


Stezzer4298
1112
accept rate: 0%

edited 26 Sep '10, 01:53


SYN-bit ♦♦
17.1k957245


2 Answers:

3

Wireshark, just like any other packet capturing software, can only be started after the PC has been started up. You need to use a second PC to capture the packets of the PC whose network traffic of the boot-process you want to capture. You can either use a (real) hub to duplicate the packets, a switch with mirror capabilities, a network tap or create a machine-in-the-middle machine.

These options are explained on the wireshark wiki:

answered 20 Sep '10, 00:23


SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thank you SynBit for your explanation with reference link, I really appreciate your help and will give this a try.

(24 Sep '10, 09:56) Stezzer4298

0

For someone with rights to install a service, I'd suggest using the AutoExNT utility as supplied in the resource kits, and running dumpcap from the associated BAT file. This link provides instructions for an out-of-date OS, but they work on XP and Windows 7.

http://support.microsoft.com/kb/243486

answered 20 Jul '12, 13:27


kcullimo
1
accept rate: 0%
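As an added example of the approach in this answer (not code from the answer, the KB article, or the Wireshark project), here is a batch file of the kind AutoExNT would run at boot. It assumes Wireshark is installed in its default folder, that the NIC to watch is dumpcap interface index 1, and that D:\bootcap is a local folder writable by the service account; all three are assumptions and must be adjusted for the machine in question. The run is bounded in time and disk use so a forgotten boot-time capture cannot fill the drive or keep recording indefinitely.

```batch
@echo off
REM Boot-time capture with dumpcap, started by a service such as AutoExNT.
REM Assumptions (not from the page): default Wireshark install path,
REM interface index 1, and D:\bootcap as a writable local capture folder.
setlocal

set DUMPCAP="C:\Program Files\Wireshark\dumpcap.exe"
set OUTDIR=D:\bootcap
set IFACE=1

if not exist %OUTDIR% mkdir %OUTDIR%

REM Record the interface list dumpcap sees at boot, so a wrong index can be
REM corrected after the first run instead of guessed at.
%DUMPCAP% -D > %OUTDIR%\interfaces.txt 2>&1

REM -a duration:600  stop after 10 minutes, well past the reported hang
REM -b duration:60   start a new file every 60 s (dumpcap appends number and timestamp)
REM -b files:10      keep at most 10 files, so the ring cannot fill the disk
REM -p               no promiscuous mode: only this host's own traffic is of interest
REM -q               do not print packet counts to the (invisible) console
start "" /B %DUMPCAP% -i %IFACE% -p -q -w %OUTDIR%\boot.pcapng -a duration:600 -b duration:60 -b files:10

endlocal
```

After the PC has finished booting, open the files in D:\bootcap in Wireshark in timestamp order; the earliest ones cover the window before the msconfig startup items run, which is the period the question is about. Because the capture runs as a service before any user logs on, the output folder should not be world-writable and the files should be removed once reviewed, as they record everything the host sent and received during boot.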