Wireshark-users: Re: [Wireshark-users] remote capture framework
From: Phil Paradis <Phil.Paradis@xxxxxxxxxxxxxx>
Date: Thu, 13 May 2010 16:54:34 -0700
We have a very similar setup; we use SrvAny.exe from the Windows Resource Kit to run dumpcap as a service. The parameters are configured to capture to a ring buffer of a fixed maximum size, and we run the capture continuously; when something of interest happens, we just go and grab the files after hours.

Two caveats:

1. If the capture runs for a long period of time on Windows the timestamps will drift. If you stop the capture and restart the NPF service periodically, the drift doesn't get too far out of hand. We restart the capture every day in the early morning. If you need better accuracy and can live with a loss of precision, there is a registry setting that changes how timestamps are calculated; this fixes the drift, but reduces the precision to 10ms resolution in place of the default sub-millisecond resolution. (I'd have to look up the details; it's been a while since I last looked into this.)

2. When the capture is stopped and restarted (either by restarting the dumpcap process or rebooting the box) the existing ring buffer is orphaned on the disk and a new buffer started. We just run a script every day, right after the capture restart, to clean up old files (based on the modified date of the file) so the disk doesn't fill up.

If you're running on Linux, you can just create an init script to start dumpcap at boot. I'm not sure about the timestamp issue; all of our capture boxes are Windows-based, so I've never really played with a long-running capture on Linux. (IIRC, the issue on Windows is related to the win32 time APIs, so I suspect Linux doesn't have the same issue.) You'd probably need a cron job to clean up the orphaned buffer files from system reboots though.

--
Phillip R. Paradis | Network Engineer | United Tote | 2724 River Green Circle | Louisville | KY | Phone: +1 (502) 509-7445
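The continuous ring-buffer capture and the daily cleanup of orphaned buffer files described above, as an added example that is not part of the original thread. dumpcap's `-i`, `-w` and `-b filesize:/files:` options are real; the capture directory, file prefix and retention period are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original thread): a cron-able cleanup for the
# orphaned dumpcap ring-buffer files left behind by a capture restart.
# dumpcap names ring files <prefix>_<NNNNN>_<YYYYmmddHHMMSS>.pcapng; only
# files of that shape are touched, so unrelated captures in the same
# directory are left alone. CAPTURE_DIR, PREFIX and KEEP_DAYS are assumed.
CAPTURE_DIR="${CAPTURE_DIR:-/var/captures}"
PREFIX="${PREFIX:-ring}"
KEEP_DAYS="${KEEP_DAYS:-7}"

# Command line for the continuous capture: a ring of 100 files of 100 MB
# each, oldest overwritten first while dumpcap runs (dumpcap's own -b options).
# $1 is the interface; the service wrapper (SrvAny, init script) runs this.
dumpcap_ring_cmd() {
    printf 'dumpcap -i %s -w %s/%s.pcapng -b filesize:102400 -b files:100\n' \
        "$1" "$CAPTURE_DIR" "$PREFIX"
}

# Delete ring files in $1 whose modification time is more than $2 days old.
# Files the running capture is still writing are young and therefore kept;
# only buffers orphaned by an earlier restart age past the threshold.
# Each removed path is printed so the cron mail doubles as a deletion log.
cleanup_old_ring_files() {
    dir="$1"
    days="$2"
    find "$dir" -maxdepth 1 -type f \
        -name "${PREFIX}_[0-9]*_[0-9]*.pcap*" \
        -mtime "+$days" -print -exec rm -f -- {} +
}

# Run the cleanup when invoked as a script (e.g. from cron right after the
# daily capture restart); sourcing the file only defines the functions.
case "${1:-}" in
    --run) cleanup_old_ring_files "$CAPTURE_DIR" "$KEEP_DAYS" ;;
esac
```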


> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-
> bounces@xxxxxxxxxxxxx] On Behalf Of Morty
> Sent: Thursday, May 13, 2010 5:58 PM
> To: wireshark-users@xxxxxxxxxxxxx
> Subject: [Wireshark-users] remote capture framework
> 
> I have a whole bunch of hosts at various WAN sites that are used for
> remote captures.  Right now, people log in to them remotely and kick
> off tcpdump or wireshark on the host itself.  I'd like to get away
> from that.  I'm willing to develop something myself, but prefer to not
> reinvent the wheel.  rpcap looks like a step in the right direction.
> But it seems to be a streaming solution, which is bad over a WAN; it
> doesn't seem to have a mechanism to centrally list many supported
> devices; and it doesn't seem very cross-platform.  Is rpcap more
> capable than I am seeing?  Is there a different (free) option?
> 
> Thanks.
> 
> - Morty