0

Is there a way for Wireshark to start upon computer startup?

Just want to have Wireshark start as soon as I turn my computer on? I am wanting to start capturing packets from the Ethernet port as soon as the computer is started up.

1
sharkwiremane
asked 2022-05-11 15:57:31 +0000

Comments

What Operating System?

Jaap (2022-05-11 17:53:33 +0000)

Windows Operating System

sharkwiremane (2022-05-11 20:30:01 +0000)

What packets are you interested in? As I indicated in my comment on Bob Jones's answer, Windows may send and receive packets before it's even ready to run Wireshark, so even if it could start up Wireshark at some point during startup, you wouldn't get all the packets.

Guy Harris (2022-05-15 19:38:48 +0000)

Well, the Ethernet port mirrors a port on the switch and I need it to capture; the problem is I need the computer to reboot from time to time for Windows updates, because it is a dedicated system.

sharkwiremane (2022-05-16 14:40:04 +0000)

3 Answers

0

When I need to do a long-term capture on a Windows client (e.g. to capture an irregular issue), I'm using dumpcap and the Windows scheduled tasks to perform it.

Trigger: At computer startup
Command: "C:\Program Files\Wireshark\dumpcap.exe"
Arguments: -i "[NAME OF LAN ADAPTER]" -f "[CAPTURE FILTER IF NEEDED]" -w "C:\Temp\%COMPUTERNAME%.pcap" -b filesize:100000 -b files:500

This will run a loop capture with max. 500 files of 100 MB each in size.

81
JasMan
answered 2022-05-21 12:36:18 +0000
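
The scheduled-task setup from this answer written as a PowerShell script, as an added example that is not part of the original answer. The task name is hypothetical, the adapter name is the answer's placeholder, and the optional capture filter is left out.

```powershell
# Added example: register a boot-time dumpcap ring-buffer capture as a scheduled task.
# Run from an elevated PowerShell prompt.
$Dumpcap  = 'C:\Program Files\Wireshark\dumpcap.exe'  # path from the answer
$Adapter  = '[NAME OF LAN ADAPTER]'                   # placeholder; list names with: & $Dumpcap -D
$OutDir   = 'C:\Temp'                                 # capture directory from the answer
$TaskName = 'BootCapture-dumpcap'                     # hypothetical task name

if (-not (Test-Path -LiteralPath $Dumpcap)) { throw "dumpcap not found at $Dumpcap" }

# The capture files hold all mirrored traffic, so keep this directory
# readable by administrators only.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Same ring buffer as the answer: at most 500 files, filesize given in kB.
$OutFile   = Join-Path $OutDir "$env:COMPUTERNAME.pcap"
$Arguments = "-i `"$Adapter`" -w `"$OutFile`" -b filesize:100000 -b files:500"

$Action  = New-ScheduledTaskAction -Execute "`"$Dumpcap`"" -Argument $Arguments
$Trigger = New-ScheduledTaskTrigger -AtStartup

# SYSTEM needs no interactive logon, so the capture starts before anyone signs in.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# The default execution limit stops a task after 3 days; zero removes the limit.
# Restart settings bring dumpcap back if it exits (e.g. adapter not ready yet).
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit ([TimeSpan]::Zero) `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Confirm what was registered.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
```

After the next reboot, `Get-ScheduledTaskInfo -TaskName BootCapture-dumpcap` shows the last run time and result code, which confirms the capture started without a logon.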
0

Edit: per the comment, since this PC is the destination of a mirror port, capturing on boot is a reasonable requirement. However, using Wireshark is probably the wrong tool for this - check out dumpcap (see https://packetlife.net/blog/2011/mar/...) for the discussion.

The issue of startup was discussed here some time ago: https://osqa-ask.wireshark.org/questi...

1.5k
Bob Jones
answered 2022-05-12 18:33:02 +0000, updated 2022-05-16 20:37:35 +0000

Comments

There may be packets sent and received by code in Windows that runs before Windows is even ready to start programs such as Wireshark, so Bob Jones's advice to do your capture with another machine is probably the best solution.

Guy Harris (2022-05-15 19:37:43 +0000)

Amen to that. If you are looking for odd things in your system at boot time, it is time to get your Ethernet ninja star.

hugo.vanderkooij (2022-05-16 07:42:03 +0000)

Yeah, I understand, just the organization I am doing this for is just hellbent on using Wireshark and not wanting to alternate, but thanks for the advice.

sharkwiremane (2022-05-17 19:53:13 +0000)
0

As already mentioned, the best way to capture network activity during a (re)boot is from outside the computer, using a tap (or monitor port). And when using dumpcap you will miss some initial packets.

But Windows has a built-in capturing mechanism: netsh trace. When used with the 'persistent' option it will "survive" a reboot. Then the first captured frame after a reboot is Windows' initial DHCP request (or ARP if you don't use DHCP).

The netsh trace command is:

netsh trace start persistent=yes capture=yes maxSize=0 fileMode=single report=disabled tracefile=c:\temp\nettrace-boot.etl

Stop with:

netsh trace stop

The ETL file can be converted into a PCAPNG using etl2pcapng on GitHub.

176
André
answered 2022-05-20 19:03:42 +0000