
Can I make Wireshark immediately start capturing on a newly connected interface?


My system is uploading something to someone 2 minutes straight upon startup.

I want to track the start of it.

I'm already running a bat on startup, that starts tracking all interfaces immediately.

"C:\Program Files\Wireshark\wireshark" -i 1 -i 2 -i 3 -i 4 -i 5 -k

Problem is that Wireshark takes some time to start.

My next thought was to disconnect the cable or deactivate the adapter in the settings for the interface, then start tracking upon connecting it.

Is there a way to start Wireshark quickly to capture everything sent and received from startup?

Or is there a way to connect the interface after Wireshark is running and then start tracking as soon as possible?

Also, Wireshark seems to terminate immediately if the interface number doesn't exist, and newly connected interfaces don't appear on the back of

wireshark -D

but instead in the position they would be in later. So I can't just spam wireshark -i 5 -k to track the interface relatively quickly.

anon1398591551858
asked 2022-09-10 08:04:52 +0000
Guy Harris
updated 2022-09-13 05:36:11 +0000

2 Answers

Consider capturing externally, i.e. use a switch that has a mirror or span mode and the capture can be started on the mirror port before the target machine is started.

grahamb
answered 2022-09-12 08:21:48 +0000

No. Wireshark doesn't support that.

On Windows, it would require, at minimum, that Wireshark be notified of the appearance of new interfaces, and it currently has no code to do that atop whatever mechanism Windows or Npcap provide to do that.

Npcap currently doesn't provide such a mechanism, although it might be possible for it to do so if it gets notified that it has been bound to a new interface.

That alone, however, might not be sufficient, as Wireshark would then have to open the interface after it's notified that it has appeared, but that won't capture any traffic that arrived before the open completed.

So starting a capture on an interface the instant it appears is not supported, and it might be difficult for Npcap to support it.

@grahamb's suggestion to try capturing externally, if possible, is probably the best suggestion.

> Also wireshark seems to terminate immediately if the interface number doesn't exist

If you try to capture on an interface that doesn't exist, there's nothing for Wireshark to open, so it can't do anything other than say "that interface doesn't exist" and quit.

> and newly connected interfaces don't appear on the back of
>
> wireshark -D
>
> but instead in the position they would be in later.

libpcap/Npcap sort interfaces in order to try to put the interfaces most likely to be captured on first. (The implementation of that on Windows is not ideal, and needs work, but that still means that new interfaces will not be guaranteed to appear at the end of the list.)

Guy Harris
answered 2022-09-13 05:46:03 +0000

Comments

> If you try to capture on an interface that doesn't exist, there's nothing for Wireshark to open, so it can't do anything other than say "that interface doesn't exist" and quit.

Sorry, yeah that makes sense, but also if you specify 5 interfaces, and 1 doesn't exist, the whole thing terminates.

anon1398591551858 (2022-09-13 08:49:10 +0000)
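
An added example, not code from this thread or from the Wireshark project: one way to avoid the abort described in the comment above is to list the adapters first and pass only those that currently exist, by device name rather than by list number. It assumes dumpcap.exe is installed beside the wireshark.exe path from the question; the `-D` listing, GUIDs and output path are constructed.

```python
import re
import subprocess

# Assumption: dumpcap.exe is installed beside the wireshark.exe used in the question.
DUMPCAP = r"C:\Program Files\Wireshark\dumpcap.exe"

# Constructed sample of `-D` output; the GUIDs and adapter names are made up.
SAMPLE_LISTING = r"""1. \Device\NPF_{11111111-1111-1111-1111-111111111111} (Ethernet)
2. \Device\NPF_{22222222-2222-2222-2222-222222222222} (Wi-Fi)
3. \Device\NPF_Loopback (Adapter for loopback traffic capture)
"""

# A listing line is "<index>. <device name> (<description>)"; the description is optional.
LINE_RE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")

def parse_interface_list(text):
    """Return (index, device, description) for each line of a -D listing."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return found

def build_capture_args(listing, wanted, outfile):
    """Build a dumpcap command line from the wanted adapters that exist right now.

    Adapters are selected by description and handed to -i by device name, so a
    missing adapter is skipped and the list order does not matter.
    """
    present = {desc.lower(): dev for _, dev, desc in parse_interface_list(listing)}
    args, missing = [DUMPCAP], []
    for name in wanted:
        dev = present.get(name.lower())
        if dev is None:
            missing.append(name)
        else:
            args += ["-i", dev]
    return args + ["-w", outfile], missing

def start_capture(wanted, outfile):
    """List interfaces, then start dumpcap on those that exist; returns (process, missing)."""
    listed = subprocess.run([DUMPCAP, "-D"], capture_output=True, text=True)
    args, missing = build_capture_args(listed.stdout + listed.stderr, wanted, outfile)
    if "-i" not in args:
        raise RuntimeError("none of the requested interfaces exist yet")
    return subprocess.Popen(args), missing

if __name__ == "__main__":
    proc, skipped = start_capture(["Ethernet", "Wi-Fi"], r"C:\captures\boot.pcapng")
    print("capturing; skipped:", skipped)
```

This only keeps a missing adapter from aborting the capture; as the answers explain, traffic sent before the capture opens is still missed.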