
Does running Wireshark on a Domain Controller degrade performance of the DC?

We are trying to run the tool to capture the traffic on our new Windows 2016 Core edition Domain Controller.

  1. How can I install it on a Core edition of Windows?
  2. Does running the tool degrade or affect the DC in any way?

Thank you.

Van
asked 2019-06-18 00:19:05 +0000

1 Answer


In order to run a capture for a long time, at least two things may need to be considered: the storage capacity of your domain controller/device, and the capture filter to be applied, if possible (Ex. port==53 for DNS captures). Running a non-filtered capture may increase the amount of storage needed.
I assume you are willing to do a capture on the server, and not close to the server with an additional device.

1) You just need to download the executable of Wireshark, and perform the installation according to the instructions (https://www.wireshark.org/download.html).

2) Do not use the GUI for capturing; better use the tshark command line with a buffer for files, considering the limitation of your amount of storage. (Example: `tshark -i yourinterfacenumber -b files:56 -b filesize:100000 -w Yourtracefile.pcapng`.) Look into the tshark manual pages for more details. You may add `-a duration:timeinseconds` to limit the time of the running capture. You can schedule tasks on Windows systems (or a cron job on Linux systems) in order to repeat the capture job, and start any other capture with the scheduled tasks at the desired time.

Running a long-term capture with the tshark command line in general has almost no effect on the performance of the system, but it may depend on the system's physical capacity/properties.

xinxolHH
answered 2019-06-19 12:54:13 +0000, updated 2019-06-19 13:03:37 +0000

Comments

Thank you xinxolHH. Much appreciated.

Van (2019-06-25 02:12:04 +0000)

Better yet, don't use Wireshark or tshark. Use dumpcap, which is the best tool to do that (and is called by Wireshark and tshark for captures, anyway).

Jasper (2019-06-25 06:18:48 +0000)
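Putting the answer's ring-buffer procedure and Jasper's dumpcap suggestion together, as an added example that is not from the original thread: a PowerShell script for Server Core that checks the worst-case disk usage of the ring buffer against free space, locks down the capture folder, and registers a scheduled task that runs dumpcap with a capture filter. The Wireshark install path, interface number, output folder, file sizes and schedule are assumptions; the filter uses libpcap capture-filter syntax (`port 53`), which is what the `-f` option expects.

```powershell
# Added example; paths, interface number and sizes are assumptions, not from the thread.
$Dumpcap   = 'C:\Program Files\Wireshark\dumpcap.exe'   # default install path (assumed)
$OutDir    = 'D:\captures'                              # capture folder (assumed)
$Interface = 1          # interface number; list them with:  & $Dumpcap -D
$FileCount = 56         # ring buffer keeps at most this many files per run
$FileSizeK = 100000     # size per file in kB (dumpcap -b filesize is in kB), ~100 MB
$Duration  = 3600       # seconds before dumpcap stops on its own (-a duration)
$Filter    = 'port 53'  # libpcap capture-filter syntax; DNS only, keeps files small

# Worst-case disk usage of one run's ring buffer, checked against free space
# on the target drive before anything is scheduled (20% headroom).
$MaxBytes = [int64]$FileCount * $FileSizeK * 1024
$Free     = (Get-PSDrive -Name $OutDir.Substring(0, 1)).Free
if ($Free -lt [int64]($MaxBytes * 1.2)) {
    throw ("Ring buffer may reach {0:N0} MB but only {1:N0} MB are free for {2}" -f
        ($MaxBytes / 1MB), ($Free / 1MB), $OutDir)
}

# Capture files from a DC contain Kerberos/LDAP traffic: create the folder
# with access limited to Administrators and SYSTEM (inherited ACEs dropped).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Acl = Get-Acl -Path $OutDir
$Acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $Acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $OutDir -AclObject $Acl

# Same ring-buffer flags the answer shows for tshark; dumpcap accepts them and
# does not dissect packets, so it is the lightest option for a long-running capture.
$OutFile   = Join-Path $OutDir 'dc-dns.pcapng'
$ArgString = "-i $Interface -f `"$Filter`" -b files:$FileCount -b filesize:$FileSizeK " +
             "-a duration:$Duration -w `"$OutFile`""

# Run once a day as SYSTEM; each run stops after $Duration seconds.
$Action    = New-ScheduledTaskAction -Execute $Dumpcap -Argument $ArgString
$Trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'DC-DNS-Capture' -Action $Action -Trigger $Trigger `
    -Principal $Principal -Force | Out-Null
```

Each run's ring buffer rotates only the files that run created, so files from earlier runs stay on disk; prune $OutDir periodically (or add a cleanup task) when the capture task repeats.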
