Cisco Support Community
The purpose of this article is to capture packets for a network scenario where the Mean Time Between Failure (MTBF) is very long. To capture packets for such a long time requires the buffer in the computer to be very high so that the whole traffic can be captured.
To obtain the captures we use Wireshark software and the command Dumpcap. Dumpcap will capture packets on a specified interface and save it in a file.
• All Devices
Procedure to Capture Packets
Step 1. In the Windows command prompt, navigate to the location where the Wireshark file is saved and enter dumpcap -D to check what the available interfaces are to capture packets.
Important commands for dumpcap:
• -i — Name or number of the interface through which the traffic needs to be captured.
• -B — Size of kernel buffer.
• -c — Stop capture after n packets.
• -w — Name of the file to save.
• -b — Duration of time to switch to next file.
Step 2. The default capture buffer of a dumpcap file is 1 Mb. To check the available physical memory use the task manager. To navigate to the task manager right click on the start task bar menu and click Start Task Manager. In this case 1904200 Kb is available in physical memory which is more than the default buffer size.
Step 3. In the command prompt inside the Wireshark directory enter dir to check the available free bytes to make sure all the available space is not used by the capture file.
Step 4. Run this command to start dumpcap with a 5 meg file size per capture and use 48 total files in a ring on interface 2. The packets gets saved in the file called CiscoLongTermPacketCapture.pcap : dumpcap -b filesize:5120–b files:48 -i 2 -w CiscoLongTermPacketCapture.pcap.