6

I need to run Wireshark all night to capture packets from a certain IP address. I notice the longer Wireshark runs, the more RAM it takes up because it stores all of the packets found during the run. There are 3 possible solutions for me, but I couldn't find any answers online:

  1. Configure Wireshark to only save in RAM the packets that appear through the filter (not ALL packets). I'm not sure if this is possible.
  2. Configure Wireshark to automatically save packets to a file every hour and free its memory after storing to file.
  3. Use an alternative to Wireshark that is designed to run for a while.
clarity
  • 163
  • 1
  • 3

4 Answers

3

For Windows environments (like mine, where it is a big deal to install Wireshark on a server), ever since Win7/2008R2 there has been built-in packet capture available.

This will capture everything until you tell it to stop: netsh trace start capture=yes persistent=yes tracefile=c:\temp\results.etl

Monitor the trace: netsh trace show status

Stop the trace: netsh trace stop

It does support all the usual: filtering, circular logging, and it can even persist across reboots. Another plus is the command help: try netsh trace ? or netsh trace show ?. You do need to install Microsoft Message Analyzer to view/export the results.

It seems like for your situation you'd be set with the below command:

netsh trace start capture=yes persistent=yes tracefile=c:\temp\results.etl maxSize=500

That will give you circular logging with 500MB files, and persist across reboots.

Dre
  • 1,710
  • 7
  • 12
1

I always just use tcpdump. Wireshark can open the resulting capture file later, though if it's huge you might still need to split it up with something like editcap. Here are some examples:

Capture all traffic:

tcpdump -s 0 -n -w <filename>

Capture all traffic, except SSH traffic (useful when running tcpdump over an SSH connection):

tcpdump -s 0 'port not 22' -n -w <filename>

You need the -s 0 parameter so that tcpdump doesn't impose a per-packet limit.

You may not need -n; I always use it so that Wireshark doesn't spend time trying to resolve names. (It may be more useful without -w.)

mpontillo
  • 924
  • 6
  • 23
1

Necroed but ...

  1. Wireshark has supported separate capture-level (libpcap or winpcap) and display filters since at least 2008. Packets excluded by the capture filter are not stored at all and don't use memory. The capture filter syntax is simpler and less powerful than Wireshark's display filter syntax, but from (and/or to) an IP address is within its capabilities.

    The location where you specify a capture filter has changed over time. In old versions you had to double-click on the interface in the capture-options window; now (or at least recently) it appears in the welcome window and the capture-options window, under the interface list. I think this change occurred at 2.0, but I don't swear to that.

  2. It appears in this case you only really need to capture, and display can be at a later time. In that case, Wireshark has long had an option to write immediately to a file or a series of files (based on time interval or amount of data), and if you also turn off 'update list in real time' (a separate option) it doesn't take nearly as much RAM. (Obviously you need disk space for the file(s).)

    These options also moved. In old versions they were always shown in the capture-options window (in fact they used most of the bottom half of the window, making them hard to miss); now you must go to the second and third tabs of the capture-options window.

  3. The Wireshark package, including the Windows installer(s), also includes a command-line version tshark[.exe]. With option -w and related options like -b and -a, tshark similarly has the ability to capture, with optional capture filtering and/or 'display' (!) filtering, directly to a file or series of files, and doing no display at all hence needing almost no RAM. You can later read this file (or each/any of these files) into full-Wireshark to display and analyze.

    This option is similar to tcpdump with -w (but not identical). tshark's other modes -- to capture and immediately decode and display; or to read a capture file with -r and decode and display -- are basically similar to tcpdump, but the display is quite a bit different.

    Since this is a commandline program you need to read its manual page for detailed instructions. Since Windows (except for 10 + WSL) doesn't have man pages, the Windows installer instead provides an HTML file in the installdir (\Program Files\Wireshark\tshark.html) which is also accessible from the GUI program (Wireshark) under Help / ManualPages (!).

dave_thompson_085
  • 3,262
  • 1
  • 16
  • 16
  • I agree, the best solution is a capture filter. I once ran Wireshark on a demoted Domain Controller, and only captured DNS port to see if some clients still try to use it as DNS server. It ran for several days without eating up too much ram. – Tobias Jan 04 '19 at 10:31
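The tcpdump and tshark answers above both point at the same technique: a capture filter so only the one host's packets are ever stored, plus writing straight to rotating files so RAM stays flat. The script below is an added example, not code from any of the answers or from the Wireshark project; it builds and runs either command. The host `192.0.2.10`, the interface `eth0` and the output directory `/var/tmp/captures` are placeholders to edit before use.

```shell
#!/bin/sh
# Added example: overnight capture of one host's traffic with bounded memory
# and disk use. Assumes tcpdump and/or tshark are installed and that the
# script is run with the privileges they need to open the interface.

TARGET_HOST=192.0.2.10        # placeholder: the IP address to watch
IFACE=eth0                    # placeholder: interface to capture on
OUT_DIR=/var/tmp/captures     # placeholder: where the files go
ROTATE_SECONDS=3600           # start a new file every hour
KEEP_FILES=24                 # tshark ring buffer: oldest file is overwritten
STOP_SECONDS=$((ROTATE_SECONDS * 12))   # stop after 12 hours ("all night")

# BPF capture filter. Packets that do not match are discarded in the kernel,
# so they never reach user space and never take up memory (a display filter
# would not help here: it only hides packets that are already stored).
capture_filter() {
    printf 'host %s' "$1"
}

# tshark: -f is the capture filter, -b duration:/files: form a ring buffer
# (new file every hour, at most KEEP_FILES files kept), -a duration: stops
# the capture after STOP_SECONDS. Nothing is decoded or displayed, so RAM
# use stays small; the files are opened in Wireshark afterwards.
tshark_cmd() {
    printf "tshark -i %s -s 0 -n -f '%s' -a duration:%s -b duration:%s -b files:%s -w %s/capture.pcapng" \
        "$IFACE" "$(capture_filter "$TARGET_HOST")" "$STOP_SECONDS" \
        "$ROTATE_SECONDS" "$KEEP_FILES" "$OUT_DIR"
}

# tcpdump equivalent: -G rotates every ROTATE_SECONDS into a strftime-named
# file; combined with -G, -W limits the number of rotated files and then
# exits (so 12 files = 12 hours), which is not a ring buffer. -s 0 keeps
# whole packets, -n skips name resolution.
tcpdump_cmd() {
    printf 'tcpdump -i %s -s 0 -n -G %s -W %s -w %s/capture-%%Y%%m%%d-%%H%%M%%S.pcap %s' \
        "$IFACE" "$ROTATE_SECONDS" "$((STOP_SECONDS / ROTATE_SECONDS))" \
        "$OUT_DIR" "$(capture_filter "$TARGET_HOST")"
}

# Run the chosen tool. Only executes when CAPTURE_TOOL is set, so the script
# can be sourced to inspect the generated commands without starting a capture.
main() {
    mkdir -p "$OUT_DIR"
    case "$1" in
        tshark)  cmd=$(tshark_cmd) ;;
        tcpdump) cmd=$(tcpdump_cmd) ;;
        *) echo "usage: CAPTURE_TOOL=tshark|tcpdump $0" >&2; return 2 ;;
    esac
    echo "Running: $cmd"
    eval "$cmd"
}

if [ -n "${CAPTURE_TOOL:-}" ]; then
    main "$CAPTURE_TOOL"
fi
```

Start it with `CAPTURE_TOOL=tshark sh capture.sh` (or `tcpdump`); the tshark form is the one to prefer when the capture might run longer than planned, because its ring buffer caps disk use while tcpdump's `-G`/`-W` pair simply stops after the last file.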
0

Avoid capturing all packets, if possible. When selecting the interface, insert a filter to cover a superset of the packets you are looking for in the display later. That will reduce the memory and disk usage of Wireshark a lot:


Example: to filter HTTP packets, enter tcp port http and start the capture.

NOTE: THIS IS A Capture Filter APPLIED WHEN SELECTING THE INTERFACE (this is not a Display Filter).

lashgar
  • 681
  • 1
  • 5
  • 16
  • The filters only filter the displayed data. All packets are still being captured – Mehdiway Jun 20 '19 at 12:31
  • @Mehdiway, sorry for confusion. This is a `Capture filter` not `Display filter`. Applied when selecting the interface. – lashgar Jun 20 '19 at 19:27