Issue
In order to troubleshoot intermittent network issues, it is sometimes necessary to leave Wireshark capturing network traffic for an extended period of time. As Wireshark runs it decodes every packet and keeps the results in memory, so its data structures grow without bound. This degrades performance and eventually Wireshark may run out of virtual memory and stop capturing or crash.
Product Line
Andover Continuum, EcoStruxure Building Operation
Environment
Wireshark
Cause
Network traffic needs to be captured with Wireshark for an extended period of time without the capture exhausting memory or disk space.
Resolution
Open Wireshark and follow these instructions:
- From the toolbar, select Capture -> Options
- On the Input tab, select the input adapter. If necessary, set a capture filter so only the traffic of interest is written to disk.
- On the Output tab, perform the following:
- Browse to the capture file location and provide a filename. A sequence number and timestamp are added to the filename as a suffix for each file in the ring.
- Ensure the output format is pcapng
- Check Create a new file automatically
- Check After 1 and change seconds to hours (a new file is started every hour)
- Check When time is a multiple of 1 and change seconds to hours (files start on the hour)
- Check Use a ring buffer with X files. With one file per hour, the recommended values are 96 files (4 days) or 168 files (1 week), so that the files can still be retrieved after a long weekend or a week, respectively.
- On the Options tab, perform the following:
- Check the last Stop capture automatically after... selection and change it to 744 hours (31 days), so the capture runs for a month without stopping.
- When an event happens, gather the capture files whose timestamps fall immediately before and after the event. The .pcapng files can be ZIPped to save space when transferring them.
NOTE: More recent versions of Wireshark (2.4.1 and later) make it very easy to set up a ring buffer from the Output tab of the Capture options.
For older versions of Wireshark 1.x, use the steps below.
When capturing data, Wireshark actually uses a separate capture utility called dumpcap to do the data capture. dumpcap does not decode packets as they come in and thus has a small memory footprint that remains constant. The only remaining concern is the size of the capture file or files, which can be specified when starting the ring buffer to keep them from growing too big.
dumpcap is found in the folder where the Wireshark program resides, which can be seen under Help > About Wireshark > Folders.
- Determine the index of the Ethernet adapter you need to capture on (dumpcap -D lists the available interfaces with their index). In this example, the traffic seen by the Broadcom NetXtreme Gigabit Ethernet adapter will be captured, and index 1 is specified when starting dumpcap.
- Execute dumpcap with the following options:
dumpcap -i 1 -b files:3 -b filesize:10 -w C:\temp\abe.pcapng
- -i 1 specifies to capture on the network adapter with an index of 1
- -b files:3 specifies to use a 3 file ring buffer
- -b filesize:10 specifies to limit the file size to 10 kB (*** for a real-life capture this number would be much bigger, say 100/200 MB, i.e. 100000/200000 kB)
- -w C:\temp\abe.pcapng specifies the location and prefix for the three files
- In the screenshot below we can see the files in the ring buffer being used. Once a file reaches the specified limit, the capture continues in the next file. Files are named using the specified prefix followed by a sequence number and a date-time stamp, which is set each time the utility starts a new file.
Care should be taken to stop the capture as soon as possible once the issue under investigation takes place, and before the ring buffer wraps around and overwrites the data.
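The two procedures above (the GUI ring-buffer settings and the dumpcap command line) and the advice about collecting the files around an event can be automated. The following Python helper is an added example, not part of the original article or of Wireshark itself. It builds a dumpcap command line equivalent to the GUI settings (hourly rotation, N-file ring, optional overall stop time, optional capture filter) and, given the filenames in the ring and an event time, picks the file that was open when the event happened plus its neighbours. The ring-file naming pattern prefix_NNNNN_YYYYmmddHHMMSS.pcapng, the interface name "1", the output path, and the SAMPLE_RING filenames are assumptions constructed for the example; verify the naming on your own build before relying on it.

```python
"""Long-running dumpcap ring buffer helpers (added example; not the article's own code)."""
import re
from datetime import datetime
from typing import List, Optional, Sequence, Tuple

# Assumed ring-file naming: <prefix>_<5-digit seq>_<YYYYmmddHHMMSS>.pcapng,
# where the timestamp is the moment that file was opened.
RING_FILE_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.pcapng$")

# Constructed sample of a 4-file window of a ring, one file per hour.
SAMPLE_RING = [
    "abe_00005_20240311080000.pcapng",
    "abe_00006_20240311090000.pcapng",
    "abe_00007_20240311100000.pcapng",
    "abe_00008_20240311110000.pcapng",
]


def dumpcap_ring_argv(interface: str, out_file: str, files: int,
                      rotate_seconds: int = 3600,
                      filesize_kb: Optional[int] = None,
                      stop_after_seconds: Optional[int] = None,
                      capture_filter: Optional[str] = None) -> List[str]:
    """Build the dumpcap argv matching the GUI settings in the article.

    -b duration:N   start a new file every N seconds (3600 = hourly)
    -b files:N      keep a ring of N files, overwriting the oldest
    -b filesize:N   also rotate when a file reaches N kB (dumpcap counts kB)
    -a duration:N   stop the whole capture after N seconds (744 h = 2678400 s)
    -n              write pcapng
    """
    argv = ["dumpcap", "-i", interface, "-n", "-w", out_file,
            "-b", f"duration:{rotate_seconds}", "-b", f"files:{files}"]
    if filesize_kb:
        argv += ["-b", f"filesize:{filesize_kb}"]
    if stop_after_seconds:
        argv += ["-a", f"duration:{stop_after_seconds}"]
    if capture_filter:
        argv += ["-f", capture_filter]
    return argv


def parse_ring_start(name: str) -> Optional[datetime]:
    """Return the open time encoded in a ring filename, or None if it does not match."""
    m = RING_FILE_RE.match(name)
    return datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S") if m else None


def files_around_event(names: Sequence[str], event: datetime) -> List[str]:
    """Pick the file that was open at `event` plus the one before and after it.

    Returns [] when the oldest file in the ring started after the event: the
    ring has wrapped and the evidence has already been overwritten.
    """
    dated: List[Tuple[datetime, str]] = sorted(
        (ts, n) for n in names if (ts := parse_ring_start(n)) is not None)
    if not dated or event < dated[0][0]:
        return []
    idx = max(i for i, (ts, _) in enumerate(dated) if ts <= event)
    return [n for _, n in dated[max(0, idx - 1): idx + 2]]


if __name__ == "__main__":
    # 96-file hourly ring, stop after 31 days, as recommended in the article.
    print(" ".join(dumpcap_ring_argv("1", r"C:\temp\abe.pcapng", 96,
                                     stop_after_seconds=744 * 3600)))
    print(files_around_event(SAMPLE_RING, datetime(2024, 3, 11, 9, 30)))
```

Run the printed command in the Wireshark program folder (or with dumpcap on PATH); the sequence number in each filename makes it easy to confirm that the three files handed back by files_around_event are consecutive. An empty result is the warning sign the article ends on: the ring wrapped before the capture was stopped, so the files have to be collected sooner next time or the ring made larger.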