Wireshark mailing list archives

Re: remote capture framework


From: Phil Paradis <Phil.Paradis () unitedtote com>
Date: Thu, 13 May 2010 16:54:34 -0700

We have a very similar setup; we use SrvAny.exe from the Windows Resource Kit to run dumpcap as a service. The 
parameters are configured to capture to a ring buffer of a fixed maximum size, and we run the capture continuously; 
when something of interest happens, we just go and grab the files after hours.

Two caveats:

1. If the capture runs for a long period of time on Windows the timestamps will drift. If you stop the capture and 
restart the NPF service periodically, the drift doesn't get too far out of hand. We restart the capture every day in 
the early morning. If you need better accuracy and can live with a loss of precision, there is a registry setting that 
changes how timestamps are calculated; this fixes the drift, but reduces the precision to 10ms resolution in place of 
the default sub-millisecond resolution. (I'd have to look up the details; it's been a while since I last looked into 
this.)

2. When the capture is stopped and restarted (either by restarting the dumpcap process or rebooting the box) the 
existing ring buffer is orphaned on the disk and a new buffer started. We just run a script every day, right after the 
capture restart, to clean up old files (based on the modified date of the file) so the disk doesn't fill up. 

If you're running on Linux, you can just create an init script to start dumpcap at boot. I'm not sure about the 
timestamp issue; all of our capture boxes are Windows-based, so I've never really played with a long-running capture on 
Linux. (IIRC, the issue on Windows is related to the win32 time APIs, so I suspect Linux doesn't have the same issue.) 
You'd probably need a cron job to clean up the orphaned buffer files from system reboots though.

--
Phillip R. Paradis | Network Engineer | United Tote | 2724 River Green Circle | Louisville | KY | Phone: +1 (502) 509-7445
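The Linux variant Phil sketches (start dumpcap at boot, a cron job to sweep the ring-buffer files that each restart orphans) as an added example script; it is not part of this thread and not Wireshark project code. The interface eth0, the /var/lib/capture directory, the file size and count, the "ring" prefix and the three-day retention are assumed values; only the dumpcap options and its ring-buffer file naming (prefix_NNNNN_YYYYMMDDhhmmss.pcapng) are real.

```shell
#!/bin/sh
# Added example, not from the original post. Continuous dumpcap ring-buffer
# capture plus age-based cleanup of orphaned buffer files. All settings below
# are assumptions; adjust for the box.

CAP_IF="${CAP_IF:-eth0}"                 # assumed interface
CAP_DIR="${CAP_DIR:-/var/lib/capture}"   # assumed capture directory
CAP_PREFIX="ring"                        # assumed ring-buffer name prefix
CAP_FILESIZE_KB=102400                   # rotate after ~100 MB per file
CAP_FILES=50                             # ring of 50 files, ~5 GB on disk
KEEP_DAYS=3                              # sweep buffer files older than this

# Service entry point: run dumpcap as a ring buffer of CAP_FILES files of
# CAP_FILESIZE_KB each. dumpcap names them ring_00001_20100513030000.pcapng,
# ring_00002_..., and reuses slots within one run, but a restarted dumpcap
# starts a fresh ring and never touches the files of the previous one.
start_capture() {
    umask 077              # the files hold raw traffic; keep them owner-only
    mkdir -p "$CAP_DIR"
    exec dumpcap -i "$CAP_IF" -q \
        -b "filesize:$CAP_FILESIZE_KB" -b "files:$CAP_FILES" \
        -w "$CAP_DIR/$CAP_PREFIX.pcapng"
}

# Delete ring-buffer files in $1 whose modification time is more than $2 days
# old (the "based on the modified date" rule from the post) and print how many
# were removed. Files still being cycled by the live ring are rewritten
# continuously, so they never reach the age limit as long as KEEP_DAYS is
# longer than one full rotation of the ring. Non-matching files are untouched.
cleanup_orphans() {
    dir="$1"
    days="$2"
    find "$dir" -maxdepth 1 -type f \
        -name "${CAP_PREFIX}_*.pcapng" -mtime +"$days" \
        -print -delete | wc -l | tr -d ' '
}

# Dispatch: "start" from the init script, "cleanup" from a daily cron entry
# run right after the capture restart, e.g. (assumed schedule)
#   0 3 * * * /usr/local/sbin/capture.sh cleanup
case "${1:-}" in
    start)   start_capture ;;
    cleanup) cleanup_orphans "$CAP_DIR" "$KEEP_DAYS" ;;
esac
```

Two things to check before relying on this: KEEP_DAYS must exceed the time the ring takes to cycle through all CAP_FILES files on a quiet link, or the sweep will start deleting files dumpcap still counts as part of its live ring; and on Linux dumpcap is normally given cap_net_raw and cap_net_admin (the usual Wireshark setup) so the capture service, and the script around it, need not run as root.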


-----Original Message-----
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Morty
Sent: Thursday, May 13, 2010 5:58 PM
To: wireshark-users () wireshark org
Subject: [Wireshark-users] remote capture framework

I have a whole bunch of hosts at various WAN sites that are used for
remote captures.  Right now, people log in to them remotely and kick
off tcpdump or wireshark on the host itself.  I'd like to get away
from that.  I'm willing to develop something myself, but prefer to not
reinvent the wheel.  rpcap looks like a step in the right direction.
But it seems to be a streaming solution, which is bad over a WAN; it
doesn't seem to have a mechanism to centrally list many supported
devices; and it doesn't seem very cross-platform.  Is rpcap more
capable than I am seeing?  Is there a different (free) option?

Thanks.

- Morty
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

