
Capturing traffic with Dumpcap

The dumpcap.exe file is the executable that Wireshark actually runs under the covers to capture packets and save them to a trace file in libpcap format. You can run Dumpcap directly on the command line to bypass the Wireshark GUI and use fewer resources. A list of command-line options is available by typing dumpcap.exe -h.

Some of the most useful options are as follows:

  • -D: This prints a list of available interfaces and exits
  • -i <interface>: This specifies a name or index number of an interface to capture on
  • -f <capture filter>: This applies a capture filter in the Berkeley Packet Filter (BPF) syntax
  • -b filesize:<size>: This is the file size at which Dumpcap switches to the next capture file
  • -w <outfile>: This is the name of the file where the captured packets will be saved

The following screenshot shows an example of listing the interfaces and then running Dumpcap to capture on a specific interface, using an IP address capture filter (note the quotes around the filter syntax), a three-file ring buffer with file sizes of 100 MB, and an output filename derived from capture.pcap:
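
The command sequence described above, written out as an added example (it is not the book's screenshot or the author's code). The interface index 1, the host address 192.168.1.10 and the helper function names are constructed for illustration, and the MB to kB conversion is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example (not from the book): prints the dumpcap command line for a
# ring-buffer capture. Interface index 1, host 192.168.1.10 and the output
# name are constructed sample values. On Windows the binary is dumpcap.exe.

# Fail if an argument is empty or would break the double quoting below.
safe_arg() {
    case $1 in
        ''|*'"'*|*'$'*|*'`'*|*'\'*) return 1 ;;
    esac
}

# Fail unless the argument is a positive integer without leading zeros.
pos_int() {
    case $1 in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
}

# ring_capture_cmd IFACE FILTER FILES SIZE_MB OUTFILE
#   IFACE    interface name or index, as listed by `dumpcap -D`
#   FILTER   capture filter in BPF syntax
#   FILES    number of files kept in the ring buffer
#   SIZE_MB  size of each file in MB
#   OUTFILE  base output name; dumpcap inserts a counter and timestamp
ring_capture_cmd() {
    safe_arg "$1" && safe_arg "$2" && safe_arg "$5" || {
        echo "unsafe or empty argument" >&2; return 1; }
    pos_int "$3" && pos_int "$4" || {
        echo "FILES and SIZE_MB must be positive integers" >&2; return 1; }
    # -b filesize is given in kB; 1 MB = 1000 kB is an assumption here,
    # confirm the unit in the man page of your version.
    size_kb=$(( $4 * 1000 ))
    printf 'dumpcap -i "%s" -f "%s" -b files:%s -b filesize:%s -w "%s"\n' \
        "$1" "$2" "$3" "$size_kb" "$5"
}

# Step 1 is `dumpcap -D` to find the interface index; step 2 is the capture.
ring_capture_cmd 1 "host 192.168.1.10" 3 100 capture.pcap
```

The quotes around the filter keep the shell from splitting "host 192.168.1.10" into two arguments, which is why the helper rejects filters that contain quote characters.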

You can get more information on Dumpcap options at https://www.wireshark.org/docs/man-pages/dumpcap.html.
