Discussion:
how to start Wireshark automatically at each boot-up?
Dai Nish
2010-01-13 23:50:25 UTC
Hello

I am having to record my network usage over each billing month. I am reading the Wireshark Help for information as to how a user can have the program automatically start and monitor whenever the computer boots up to no avail. Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.

Thank you,

Dai 
Hrishikesh Murali
2010-01-14 10:57:37 UTC
Hi,
Please advise me how you could start Wireshark automatically and use it to
monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
--
Thanks and Regards,
Hrishikesh Murali
T***@public.gmane.org
2010-01-14 13:18:48 UTC
If you're looking to monitor startup traffic from the box, I would think it would be better to set up Wireshark on another system and attach that box to a hub / tap / span port / etc. That way you can get everything that happens on boot. If you don't know when the system will reboot, you can also set up a ring buffer for the capture so it will always be running without killing your disk space.
Just a thought
tim

From: wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org [mailto:wireshark-users-***@wireshark.org] On Behalf Of Hrishikesh Murali
Sent: Thursday, January 14, 2010 5:58 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to start Wireshark automatically at each boot-up?

Hi,
On Thu, Jan 14, 2010 at 5:20 AM, Dai Nish <dai_nish-/***@public.gmane.org<mailto:dai_nish-/***@public.gmane.org>> wrote:
Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.

Just add the line "wireshark&" to /etc/rc.local

--
Thanks and Regards,
Hrishikesh Murali
Karthik Balaguru
2010-01-14 13:25:48 UTC
Hi,
Please advise me how you could start Wireshark automatically and use it to
monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
--
Great !! I think that will work fine in case of a single interface.
But, in case of multiple interfaces, how will wireshark select a
particular interface automatically so that packets sent/received
through that particular interface can be analyzed as soon as the
system boots up? Is there any configuration file that can be used by
wireshark to choose an interface as soon as it comes up ?

Thx in advance,
Karthik Balaguru
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Karthik Balaguru
2010-01-14 13:30:26 UTC
Hi,
Please advise me how you could start Wireshark automatically and use it to
monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
Will wireshark be able to select the interface by just adding the
above line ? I think, it will only start the wireshark.

Thx in advance,
Karthik Balaguru
Forthofer Russ
2010-01-14 14:00:42 UTC
Use the "-i <interface>" option. "wireshark -h" will show you the command-line options available.

-----Original Message-----
From: wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org [mailto:wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org] On Behalf Of Karthik Balaguru
Sent: Thursday, January 14, 2010 8:30 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to start Wireshark automatically at each boot-up?
Hi,
Please advise me how you could start Wireshark automatically and use it to
monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
Will wireshark be able to select the interface by just adding the above line ? I think, it will only start the wireshark.

Thx in advance,
Karthik Balaguru
Karthik Balaguru
2010-01-14 14:34:02 UTC
Post by Forthofer Russ
Sent: Thursday, January 14, 2010 8:30 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to start Wireshark automatically at each boot-up?
Hi,
Please advise me how you could start Wireshark automatically and use it to
monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
Will wireshark be able to select the interface by just adding the above line ? I think, it will only start the wireshark.
use the "-i <interface>" option. "wireshark -h" will show you the commandline options available.
Interesting !
So invoking wireshark by adding the line "wireshark&" to /etc/rc.local along
with the '-i' option solves the interface selection problem.
I checked the below link
-http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
I find very good support on the command line for conveying the 'capture
stop conditions' and various methods of handling a large number of
output logs for 'capture output'.

Thx for that info.
Karthik Balaguru
Bill Meier
2010-01-14 15:31:30 UTC
Post by Karthik Balaguru
Post by Forthofer Russ
Sent: Thursday, January 14, 2010 8:30 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to start Wireshark automatically at each boot-up?
Hi,
Please advise me how you could start Wireshark automatically and use it to
monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
Will wireshark be able to select the interface by just adding the above line ? I think, it will only start the wireshark.
use the "-i <interface>" option. "wireshark -h" will show you the commandline options available.
Interesting !
So invoking the wireshark by adding the line "wireshark&" to /etc/rc.local along
with the '-i' option solves the interface selection problem.
I checked the below link
-http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
I find very good support in command line for conveying the 'capture
stop conditions' and various methods of handling large number of
output logs to 'capture output'.
One comment:

Using Wireshark directly is not suitable for long-term captures. It
dissects frames as they are received and accumulates info in memory
about the frames. It will thus use more and more memory as time goes on.

The program which should be used is Dumpcap (installed along with
Wireshark & etc) which is the program invoked by Wireshark to capture data.

Dumpcap can be used to just write a capture to a file (or files).

See the man page, the User's Guide and etc for more information.

Ian Schorr
2010-01-14 21:54:06 UTC
Agreed. I'm really not sure what you're trying to accomplish with
Wireshark here. If you're simply looking for a report of how much
data has been transmitted and received, surely you don't want to
CAPTURE and SAVE all of that data - just know how much transferred?

There are a number of freeware utilities, depending on your OS,
designed to report and calculate Internet usage, that require much
less overhead than Wireshark..

Depending on what traffic is important to you (or more specifically,
if only a subset of traffic you transfer is important or not), you
might be able to just look at periodic outputs of "netstat -i".

If you're looking for a text-based report, you may want to consider
using "tshark", the "-z io,stat" option (and redirect output to a
file), and possibly a script that restarts tshark periodically.

Or if you really need to capture the data, dumpcap would be MUCH more
appropriate for long-term captures.
Post by Bill Meier
Using Wireshark directly is not suitable for long-term captures. It
dissects frames as they are received and accumulates info in memory
about the frames.  It will thus use more and more memory as time goes on.
The program which should be used is Dumpcap (installed along with
Wireshark & etc) which is the program invoked by Wireshark to capture data.
Dumpcap can be used to just write a capture to a file (or files).
See the man page, the User's Guide and etc for more information.
Guy Harris
2010-01-14 22:35:38 UTC
Post by Hrishikesh Murali
Post by T***@public.gmane.org
Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
...if you're running on a UN*X with an /etc/rc.local. That obviously won't help on Windows.

Note that the X server must be running *before* Wireshark is started, as it's an X11-based application on UN*X.

As others have noted, it's not clear that Wireshark - or even the non-GUI TShark - would be the right tool for this purpose. If somebody wants to record network *usage*, even running dumpcap or "tcpdump -w" might be overkill - capturing traffic won't just give them the amount of network traffic, it'll give you the full *contents* of the network traffic, so if they use, for example, 250GB/month of network traffic, capturing that traffic will consume at least 250GB/month of disk space....
Hrishikesh Murali
2010-01-15 06:10:54 UTC
Hi,
Post by Guy Harris
...if you're running on a UN*X with an /etc/rc.local. That obviously won't
help on Windows.
This is true, I was wrong in assuming that the user is using UN*X systems.
Post by Guy Harris
As others have noted, it's not clear that Wireshark - or even the non-GUI
TShark - would be the right tool for this purpose. If somebody wants to
record network *usage*, even running dumpcap or "tcpdump -w" might be
overkill - capturing traffic won't just give them the amount of network
traffic, it'll give you the full *contents* of the network traffic, so if
they use, for example, 250GB/month of network traffic, capturing that
traffic will consume at least 250GB/month of disk space....
You are right, I should have suggested the non-GUI option, especially if the
user is planning on capturing traffic over a reasonably long period of
time.
--
Thanks and Regards,
Hrishikesh Murali
Karthik Balaguru
2010-01-15 10:32:18 UTC
Post by Guy Harris
Post by Hrishikesh Murali
Post by T***@public.gmane.org
Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
...if you're running on a UN*X with an /etc/rc.local. That obviously won't help on Windows.
Note that the X server must be running *before* Wireshark is started, as it's an X11-based application on UN*X.
As others have noted, it's not clear that Wireshark - or even the non-GUI TShark - would be the right tool for this purpose. If somebody wants to record network *usage*, even running dumpcap or "tcpdump -w" might be overkill - capturing traffic won't just give them the amount of network traffic, it'll give you the full *contents* of the network traffic, so if they use, for example, 250GB/month of network traffic, capturing that traffic will consume at least 250GB/month of disk space....
The below link conveys some good ways to dump and analyze network traffic.
http://www.wireshark.org/docs/man-pages/tshark.html .
But, if running 'dumpcap' or 'tcpdump -w' is overkill for capturing
the full contents of network traffic and if it is not a good idea to
use "tshark", the "-z io,stat" option (and redirect output to a file),
what could be the best alternative in this scenario ?

Should we need to go in for some kind of file compression by using
external file compression tools ?

Is there a format of logging provided by wireshark that would consume
very less space ?

Thx in advance,
Karthik Balaguru
Guy Harris
2010-01-15 18:15:05 UTC
Post by Karthik Balaguru
Is there a format of logging provided by wireshark that would consume
very less space ?
There's no form of logging that will just log the *amount* of traffic captured. There might be tools that will log that sort of information; it might, for example, be possible to get ntop:

http://www.ntop.org/

to log it.

If you really need information about *every* packet on your network, rather than just summary information such as "every hour, show me how much traffic went to and from different IP addresses", you could try setting the snapshot length with the "-s" flag so that you only capture the IP header; you could also try to capture the TCP or UDP header if you want to know what port numbers were being accessed (so you could, for example, distinguish HTTP traffic from SMTP/POP/IMAP mail traffic from...).
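As an added example (not code from any post in this thread), a small POSIX sh script that applies the advice above to a boot-time capture: dumpcap instead of Wireshark, an explicit "-i" interface, a short "-s" snaplen that keeps only IP and TCP headers rather than payload, and a "-b" ring buffer that bounds disk use. The interface name eth0 and the /var/log/pcap directory are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: launch a bounded, header-only dumpcap
# capture at boot (e.g. from /etc/rc.local) instead of starting Wireshark.
# Assumed placeholders: interface eth0, output directory /var/log/pcap.

# Smallest snaplen that still keeps Ethernet (14) + IPv4 (20) + TCP (20)
# headers, so per-host and per-port byte counts can be derived later.
MIN_SNAPLEN=54

# build_dumpcap_cmd IFACE SNAPLEN FILE_KB FILE_COUNT OUTFILE
# Prints the dumpcap command line, or returns 1 when the arguments would
# produce a useless (headers cut off) or unbounded (no ring) capture.
build_dumpcap_cmd() {
    iface=$1; snaplen=$2; file_kb=$3; file_count=$4; outfile=$5
    if [ "$snaplen" -lt "$MIN_SNAPLEN" ]; then
        echo "snaplen $snaplen drops the IP/TCP headers (min $MIN_SNAPLEN)" >&2
        return 1
    fi
    if [ "$file_count" -lt 2 ]; then
        echo "a ring buffer needs at least 2 files" >&2
        return 1
    fi
    # -p: no promiscuous mode, only this host's own traffic is of interest
    # -s: snapshot length in bytes (headers only, not payload)
    # -b filesize:KB + -b files:N: ring buffer, disk use is bounded by KB*N
    printf 'dumpcap -i %s -p -s %s -b filesize:%s -b files:%s -w %s\n' \
        "$iface" "$snaplen" "$file_kb" "$file_count" "$outfile"
}

# ring_buffer_max_kb FILE_KB FILE_COUNT: upper bound on disk the ring uses,
# which is what makes a month-long capture safe on a small disk.
ring_buffer_max_kb() {
    echo $(( $1 * $2 ))
}

# interface_exists IFACE: true when Linux sysfs knows the interface, so the
# script fails loudly at boot instead of letting dumpcap pick a default.
interface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# Entry point for rc.local:  /path/to/this.sh start eth0
if [ "$1" = "start" ]; then
    IFACE=${2:-eth0}
    OUTDIR=/var/log/pcap
    interface_exists "$IFACE" || { echo "no interface $IFACE" >&2; exit 1; }
    mkdir -p "$OUTDIR"
    # 96-byte snaplen, 20 files of 100 MB: at most ~2 GB on disk, ever.
    cmd=$(build_dumpcap_cmd "$IFACE" 96 102400 20 "$OUTDIR/usage.pcap") || exit 1
    echo "starting: $cmd (max $(ring_buffer_max_kb 102400 20) KB on disk)"
    # Detach from the boot shell; dumpcap keeps rotating files until reboot.
    nohup $cmd >"$OUTDIR/dumpcap.log" 2>&1 &
fi
```

Byte totals per address or port can then be read from the rotated files afterwards with tshark's "-z io,stat" or "-z conv" statistics, without the GUI ever running.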
Karthik Balaguru
2010-01-15 14:52:12 UTC
Post by Guy Harris
Post by Hrishikesh Murali
Post by T***@public.gmane.org
Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
...if you're running on a UN*X with an /etc/rc.local. That obviously won't help on Windows.
I have been searching the internet for having the wireshark up as soon
as the windows boots up -
1. http://www.tutorial5.com/content/view/43/47/
2. For Windows XP -
Click Start > All Programs > right click the 'Startup' folder > click
'Explore' > copy the Wireshark Shortcut there and you're done !!

The invocation of wireshark as soon as Windows starts up can be
done using the above methods. But, if wireshark has to get started
with certain specific configurations at startup, then a batch file
should be created for this and the shortcut to launch the batch file
should be placed into the Startup group on the Start menu. The batch
file can have commands to invoke wireshark with the desired
configurations using the command line options that are available with
it. (with the '-i' option to solve the interface selection problem &
other options can also be configured )
http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
http://commandwindows.com/batch.htm

Lemme know if there are some other tricks !
Post by Guy Harris
Note that the X server must be running *before* Wireshark is started, as it's an X11-based application on UN*X.
As others have noted, it's not clear that Wireshark - or even the non-GUI TShark - would be the right tool for this purpose. If somebody wants to record network *usage*, even running dumpcap or "tcpdump -w" might be overkill - capturing traffic won't just give them the amount of network traffic, it'll give you the full *contents* of the network traffic, so if they use, for example, 250GB/month of network traffic, capturing that traffic will consume at least 250GB/month of disk space....
Karthik Balaguru
Ian Schorr
2010-01-15 15:15:39 UTC
I think you've gotten enough info to get started. Let us know if you
have questions once you've actually tried setting some of this up.
I'm not convinced any more info from this list is going to help you at
this point.

Though again, you probably don't want to start *Wireshark*, but some
other program instead.

On Sat, Jan 16, 2010 at 1:52 AM, Karthik Balaguru
Post by Karthik Balaguru
Post by Hrishikesh Murali
Post by T***@public.gmane.org
Please advise me how you could start Wireshark automatically and use it to monitor network traffic at each boot-up.
Just add the line "wireshark&" to /etc/rc.local
...if you're running on a UN*X with an /etc/rc.local.  That obviously won't help on Windows.
I have been searching the internet for having the wireshark up as soon
as the windows boots up  -
1. http://www.tutorial5.com/content/view/43/47/
2. For Windows XP -
Click Start > All Programs > right click the 'Startup' folder > click
'Explore' > copy the Wireshark Shortcut there and you're done !!
The invocation of wireshark as soon as Windows starts up can be
done using the above methods. But, if wireshark has to get started
with certain specific configurations at startup, then a batch file
should be created for this and the shortcut to launch the batch file
should be placed into the Startup group on the Start menu. The batch
file can have commands to invoke wireshark with the desired
configurations using the command line options that are available with
it. (with the '-i' option to solve the interface selection problem &
other options can also be configured )
http://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
http://commandwindows.com/batch.htm
Lemme know if there are some other tricks !
Note that the X server must be running *before* Wireshark is started, as it's an X11-based application on UN*X.
As others have noted, it's not clear that Wireshark - or even the non-GUI TShark - would be the right tool for this purpose.  If somebody wants to record network *usage*, even running dumpcap or "tcpdump -w" might be overkill - capturing traffic won't just give them the amount of network traffic, it'll give you the full *contents* of the network traffic, so if they use, for example, 250GB/month of network traffic, capturing that traffic will consume at least 250GB/month of disk space....
Karthik Balaguru