SYMPLIFY LEARNING

Using dumpcap for extended packet captures

What is dumpcap?

Dumpcap is a network traffic dump tool that is installed as part of the Wireshark installation package.

Because Wireshark offers a simple-to-use GUI, we are usually able to use Wireshark without needing to interact with some of the lower-level programs that actually make Wireshark work. One such program is dumpcap. Think of dumpcap as the tool that is actually capturing the traffic on your network interface. Wireshark simply calls on dumpcap to capture the traffic, then reads the traffic captured by dumpcap and displays it in a more readable GUI.

Dumpcap can be very useful when troubleshooting intermittent issues on your device or network. You may not want to leave Wireshark running and saving all the captured traffic to a single file, because you could end up with a capture file that is several gigabytes in size, which will be difficult to use for an investigation.

With dumpcap, you can ensure that all traffic through an interface is being captured while setting it to start capturing into a new file every time the previous file reaches a specified size, e.g. 100 MB.

Additionally, by using the ring buffer setting, you can also define the maximum number of capture files to keep, so that when that number is reached, capturing continues but the oldest file is deleted each time a new one is started.

Consider a scenario where you are having intermittent connectivity issues on your endpoint. You might want to allow captures to run on your laptop for as long as you are using it, so that you can investigate when the problem occurs. But you also don't want everything captured in one large file. In such a scenario, you can use dumpcap to ensure traffic is constantly being captured up to a file size of, say, 20 MB. After each 20 MB file, all traffic starts being captured to a new file, with a ring buffer of 4 files. This way, you don't keep many unnecessary files on your machine, but at the same time you can be sure that you can reference captures from that interface when the problem occurs again.

To determine the interface I want to capture traffic on using dumpcap, I first use the command: dumpcap -D

➜  ~ dumpcap -D
1. en0 (Wi-Fi)
2. llw0
3. utun0
4. utun1
5. utun2
6. utun3
7. en4 (USB 10/100/1000 LAN)

If I want to capture traffic on the wired interface, I now know the interface number is 7.

Now I want to send the captured files to a specific folder while ensuring that each capture file is a maximum of 20 MB. Additionally, once there are 4 files, any new capture will overwrite the oldest file. To do this, I run the command below:

dumpcap -i 7 -w Documents/extended_captures/wifi.pcapng -b filesize:20000 -b files:4
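The following is an added example, not part of the original post, showing the same ring-buffer capture wrapped in a small POSIX shell function. It makes the unit conversion explicit (dumpcap's -b filesize: value is in kilobytes, which is why the post uses 20000 for 20 MB) and optionally adds the -b duration: condition from the dumpcap man page so files also rotate on a time boundary. The interface number 7, the output path and the 20 MB / 4 file values are the post's own; the function names, the DRY_RUN variable and the en4 example values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build and run a dumpcap
# ring-buffer capture from human-friendly arguments.
# Assumes dumpcap is on PATH (it ships with Wireshark).

# build_dumpcap_cmd IFACE OUTFILE SIZE_MB NUM_FILES [DURATION_SEC]
# Prints the dumpcap command line without running it.
# -b filesize: takes kilobytes, so megabytes are multiplied by 1000,
# matching the post's "filesize:20000" for 20 MB files.
build_dumpcap_cmd() {
    iface="$1"; outfile="$2"; size_mb="$3"; num_files="$4"; duration="${5:-}"
    size_kb=$((size_mb * 1000))
    cmd="dumpcap -i $iface -w $outfile -b filesize:$size_kb -b files:$num_files"
    # Optional: also start a new file every DURATION_SEC seconds, so a quiet
    # interface still yields files with predictable timestamps in their names.
    if [ -n "$duration" ]; then
        cmd="$cmd -b duration:$duration"
    fi
    printf '%s\n' "$cmd"
}

# run_ring_capture IFACE OUTFILE SIZE_MB NUM_FILES [DURATION_SEC]
# Creates the output directory (dumpcap does not), then runs the capture.
# Set DRY_RUN=1 to only print the command, e.g. to check it before running.
run_ring_capture() {
    outdir=$(dirname "$2")
    mkdir -p "$outdir"
    cmd=$(build_dumpcap_cmd "$@")
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$cmd"
    else
        # shellcheck disable=SC2086  # intentional word splitting of the built command
        $cmd
    fi
}

# Usage matching the post: interface 7, 20 MB files, ring of 4 files.
# DRY_RUN=1 run_ring_capture 7 Documents/extended_captures/wifi.pcapng 20 4
```

Capturing requires permission to open the capture device (on macOS the Wireshark installer sets up an access_bpf group for this; on Linux distributions typically use a wireshark group with a privileged dumpcap), so run the wrapper as a user with that access rather than as root.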

This is useful because dumpcap inserts a sequence number and a timestamp into the name of each file it writes (for example wifi_00001_20240101120000.pcapng), so that you know which file to review if the incident suddenly happens again.

More information on dumpcap can be found here: https://www.wireshark.org/docs/man-pages/dumpcap.html