Scheduling Wireshark Windows 2003 64 Bit R2


#1

I have the below script scheduled on Windows 2003 R2 64 Bit Standard edition. Wireshark version 1.4.4 with WinPcap 4.1.2. I ran it the first few times from the command line and it did run without any issues. I also ran it a few times from the Scheduled Task and it did run without any issues. Now when I check it in the morning it shows that it did run, however when I look in the directory for the capture file there are no files. So I ran the same command from the command line and now I get the following error message:

Debug Console
wireshark: You cannot specify both a live capture and a capture file to be read.

Press any key to exit.

Script:

@echo off

set KC_cmd_log=E:\KC_Capture\KC_FTPS_cmd.log

if not exist %KC_cmd_log% echo "%date%" "%time%" "New log file created." > %KC_cmd_log%

rem Only capture when the marker file kc_ exists (labels are case-insensitive)
if exist E:\KC_Capture\kc_. goto RUN_KCFTPS
goto SKIP_KCFTPS

:RUN_KCFTPS
echo "%date%" "%time%" "Running KC_Capture script." >> %KC_cmd_log%
rem Directory and executable must be separated by a backslash.
rem NOTE: %time:~0,2% is space-padded before 10:00 (" 5"), so the unquoted -w
rem path below splits into two arguments at that hour; Wireshark then treats
rem the second token as a capture file to read.
"e:\program files\wireshark\wireshark" -i \Device\NPF_{62323AB8-AAE0-4CDB-8846-D6972A6FE594} -k -a duration:180 -w e:\KC_Capture\KC_530am_%date:~4,2%%date:~7,2%%date:~10,4%%time:~0,2%%time:~3,2%

echo "%date%" "%time%" "Capture command returned with ERRORLEVEL %ERRORLEVEL%" >> %KC_cmd_log%
goto DONE

:SKIP_KCFTPS
echo "%date%" "%time%" "No Traffic to Capture - skipping KC_Capture script." >> %KC_cmd_log%
goto DONE

:DONE
set KC_cmd_log=

=========================================================================================================

If anyone out there could shed some light on what I'm doing wrong, I'd really appreciate it.

P.S. please focus on the wireshark command only and forget about the rest of the script.

Best Regards,


#2

Ok. After further troubleshooting I used Tshark to achieve the same goal.

@echo off

set KC_cmd_log=E:\KC_Capture\KC_FTPS_cmd.log

if not exist %KC_cmd_log% echo "%date%" "%time%" "New log file created." > %KC_cmd_log%

rem Only capture when the marker file kc_ exists (labels are case-insensitive)
if exist E:\KC_Capture\kc_. goto RUN_KCFTPS
goto SKIP_KCFTPS

:RUN_KCFTPS
echo "%date%" "%time%" "Running KC_Capture script." >> %KC_cmd_log%
rem %time:~0,2% is space-padded before 10:00 (" 5"); replace the space with 0
rem and quote the -w path so the filename never splits into two arguments.
set KC_hh=%time:~0,2%
set KC_hh=%KC_hh: =0%
rem Directory and executable must be separated by a backslash.
"e:\program files\wireshark\tshark" -i \Device\NPF_{62323AB8-AAE0-4CDB-8846-D6972A6FE594} -a duration:180 -w "e:\KC_Capture\KC_530am_%date:~4,2%%date:~7,2%%date:~10,4%%KC_hh%%time:~3,2%"

echo "%date%" "%time%" "Capture command returned with ERRORLEVEL %ERRORLEVEL%" >> %KC_cmd_log%
goto DONE

:SKIP_KCFTPS
echo "%date%" "%time%" "No Traffic to Capture - skipping KC_Capture script." >> %KC_cmd_log%
goto DONE

:DONE
set KC_cmd_log=
set KC_hh=

I scheduled it and was able to run it.

Now my question: would anyone out there please post how to use it from the command line to capture only FTP traffic?

Thanks,
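One way to restrict the scheduled tshark capture to FTP traffic, as an added example that is not the poster's script: it uses tshark's -f capture filter (BPF syntax) and keeps the quoted, zero-padded output path. The tshark path, output directory and the port list are assumptions; the interface name is the one from the posts above.

```batch
@echo off
rem Added example: scheduled tshark capture of FTP control traffic only.
rem Assumed: tshark location, output directory, and which FTP ports matter.
setlocal

set "TSHARK=e:\program files\wireshark\tshark.exe"
set "IFACE=\Device\NPF_{62323AB8-AAE0-4CDB-8846-D6972A6FE594}"
set "OUTDIR=e:\KC_Capture"
set "LOG=%OUTDIR%\KC_FTPS_cmd.log"

rem Plain FTP and explicit FTPS (AUTH TLS) use port 21; implicit FTPS uses 990.
rem Caveat: FTP data connections run on negotiated ports (PASV/PORT) and are
rem NOT matched by this filter; only the control channel is captured.
set "FILTER=tcp port 21 or tcp port 990"

rem Zero-pad the hour: %time% reads " 5:30:00.00" before 10:00.
set "HH=%time:~0,2%"
set "HH=%HH: =0%"
set "STAMP=%date:~10,4%%date:~4,2%%date:~7,2%_%HH%%time:~3,2%"
set "OUTFILE=%OUTDIR%\KC_ftp_%STAMP%.pcap"

echo "%date%" "%time%" "Starting FTP capture to %OUTFILE%" >> "%LOG%"

rem -i interface, -f capture filter, -a duration: stop after N seconds,
rem -w write packets to file. No -r, so nothing is read from a file.
"%TSHARK%" -i "%IFACE%" -f "%FILTER%" -a duration:180 -w "%OUTFILE%"

echo "%date%" "%time%" "tshark returned ERRORLEVEL %ERRORLEVEL%" >> "%LOG%"
endlocal
```

Running "%TSHARK%" -D once by hand lists the interface names tshark sees, which is the quickest way to confirm the NPF GUID before scheduling the script.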