Capturing traffic with Dumpcap

The dumpcap.exe file is the executable that Wireshark actually runs under the covers to capture packets and save them to a trace file in libpcap format. You can run Dumpcap on the command line to circumvent using the Wireshark GUI and use fewer resources. A list of command-line options is available by typing dumpcap.exe -h.

Some of the most useful options are as follows:

-D: This prints a list of available interfaces and exits
-i <interface>: This specifies a name or index number of an interface to capture on
-f <capture filter>: This applies a capture filter in the Berkeley Packet Filter (BPF) syntax
-b filesize: This is the file size
-w <outfile>: This is the name of the file where the files will be saved

An example ...

Get Wireshark Essentials now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Wireshark Essentials by James H. Baxter

Capturing traffic with Dumpcap

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly