Detect live wireshark traces on monitored servers with SAM?

Hello,

Does anybody would know how or have a creative way to approach my request: I want to poll defined servers and see if a live Wireshark/Pcap capture is being done.

We have a few servers and maintenance PC that have Wireshark installed on them. The use is permitted for troubleshooting/eng purposes, but we would like to monitor when and for how long the traces are running (ie Packet captures, not just the program running idle).

Once I gather this info, I would like to do some basics alerts like "alert me when a Wireshark trace is running for more than X minutes/hours" so somebody does not forget a trace and fills a disk (yes I know, there's parameters for that, but not everyone could think of that everytime ).

As an added goodie, it would be nice to poll the capture filters if that is possible, but this is a wish, not a requirement.

Find more posts tagged with

sam

wireshark

sam template

packet_capture_wireshark_sniffer

Accepted answers

All comments

d09h

Seems like this would be a starting point:

Process monitor

Process monitor for Windows

Set some value for these and perhaps fine-tune:

CPU Threshold

Physical Memory Threshold

Virtual Memory Threshold

IO Read Operations/Sec Threshold

IO Write Operations/Sec Threshold

IO Total Operations/Sec Threshold

Perhaps alerts would be useful...If a capture was running, you may find some of these values to be above a threshold. A little trial and error might be required.

Combine this functionality with:

Directory Size monitor

...File Extensions Filter

Determines which file extensions are included in the disk space usage calculations for the directory size. It is a text matching filter, and * is a wildcard....

Directory Size

...

By default, the File Extensions Filter option is set to the wildcard, [*]. This means the monitor will calculate the size of all the files. If you need to calculate the size of a certain type of file, add the proper extension, as in the following example:

For example: For only ZIP archives, you should set the filter option to "zip".

My suggestion: 'For example: For only PCAP archives, you should set the filter option to "pcap".

There's probably something I'm missing here...some fatal flaw.