...
Dumpcap is a CLI subtool of the commonly used Wireshark packet analysis tool, which can be run without launching the full Wireshark user interface. It leverages the WinPCAP driver and captures traffic specified by predefined capture filters on a user-defined network interface. We use dumpcap for its minimal resource utilization and automation capabilities. Your users will be able to set it up once and go about their job without disruption. You’ll see the application running as “dumpcap.exe” in Windows Task Manager following successful setup.
...
This method is best used for events which are reproducible on demand.
Using Dumpcap
Dumpcap runs in the background and does not disrupt the user experience. Once the necessary data has been captured, the process can be removed via the uninstall script. Logs can then be gathered and sent to the SharpenCare team. Like Wireshark, capture filters are configurable. By default, our dumpcap script captures only traffic sent or received to/from the Sharpen network and Google STUN resources. Since Sharpen infrastructure is dynamic, it is always best to double check with the SharpenCare team regarding whether the configured capture filter is in alignment with your current configuration.
This method is best used for incidents which are not easy to predict. You can set up the logging, wait for the issue to happen and then gather the logs. Log files are stored with date/time references to allow for historical use.
...
Info |
---|
Please note, due to encrypted RTP present in webRTC traffic, this guide is NOT applicable to Sharpen Q phone if we’re looking to capture and assess audio quality. For call quality concerns related to Sharpen Q phone, please refer to the webRTC-internals guide. Signaling and general RTP availability concerns through Sharpen Q Phone can still benefit from this guide. |
...
Download the DumpcapSetup here
Extract the contents
Double click the “Install.bat” script
You will likely be prompted by Windows Defender indicating “Windows Defender SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.” This is expected since the batch file was not created local to the machine in use.
Click the “More info” link, then choose “Run anyway”
User Account Control will prompt for elevated permissions. Continue or enter Administrator credentials to continue
Observe the text at the top of the command prompt window. It will display all the observed network interfaces available to dumpcap, and will launch the Windows Network Connections control panel
Input the corresponding numeric entry associated with the active network interface handling Sharpen traffic.
Tip: In most cases, multiple network adapters will show. Choose the one whose name matches the adapter showing the “Connected” status. Unless the machine is simultaneously connected to multiple networks, this will be the active adapter
Please also note that dumpcap’s identification of network adapters by ID can change upon reboot. The initial setup of this script sets the ID statically. So, if the ID changes, the capture will not work. If possible, it is best to disable all but the necessary (“Connected”) network interface for the duration of the data gathering.
Here’s an example from a machine with a few virtual adapters, a VPN, and a bridged WiFi connection. In this case, the bridge is the active connection, so option “1” would be chosen in the command prompt.
Press Enter
Setup is now complete
Validate logs are capturing
Navigate to Desktop\DumpCap\Captures
Observe whether file(s) such as the following exist
file_00001_20181101115841.pcap
File size is only expected to increase once audio traffic to/from Sharpen commences
Retrieval, Analysis, and Removal
...
Navigate to the original extraction point of the DumpcapSetup.zip
Locate the “Uninstall.bat” file and double-click
User Account Control will prompt for elevated permissions. Continue or enter Administrator credentials to continue
Navigate to Desktop\DumpCap\Captures
Identify the proper capture associated with the incident
Date and time can be interpreted by observing the file name
file_00001_20181101115841.pcap
Year, Month, Day, Hour, Minute, Second indicates the start time of the file
The Date Modified column in File Explorer indicates the end time of the file
Copy the identified packet capture file
Upload the file to a cloud storage solution such as Google Drive, OneDrive, Dropbox, etc.
Provide the public link to Sharpen in the SharpenCare case
Sharpen will analyze the capture in conjunction with server-side captures to help reach root cause understanding.
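One way to carry out the "identify the proper capture" step above when the Captures folder holds many files, as an added example that is not part of Sharpen's DumpcapSetup package. It assumes the file name pattern shown on this page and that both the name timestamp and Date Modified are in the capturing machine's local time; the function names are hypothetical.

```python
import re
from datetime import datetime
from pathlib import Path

# File name pattern shown on this page, e.g. file_00001_20181101115841.pcap
NAME_RE = re.compile(r"^file_(\d+)_(\d{14})\.pcap$")


def capture_start(name):
    """Return the start time encoded in a capture file name, or None."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(2), "%Y%m%d%H%M%S")
    except ValueError:  # 14 digits that do not form a valid date/time
        return None


def list_captures(directory):
    """Return (name, start, end) per capture; end is the Date Modified time."""
    found = []
    for path in sorted(Path(directory).glob("file_*.pcap")):
        start = capture_start(path.name)
        if start is not None:
            end = datetime.fromtimestamp(path.stat().st_mtime)
            found.append((path.name, start, end))
    return found


def captures_covering(captures, incident):
    """Return the names of captures whose start..end window holds the incident."""
    return [name for name, start, end in captures if start <= incident <= end]


if __name__ == "__main__":
    # Constructed sample data (not real captures): name, start, Date Modified.
    sample = [
        ("file_00001_20181101115841.pcap", datetime(2018, 11, 1, 11, 58, 41),
         datetime(2018, 11, 1, 12, 41, 7)),
        ("file_00002_20181101124107.pcap", datetime(2018, 11, 1, 12, 41, 7),
         datetime(2018, 11, 1, 13, 20, 0)),
    ]
    incident = datetime(2018, 11, 1, 12, 15, 0)  # time the user reported the issue
    print(captures_covering(sample, incident))
    # Real folder: captures_covering(list_captures(r"Desktop\DumpCap\Captures"), incident)
```

An empty result means the incident time falls outside every capture window, which is worth checking before uploading a file that cannot contain the event.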
...