How to run TShark as a Windows Service.
What is TShark?
TShark is a terminal oriented version of Wireshark designed for capturing and displaying packets.
Can TShark be run as a Windows Service?
The application can be run as a Windows Service using FireDaemon Pro, which allows you to have the application start automatically at boot prior to login, start multiple instances of the application and more. This HOWTO will show you how to set it up. You can also use Fusion to manage FireDaemon and other Windows services via a web browser.
How to set up TShark under FireDaemon Pro
1. Download the latest version of Wireshark from the official website.
2. Install the Wireshark application.
By default it installs to C:\Program Files\Wireshark. Make sure to select the option to install TShark when prompted.
3. Create a directory where you want the capture logs to be stored.
For this HOWTO we will use C:\TShark Output\.
4. Download and install FireDaemon Pro into the directory of your choice, typically C:\Program Files\FireDaemon.
5. Next start the FireDaemon GUI from the desktop shortcut.
Click on the "Create a new service definition" button in the toolbar (or type Ctrl+N) and enter the information into the fields as you see below. Adjust the paths to suit your installation. Note the required parameters.
- Executable: The path to your tshark.exe file. For the purposes of this HOWTO, the path is C:\Program Files\Wireshark\tshark.exe.
- Working Directory: The directory containing your tshark.exe file. For the purposes of this HOWTO, the path is C:\Program Files\Wireshark
The most important field on the tab is the Parameters. The Parameters define the initial setup of your server.
Here’s the full parameter list you should have:
-w "C:\TShark Output\File" -b duration:3600
- -w "C:\TShark Output\Capture" Saves the output to a file named "Capture" in "C:\TShark Output". You can change the path and file name to anything you want. The raw data in this file can only be analysed by opening it with TShark. If you create the logs files in a directory and the directory does not exist, then the service will not start.
- -b duration:3600 Replace 3600 with the number of seconds to elapse before creating a new file. Be careful with this as you can end up with thousands of files. If you do not set this parameter than everytime the service is started it will overwrite the log file.
- NOTE: If you want to change any other settings you can find more parameters here.
- If you want text output instead, then don't add any parameters. More info on how to configure this later in the HOWTO.
Step 6. Now click on the Settings tab.
If you DON'T want to see TShark running, uncheck the Interact with Desktop check box & select "Hidden" from the "Show Window" dropdown. You must set the job type to "Global" so that child processes are terminated properly when the service is stopped or restarted. You can optionally run TShark as the user you installed it as. You can change the Process Priority to allocate more CPU time to TShark or specify which CPU or core TShark will run on (in the case of multi-processor, hyperthreaded or multi-core CPUs).
Step 7. Now click on the Lifecycle tab.
Uncheck Graceful Shutdown as it can slow the shutdown of TShark.
Step 8. If you want to use text output instead of raw output then click on the Logging tab.
Choose a path to a log file.
Step 9. Now click on the Scheduling tab.
Set the restart schedule to Every 24 Hours. TShark has an issue where it exhausts all available memory; read more on the issue here. This means you will need to restart TShark on a regular basis. You may need to play with the restart frequency depending on the amount of memory the computer has and the amount of packets being captured. You need 10 times more memory than the total file capture size. So let's say the total file capture size is 500MB after 24 hours of use. This means 5GB of free RAM, then you will need to set the restart frequency faster (e.g. Every 12 hours).