I'm running Server 2022 with a SET team for my VMs. Previously, I was able to install Wireshark on our DHCP VM with no issues, but now I have to troubleshoot an SQL production application that keeps crashing, and the vendor has requested that I use Wireshark for capturing network traffic. Is it okay to install Wireshark directly on our SQL VM, or would it be safer to approach this differently, like installing it on another VM and using port mirroring? Thanks for your help!
2 Answers
You actually don’t need to install anything at all for packet captures on Windows! You can capture the network trace and then convert it to Wireshark format using etl2pcapng, which you can find on GitHub. It's a neat way to avoid any installation headaches.
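The install-free capture this answer describes, as an added example that is not part of the original answer: the built-in `netsh trace` provider writes an ETL ring buffer on the SQL VM, and `etl2pcapng.exe` (from https://github.com/microsoft/etl2pcapng) converts it for Wireshark on any other machine. The path `C:\Temp`, the tool location `C:\Tools`, and the client address `10.0.0.25` in the optional filter are assumptions.

```powershell
# Added example, not from the original answer. Run from an elevated prompt on
# the SQL VM. Assumptions: C:\Temp exists and etl2pcapng.exe was copied to
# C:\Tools. Nothing is installed on the server.

# Start a packet capture into a 1 GB circular file. report=disabled skips the
# diagnostics .cab that netsh otherwise builds on stop, which can take minutes.
# persistent=yes keeps the trace running across a reboot of the VM.
netsh trace start capture=yes report=disabled persistent=yes `
    tracefile=C:\Temp\sql.etl maxsize=1024 overwrite=yes

# Optional: restrict the capture to one client (assumed address 10.0.0.25)
# by appending a capture filter to the start command instead:
#   netsh trace start capture=yes report=disabled tracefile=C:\Temp\sql.etl `
#       maxsize=1024 overwrite=yes IPv4.Address=10.0.0.25

# Confirm the trace is running, then reproduce the problem or wait for it.
netsh trace show status

# Stop the capture once the crash has occurred.
netsh trace stop

# Convert the ETL to pcapng; open the result in Wireshark on another machine.
& C:\Tools\etl2pcapng.exe C:\Temp\sql.etl C:\Temp\sql.pcapng
```

Because the file is circular, the oldest packets are overwritten once `maxsize` is reached, so stop the trace promptly after the crash or raise `maxsize` if the wait between failures is long.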
If you have the capability, it's usually better to have a separate VM for network capturing via port mirroring. It keeps your production SQL server more stable since you're not installing Wireshark there directly. You could do this on another Windows Server VM with a GUI, or even a lightweight Linux VM using tcpdump. One thing to consider is how enabling port mirroring might impact the performance of your production SQL server, but overall this is safer than running captures directly on that server. Also, remember that installing Wireshark on Windows might require a reboot, mainly due to the npcap dependency.
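The separate-capture-VM setup this answer recommends, as an added example that is not part of the original answer: Hyper-V port mirroring is configured per virtual network adapter from the host, and the capture VM runs tcpdump. The VM names `SQL01` and `CAP01`, the interface `eth0`, and the SQL port `1433` are assumptions.

```powershell
# Added example, not from the original answer. Run on the Hyper-V host as an
# administrator. Assumed names: SQL01 is the production SQL VM (mirror source),
# CAP01 is the capture VM (mirror destination). Both must be connected to the
# same virtual switch (the SET team) for mirroring to work.

# Check switch membership and the current mirroring mode before changing anything.
Get-VMNetworkAdapter -VMName SQL01, CAP01 |
    Select-Object VMName, Name, SwitchName, PortMirroringMode

# Copy every frame SQL01's adapter sends or receives to CAP01's adapter.
Set-VMNetworkAdapter -VMName SQL01 -PortMirroring Source
Set-VMNetworkAdapter -VMName CAP01 -PortMirroring Destination

# On CAP01 (Linux) capture only SQL traffic into a rotating ring of ten
# 500 MB files, so a multi-day wait for the crash cannot fill the disk
# (eth0 and port 1433 are assumptions):
#   sudo tcpdump -i eth0 -n -s 0 -C 500 -W 10 -w /var/tmp/sql.pcap 'tcp port 1433'
# tcpdump enables promiscuous mode by default, which is required here because
# the mirrored frames carry SQL01's addresses, not CAP01's.

# Turn mirroring off again once the capture is done.
Set-VMNetworkAdapter -VMName SQL01, CAP01 -PortMirroring None
```

Mirroring only costs the source VM the duplicated frame copy on the virtual switch, so it can be left enabled for as long as the capture VM has disk space for the ring of files, and it is reverted with the last command without touching the SQL VM itself.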
Thanks! I can always turn off port mirroring if it causes issues. I'm in my maintenance window right now, so I'm going to try this.
Just a heads up, the Wireshark and Npcap installations usually don't need a reboot to run, although they do suggest it. I've had no issues running it without one.
This sounds intriguing! We experience random crashes in our database app, especially in the mornings when logging in becomes impossible, which makes me skeptical that it's a network issue. I'm hoping to leave this running until the problem occurs to catch it. I'm trying to get the hang of Wireshark, but I'm having issues with the capture controls becoming unresponsive, even with the VM only using 10% of CPU and 30% of host resources. I have 5 cores and 10 GB of RAM allocated. Any tips?