How to run Wireshark as a Windows service

9:01 AM

Setting Wireshark to run as a Windows service

1. Install Wireshark onto the system you wish to monitor.
2. Find the files "instsrv.exe" and "srvany.exe" from the respective Windows Server resource kits and copy them to the server.
3. Find the "NIC ID" of the card you want to monitor.
   From a command prompt, list the interfaces and write them to a file:
   "<path to Wireshark folder>\tshark.exe" -D > "<path to Wireshark folder>\nic.txt"
   You can also start Wireshark and find the NIC through the GUI.
4. To set up Wireshark as a service, from a command prompt type:
   "<path to instsrv.exe>\instsrv.exe" Wireshark "<path to srvany.exe>\srvany.exe"
5. Add the Wireshark parameters to the registry:
  • Run regedit
  • Locate the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wireshark
  • Add a new subkey "Parameters"
  • Under it, add a REG_SZ value called "Application"
  • Value = "C:\Program Files\Wireshark\tshark.exe" -i <NIC ID> -t ad -p -n -w "C:\capture log file name.pcap"
6. Open services.msc and set "Allow service to interact with desktop" for the Wireshark service you created.
7. At this point you will either need to reboot the server or make a new connection to the server to start the Wireshark service.
If the service fails to start, the most common cause is an incorrect NIC ID. Try running
"C:\Program Files\Wireshark\tshark.exe" -i <NIC ID> -t ad -p -n -w "C:\capture log file name.pcap"
from the command line, changing the NIC ID until the capture starts, and then retry the service.

CAUTION: WIRESHARK LOGS CAN BECOME LARGE QUICKLY IF THE CAPTURE IS USING THE DEFAULT PROMISCUOUS MODE.
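The following PowerShell script is an added example and is not part of the original post. It automates steps 3, 4, 5 and 7 above and the troubleshooting check, and adds two controls the procedure does not mention: a tshark ring buffer (-b filesize / -b files) so the capture cannot fill the disk, which addresses the caution above, and an ACL on the capture directory so only SYSTEM and Administrators can read the captures. The tool paths, the capture directory, the interface friendly name and the buffer sizes are assumptions; adjust them for your system.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): set up tshark under srvany.exe as a Windows
# service with a bounded ring buffer and a restricted capture directory.

$tshark     = 'C:\Program Files\Wireshark\tshark.exe'   # assumed Wireshark install path
$instsrv    = 'C:\Tools\instsrv.exe'                     # assumed location of the resource kit tools
$srvany     = 'C:\Tools\srvany.exe'
$svcName    = 'Wireshark'
$captureDir = 'C:\Captures'                              # assumed capture directory
$wantedNic  = 'Ethernet'                                 # assumed friendly name of the NIC to monitor

foreach ($f in $tshark, $instsrv, $srvany) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Step 3: resolve the NIC ID. "tshark -D" prints lines such as
#   1. \Device\NPF_{GUID} (Ethernet)
# so match the friendly name in parentheses and keep the device path before it.
$nicId = $null
foreach ($line in (& $tshark -D 2>&1)) {
    if ("$line" -match '^\d+\.\s+(\S+)\s+\((.+)\)\s*$' -and $Matches[2] -eq $wantedNic) {
        $nicId = $Matches[1]
        break
    }
}
if (-not $nicId) { throw "No interface named '$wantedNic' found in 'tshark -D' output." }

# Capture directory readable only by SYSTEM and Administrators: packet captures often
# contain credentials and session tokens, so do not leave them readable by every user.
New-Item -ItemType Directory -Path $captureDir -Force | Out-Null
icacls $captureDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null

# The troubleshooting check from the post, done up front: run tshark for 5 seconds with the
# same interface and options the service will use. A non-zero exit code means the NIC ID is wrong.
& $tshark -i $nicId -p -n -a duration:5 -w "$captureDir\selftest.pcap" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "tshark refused interface $nicId (exit code $LASTEXITCODE); fix the NIC ID first." }
Remove-Item -LiteralPath "$captureDir\selftest.pcap" -ErrorAction SilentlyContinue

# Step 4: register srvany.exe as the service executable.
& $instsrv $svcName $srvany | Out-Null
if ($LASTEXITCODE -ne 0) { throw "instsrv.exe failed with exit code $LASTEXITCODE" }

# Step 5: the command line srvany will launch, stored in Parameters\Application.
# "-b filesize:102400 -b files:20" keeps at most 20 files of about 100 MB each (roughly 2 GB),
# which bounds disk use; the sizes are assumptions. Quotes protect paths containing spaces.
$cmd = "`"$tshark`" -i $nicId -t ad -p -n -b filesize:102400 -b files:20 -w `"$captureDir\capture.pcap`""
$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName\Parameters"
New-Item -Path $paramKey -Force | Out-Null
New-ItemProperty -Path $paramKey -Name 'Application' -PropertyType String -Value $cmd -Force | Out-Null

# Step 7: start the service now instead of rebooting, then confirm it is running and writing files.
Start-Service -Name $svcName
Start-Sleep -Seconds 5
$svc = Get-Service -Name $svcName
if ($svc.Status -ne 'Running') {
    throw "Service $svcName is '$($svc.Status)'; check the Application value and the System event log."
}
Get-ChildItem -LiteralPath $captureDir -Filter '*.pcap*' | Select-Object Name, Length
```

Run it from an elevated PowerShell prompt. Step 6 ("Allow service to interact with desktop") is deliberately left out: tshark is a console program with no window to show, and current Windows versions no longer run interactive services, so enabling it only widens the service's exposure. The service runs as LocalSystem by default; if a less privileged account is preferred, it needs read/write access to the capture directory and membership in the group Npcap was configured to allow for packet capture.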
