Version:        1.00
Last Modified:  06/May/2022

Description:
This procedure describes how to set up a capture of specific network communication using dumpcap.exe (part of the Wireshark tool).
The procedure is suitable when a longer period of time needs to be captured: it stores the data to the HDD and performs file rotation to prevent disk space exhaustion. A standard Wireshark (GUI) capture is not suitable for this.

Prerequisites:
- Wireshark is installed in the directory C:\Program Files\Wireshark. For a different directory, the path in YSFdumpcap.bat must be reconfigured.
- There is only one network interface on the server where the procedure will be performed.
-- In case there are several network cards, the NIC identifier in YSFdumpcap.bat must be reconfigured (default value -i1; to list all the interfaces that can be monitored, run: dumpcap -D).
-- In case the server uses Unicast Windows Network Load Balancing, two separate scripts and scheduled tasks should be created (one for each NIC).
- The C: drive is available. If you wish to store the script or the output on a different drive, replace the drive letter in all files belonging to this procedure.

Required steps:
1) Create folder C:\YSFtemp\output
2) Copy attached file YSFdumpcap.bat to C:\YSFtemp
3) Edit YSFdumpcap.bat in case you need to alter some of capture parameters
   a. change the capture filter (parameter -f) in YSFdumpcap.bat as needed
      by default TCP and UDP ports 5012-5030 and 50003 are captured: -f "portrange 5012-5030||port 50003"
      to monitor just a single port, e.g. 50003, use: -f "port 50003"
      to monitor IP address 10.0.0.111 use: -f "host 10.0.0.111"
      for additional filters refer to https://www.tcpdump.org/manpages/pcap-filter.7.txt
   b. add "-s 80" (without quotes) as another parameter behind -i1 if you wish to capture only the first 80 bytes of every packet (saves disk space, but packet payloads are truncated)
4) Run YSFdumpcap.bat by double-clicking it and verify that a new file has been created in "C:\YSFtemp\output". Also verify that the batch file window shows a growing number of captured packets at the bottom of the screen (this requires that some communication matching the capture filter defined in the batch file is actually taking place).
5) Close the batch file window launched in step 4 and delete the content of the "C:\YSFtemp\output" directory
6) Create new scheduled task to launch YSFdumpcap.bat on the background every time the computer starts (or launch import_task.bat with administrative privileges to import the task) 
   a. name: YSFdumpcap
   b. user: Any account with administrative rights for local machine (preferably SYSTEM)
   c. trigger: At startup and At task Creation/modification 
   d. action: Start a program c:\YSFtemp\YSFdumpcap.bat
   e. conditions: Untick "Start the task only if the computer is on AC power" option 
   f. settings: Untick "Stop the task if it runs longer than:"
   g. settings: Untick If the running task does not end when requested, force it to stop
   h. launch the scheduled task
7) Verify that the scheduled task is running. Its status should be "Running".
8) Verify the new file in C:\YSFtemp\output has been created
9) Wait for issue to reoccur and gather the capture files stored in C:\YSFtemp\output
10) Stop and delete the scheduled task once the sufficient diagnostic data were gathered
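
The following PowerShell script is an added example, not the attached YSFdumpcap.bat or import_task.bat: it carries out steps 1 to 8 in one go and shows the dumpcap command line the procedure relies on. The content written into the batch file is an assumption (the attachment itself is not reproduced here); the Wireshark path, the interface index -i1 and the hourly rotation with 3 days of retention are taken from the defaults described above. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not the attached YSFdumpcap.bat / import_task.bat): builds the
# capture script and registers the scheduled task described in steps 1-8.
# Assumptions: default Wireshark path, interface index 1, C: drive, and that
# the batch file uses the dumpcap ring-buffer options shown here
# (-b duration:3600 -b files:72 = one file per hour, 72 files = 3 days kept).

$Base    = 'C:\YSFtemp'
$OutDir  = Join-Path $Base 'output'
$Script  = Join-Path $Base 'YSFdumpcap.bat'
$Dumpcap = 'C:\Program Files\Wireshark\dumpcap.exe'

if (-not (Test-Path $Dumpcap)) { throw "dumpcap.exe not found at $Dumpcap; adjust `$Dumpcap" }

# Step 1: create the output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Steps 2/3: write the capture script. Lines inside the here-string are batch syntax.
# - "del" implements the warning at the end of the document: files from a previous
#   run must go, because the ring buffer only rotates files created by the current run.
# - -f is the pcap-filter capture filter (step 3a); "-s 80" would go after -i1 (step 3b).
# - -b duration:3600 opens a new file every hour; -b files:72 keeps the newest 72
#   files (3 days) and deletes the oldest; -b requires -w for the file name prefix.
@"
@echo off
del /q "$OutDir\*.pcapng"
"$Dumpcap" -i1 -f "portrange 5012-5030||port 50003" -b duration:3600 -b files:72 -w "$OutDir\capture.pcapng"
"@ | Set-Content -Path $Script -Encoding ASCII

# Step 6: scheduled task running as SYSTEM at startup, no run-time limit,
# not stopped on battery and never forcibly terminated (steps 6a-6g).
$action    = New-ScheduledTaskAction -Execute $Script
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
                -DisallowHardTerminate -ExecutionTimeLimit ([TimeSpan]::Zero)   # PT0S = unlimited

Register-ScheduledTask -TaskName 'YSFdumpcap' -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Steps 6h/7: start the task now (this replaces the "At task creation/modification"
# trigger) and check that it is running.
Start-ScheduledTask -TaskName 'YSFdumpcap'
Start-Sleep -Seconds 5
$state = (Get-ScheduledTask -TaskName 'YSFdumpcap').State
if ($state -ne 'Running') { throw "Task state is '$state', expected 'Running'" }

# Step 8: a capture file should appear in the output folder
$files = Get-ChildItem -Path $OutDir -Filter 'capture_*.pcapng'
if (-not $files) { throw "No capture file created in $OutDir" }
$files | Select-Object Name, Length, LastWriteTime
```

The script skips the interactive test of steps 4 and 5; if you want to see the packet counter, run the generated batch file by hand first, close it, and only then register the task. To adapt it for a different NIC or drive, change -i1 in the here-string or the $Base variable rather than editing the generated file.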

Additional information:
- the batch file YSFdumpcap.bat uses dumpcap to capture all traffic on the defined ports/address
- the output of the batch file is stored in "C:\YSFtemp\output"
- output files roll over every hour; at most 3 days of captures are kept, older files are deleted automatically
- output filenames have the syntax capture_<sequence number>_<year><month><day><time>.pcapng, where the timestamp is the time the file was started
- the task runs in the background regardless of whether a user is logged in or not
- if the problematic issue (e.g. authentication failing) occurs e.g. at 14:00, provide the dumpcap output file covering this time and also the two dumpcap output files preceding it
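
To collect the files for an incident without picking them by hand, the following PowerShell function is an added example (not part of the original procedure): it parses the start timestamp out of each output file name, selects the file covering the incident time plus the two preceding it, and copies them to a safe location. The destination directory D:\captures and the 14:00 incident time are assumptions for the usage lines at the end.

```powershell
# Added example (not part of the original procedure): select the capture file
# covering an incident time plus the N preceding files and copy them away.
# Assumes the naming described above: capture_<seq>_<yyyyMMddHHmmss>.pcapng,
# where the timestamp is the time dumpcap opened the file.

function Select-CaptureFiles {
    param(
        [Parameter(Mandatory)][string]$OutDir,
        [Parameter(Mandatory)][datetime]$IncidentTime,
        [int]$Preceding = 2
    )
    # Parse the start time out of each file name; ignore anything that does not match.
    $entries = foreach ($f in Get-ChildItem -Path $OutDir -Filter '*.pcapng') {
        if ($f.Name -match '^capture_\d+_(\d{14})\.pcapng$') {
            [pscustomobject]@{
                File  = $f
                Start = [datetime]::ParseExact($Matches[1], 'yyyyMMddHHmmss', $null)
            }
        }
    }
    $entries = @($entries | Sort-Object Start)

    # The file covering the incident is the last one opened at or before that time.
    $idx = -1
    for ($i = 0; $i -lt $entries.Count; $i++) {
        if ($entries[$i].Start -le $IncidentTime) { $idx = $i }
    }
    if ($idx -lt 0) { throw "No capture file starts at or before $IncidentTime" }

    # Add the preceding files, clamped to the start of the list.
    $from = [Math]::Max(0, $idx - $Preceding)
    $entries[$from..$idx] | ForEach-Object File
}

# Usage (assumed values): issue seen at 14:00 today; copy the covering file and the
# two before it to D:\captures\<date> before anyone reboots the server.
$incident = Get-Date -Hour 14 -Minute 0 -Second 0
$dest     = Join-Path 'D:\captures' $incident.ToString('yyyyMMdd')
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Select-CaptureFiles -OutDir 'C:\YSFtemp\output' -IncidentTime $incident |
    Copy-Item -Destination $dest -PassThru
```

Because the files are named by their start time, the file covering an incident at 14:00 is the one whose timestamp is the latest at or before 14:00; the function relies on that rather than on file modification times, which change as long as dumpcap is still writing.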

Warning:
With every new start of YSFdumpcap.bat the content of "C:\YSFtemp\output" is erased. This is a necessity because the dumpcap ring buffer (the "-b" parameters) only rotates the files created by the current dumpcap run; files created before a restart of the utility would never be deleted and would remain on the disk forever.
Thus, if you need to keep capture files, make sure you copy them to a safe location before rebooting the server or restarting the scheduled task.