Run TShark as a Windows Service with AlwaysUp

How to Run TShark as a Windows Service with AlwaysUp

Ensure that Wireshark's TShark utility starts automatically at boot and captures your network traffic 24/7. Set it and forget it.


Last Updated on April 17, 2026

Wireshark is a popular set of network protocol analyzer tools; TShark is a command line component designed to capture network traffic.

In this guide, we'll show you how to start TShark soon after boot and keep it running all the time — despite crashes and other interruptions. It will only take you a few minutes to follow the step-by-step instructions below.


To install and run TShark as a Windows Service with AlwaysUp:

  1. Download and install Wireshark, if necessary. Be sure to install the TShark component.

    Also, please make a note of where you installed Wireshark as we will need that location in a later step.

  2. Download and install AlwaysUp, if necessary.

  3. Start AlwaysUp.

  4. Select Application > Add to open the Add Application window.

  5. On the General tab:

    • In the Application field, enter the full path to the TShark executable, tshark.exe. If you installed Wireshark in the default location, this is:

      C:\Program Files\Wireshark\tshark.exe
    • In the Arguments field, enter your command line flags for tshark.exe.

      For this tutorial, we specify the following parameters to capture raw packets from a specific device into a rotating set of data files (none of these parameters is specifically required to run TShark as a service):

      -i \Device\NPF_{FBE91814-7772-4982-B54A-3D83E91E6219} -b filesize:10000 -b files:5 -w "C:\TShark-Logs\raw-packet-data.pcap"

      Note that you can run tshark.exe -D to list the interfaces available on your system.

      Be sure to put quotes around any file names containing spaces. Indeed, certain options like -f and -w require double quotes around their values.

    • In the Name field, enter the name that you will call your application in AlwaysUp. We have used TShark but you can specify another value if you like.


  6. Move to the Logon tab and enter the user name and password of the account where you installed and run Wireshark.

    Note: Running in a user account is not strictly required. In truth, TShark should work fine from the System account where Windows Services run. However, we recommend using your own account at first since you know it works there. Feel free to revisit this setting later, after you get TShark running in your own account.


  7. Click over to the Startup tab and check the Ensure that the Windows Networking components have started box. This informs AlwaysUp that TShark needs the TCP/IP networking stack properly initialized before it can start its work.


  8. Click the Save button. In a couple of seconds, an application called TShark (or whatever you called it) will appear in the AlwaysUp window. TShark is now installed as a Windows Service. However, it is not yet running, and the state will be "Stopped".

  9. To start your TShark service, choose Application > Start "TShark". The state will transition to "Running" and network capture will start in the background.

  10. And that's it! Next time your computer boots, TShark will start logging your network traffic immediately, before anyone logs on.

    We encourage you to edit the entry in AlwaysUp and explore the other settings that may be appropriate for your unique environment.

    For example, you can:
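
Before relying on the service, it helps to confirm from a console that the step 5 arguments actually capture. The PowerShell script below is an added example, not part of the original guide or of AlwaysUp; it assumes the default install path, reuses the tutorial's interface GUID and C:\TShark-Logs folder, and writes to a hypothetical file name, preflight-test.

```powershell
# Added example: pre-flight check for the step 5 arguments (not from the original guide).
# Assumed values: default install path, the tutorial's interface GUID and log folder.
$tshark    = 'C:\Program Files\Wireshark\tshark.exe'
$interface = '\Device\NPF_{FBE91814-7772-4982-B54A-3D83E91E6219}'
$logDir    = 'C:\TShark-Logs'
$baseName  = 'preflight-test'   # hypothetical name, kept apart from the real capture files

if (-not (Test-Path -LiteralPath $tshark)) { throw "tshark.exe not found at $tshark" }

# 1. The interface in the Arguments field must be one that 'tshark -D' reports.
$listed = & $tshark -D 2>&1 | ForEach-Object { "$_" }
if (-not ($listed | Select-String -SimpleMatch -Pattern $interface -Quiet)) {
    $listed | ForEach-Object { Write-Host "  $_" }
    throw "Interface $interface is not in the list above; update the -i value."
}

# 2. -w does not create missing folders, so make sure the capture folder exists.
if (-not (Test-Path -LiteralPath $logDir)) {
    New-Item -ItemType Directory -Path $logDir | Out-Null
}

# 3. Ten-second trial capture using the tutorial's ring-buffer flags.
$tsArgs = @('-i', $interface, '-b', 'filesize:10000', '-b', 'files:5',
            '-a', 'duration:10', '-w', (Join-Path $logDir "$baseName.pcap"))
& $tshark @tsArgs
if ($LASTEXITCODE -ne 0) { throw "tshark exited with code $LASTEXITCODE" }

# Ring-buffer mode appends a sequence number and timestamp to the file name.
$written = @(Get-ChildItem -Path $logDir -Filter "${baseName}_*.pcap")
if ($written.Count -eq 0) { throw "No capture file was written to $logDir" }
$written | Select-Object Name, Length | Format-Table -AutoSize
$written | Remove-Item

# 4. Capture files hold raw traffic: review who can read the folder.
(Get-Acl -LiteralPath $logDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Run it under the same account you enter on the Logon tab so the result reflects the permissions the service will have.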


TShark not working properly as a Windows Service?

  • Consult the AlwaysUp Troubleshooter — our online tool that can help you resolve the most common problems encountered when running an application as a Windows Service.

  • From AlwaysUp, select Application > Report Activity > Today to bring up an HTML report detailing the interaction between AlwaysUp and TShark. The AlwaysUp Event Log Messages page explains the more obscure messages.

  • Browse the AlwaysUp FAQ for answers to commonly asked questions and troubleshooting tips.

  • Contact us and we will be happy to help!
