I have a computer in our office that always gets infected by viruses. Because of this, I would like to use Wireshark (or at least something) to monitor internet traffic for a while on this machine. How can I have it start at boot time and begin monitoring without the user interface popping up? I would like to have this begin silently so that he does not know we are monitoring his traffic.

EDIT: Sorry, it is Windows XP.


Solution 1:

If it is an internal box, then there should be a server acting as his gateway to the internet. Set up Wireshark to monitor the traffic on this box, with a rule set for only his IP address.

Alternatively, if you don't have a central node to watch across, set up Ettercap and start ARP poisoning. His machine will silently send traffic to you, which you silently pass on. There will be a performance hit on his end, but you get that with Wireshark as well.

If you want to start Wireshark silently in the background on his machine, you need to realize that Wireshark is natively a GUI application. As Zoredache noted, you may want to use a command-line-based tool instead. The only option I can come up with is noted here: http://www.wireshark.org/docs/man-pages/wireshark.html

Set the display variable to be something other than the primary display, most likely an X11 session forwarded over SSH. This option will not be available in Windows.

Solution 2:

You're going to want a command-line call for this. For example, download something like WinDump. Then set up a scheduled task that initiates on login, or periodically if you want smaller hour-long dump files (they can get big). The capture file will be viewable in Wireshark.

The specific command line will likely be C:\foo\bar\windump.exe -i 1 -w C:\foo\bar\dumpfile.cap.

You'll also want to hide the scheduled task's command window.
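An added example, not part of the answer above: a VBScript wrapper that does what this answer describes on Windows XP. It launches WinDump with a hidden console window (WScript.Shell.Run with window style 0), skips the launch if a copy is already running so that a second logon does not start a second sniffer writing into the same files, and uses WinDump's -C/-W size-based ring buffer instead of one ever-growing capture file. The paths, interface index, rotation sizes, task name and capture filter are assumptions for illustration; confirm the interface index with windump -D before relying on it.

```vbscript
' capture.vbs -- added example (not from the answer): start WinDump hidden at logon.
' All paths, the interface index, the rotation sizes and the filter are assumptions.
Option Explicit

Const WINDUMP    = "C:\foo\bar\windump.exe"   ' assumed install path, as in the answer
Const CAPDIR     = "C:\foo\bar\caps"          ' assumed output directory for the pcap files
Const IFACE      = "1"                        ' interface index; confirm first with:  windump -D
Const ROTATE_MB  = "100"                      ' -C: start a new file after ~100 million bytes
Const KEEP_FILES = "24"                       ' -W: keep 24 files, then overwrite the oldest
Const FILTER     = "not port 3389"            ' assumed BPF filter: leave out our own RDP session

Dim sh, fso, wmi, procs, cmd

' Don't start a second sniffer if one is already running (onlogon tasks fire on every logon).
Set wmi   = GetObject("winmgmts:\\.\root\cimv2")
Set procs = wmi.ExecQuery("SELECT ProcessId FROM Win32_Process WHERE Name = 'windump.exe'")
If procs.Count > 0 Then WScript.Quit 0

' Make sure the output directory exists; WinDump will not create it for us.
Set fso = CreateObject("Scripting.FileSystemObject")
If Not fso.FolderExists(CAPDIR) Then fso.CreateFolder CAPDIR

' -n    : no name lookups, so the sniffer itself generates no DNS traffic
' -s 0  : capture whole packets (this WinDump's default snaplen of 68 bytes truncates payloads)
' -C/-W : size-based ring buffer, so the disk cannot fill up
' -w    : write raw pcap; the files open directly in Wireshark
cmd = """" & WINDUMP & """ -i " & IFACE & " -n -s 0" & _
      " -C " & ROTATE_MB & " -W " & KEEP_FILES & _
      " -w """ & CAPDIR & "\dump.cap"" " & FILTER

' WScript.Shell.Run(command, windowStyle, waitOnReturn): 0 = hidden window, False = return at once
Set sh = CreateObject("WScript.Shell")
sh.Run cmd, 0, False
```

Register it with the XP scheduler so it fires at logon under the system account (task name assumed): schtasks /create /tn NetCapture /tr "wscript.exe //B C:\foo\bar\capture.vbs" /sc onlogon /ru System. The //B switch runs wscript in batch mode, so no script error dialog can pop up either. Two cautions the answer leaves out: the capture files contain everything the user sends in the clear, passwords included, so restrict the output directory's ACL to administrators; and a sniffer running on a machine the malware already controls can be found and killed by that malware, which is why the gateway capture in Solution 1 is the more trustworthy vantage point.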