Sometimes our support team will ask you to create a Wireshark capture, so they can analyze the communication between Nx Server and a camera. In this article we will explain how to create such a capture and what to keep in mind when capturing the data.
Although it is possible to capture the communication indirectly, this article will provide instructions for situations where Wireshark is installed and running on the same device that the Nx Server application is running on.
What is Wireshark and how can I capture data?
Wireshark is a free and open-source packet analyzer application that is commonly used for network troubleshooting and analysis. It is a cross-platform application and available for Windows, macOS, and Linux.
You can start the capture by either double-clicking the correct network interface or single-clicking on the correct network interface and clicking on the blue shark fin on the top-left of the screen.
The correct interface is the interface that connects the server to the camera. If you have the choice between a wireless interface and a wired interface, it is preferred to use the wired interface since it provides a better quality capture with less clutter.
To collect the packets more efficiently, you can use the capture filter to grab only the specific communication you need, usually the communication between the Nx Witness Media Server Application and the camera or vice versa. To perform the filtered capture, please follow the steps below:
- Single-click the Network Interface and enter the Capture Filter in the applicable field by entering
host <camera-IP-address>For example: host 192.168.178.40
- Double-click the interface or press the Start button on the top left (the blue shark fin).
- When you finished the capture, stop the capture with the red square on the top-left of the screen.
- Now you click File and select Save As… and you give a proper name to the capture and you keep the extension as Wireshark/…-pcapng.
Important: Often we get the files created on the Nx Witness Desktop Client computer, instead of one from the Nx Witness Media Server. In this way the communication between the Nx Desktop Client and the Nx Media Server will be captured, while in most cases we like to investigate the communication between the Nx Witness Media Server and the camera or other video resources. So, unless explicitly asked, please, always run Wireshark on the device where the Nx Witness Media Server is running on.
What data should I capture?
Wireshark will create huge files in a short amount of time and with lots of lines to investigate. In order to find the proverbial needle in the haystack as quickly as possible. It is recommended to follow the steps below:
- Start Wireshark (with the capture filter enabled)
- Reproduce the issue
- Stop Wireshark
- Save the standard or filtered capture
- Share the standard or filtered capture
Sometimes it is difficult to reproduce a scenario and it wouldn't make sense to just let Wireshark run until it happened since this will increase the load on the server, but moreover will create a huge capture file which is impossible to work with. But there is a solution for that, you can set up a ring buffer.
A ring buffer is a feature where you can determine how many files Wireshark may create and how big they are allowed to be. In this way you can start Wireshark and let it run until the issue we want to investigate has occurred. Be aware that this will increase the load on the CPU and RAM.
How to set up a ring buffer
In order to set up a ring buffer a few steps are required.
- Go to Capture in the top center of the Wireshark application.
- Select Options or use the hotkeys Ctrl+K. Select the Output tab.
- Enable Create a new file automatically after…
- Change the field from kilobytes into megabytes and change the value to a maximum of 500.
- Enable Use a ring buffer with 10 files. In general, with 10 files you should be able to capture the moment and stop the capture in time before the ring buffer overwrites the files. If you fail to capture the moment, you might want to increase the value. But be aware that there is sufficient storage space available and that it doesn't affect the desired retention time of the video data of the Nx Server application.
It is recommended that when you set up a ring buffer that you get notified in time when the issue occurs. Often you can do that with the Nx Witness rules engine by selecting the appropriate Event and the preferred Action to get notified that the issue occurred.
It is important to stop the Wireshark capture in time, to prevent that the event is overwritten again. If you can't manage to stop the Wireshark capture in time, you can increase the number of files the ring buffer is allowed to create.
How to send us your Wireshark capture file(s)
Since the Wireshark capture files in general are too big to share as an attachment, it is recommended to share this via a cloud storage service like Google Drive, Microsoft Onedrive, Mega, NextCloud, OwnCloud, or alike. Also, emailing or sharing the file(s) via WeTransfer is possible. Please share the files uncompressed.
Please clarify the source of the IP addresses in the capture file, so we know immediately what the servers and the cameras are in the file.
If you have any questions related to this topic or you want to share your experience with other community members or our team, please visit and engage in our support community or reach out to your local reseller.