Version 20190320-1, EA, Wrote initial document.

Background
----------

The included scripts capture Cisco AnyConnect sessions to PCAP files in "C:\captures\pcap".

Four scheduled tasks are installed. Two tasks are triggered by events written to the Cisco AnyConnect Event Log when VPN connections are started and stopped. The two non-Event-Log-triggered tasks are called by the Event-Log-triggered tasks (and are kept separate to allow for debugging / testing without repeatedly stopping and restarting the VPN connection).

The Cisco AnyConnect adapter is dynamically located by parsing the output of "ipconfig /all", which is in turn used to select the proper interface for "dumpcap.exe" to capture on. When the VPN connection is stopped, "dumpcap.exe" is killed.

Logs of the task execution are written to "C:\captures\dumpcap.log".

Requirements
------------

Requires a recent version of Wireshark, either 32- or 64-bit (tested with 64-bit version 2.6.4 (v2.6.4-0-g29d48ec8) on Windows 10, and 32-bit version v1.12.8-0-g5b6e543 on Windows 7). The Wireshark path will be detected from the registry.

The scripts assume that a "C:\" path is available (and are not written to handle writing to any path other than "C:\captures\pcap").

Installation
------------

Unzip the "captures.zip" file to the ROOT of "C:". This will create and populate the "C:\captures\..." folder hierarchy.

Open an elevated command prompt. If you attempt to run this via Windows Explorer, the script will fail.

Run the "c:\captures\bin\Install_Remove_Tasks.cmd" script elevated (i.e. "Run as Administrator") and choose the "I" option to install the tasks.

Operation
---------

After starting a Cisco AnyConnect session, a "C:\captures\dumpcap.log" file will be created (or appended to if it already exists). Depending on the number of network interfaces on the machine, it may take several seconds before a PCAP file begins to be written in the "C:\captures\pcap" folder.
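The Background section describes locating the AnyConnect adapter from "ipconfig /all" and then picking the matching "dumpcap.exe" interface. The following is an added Python example of that selection logic; it is not one of the package's own scripts (which are .cmd batch files), and the "ipconfig /all" and "dumpcap -D" outputs embedded in it are constructed samples, not captured from a real host. On a real machine the two text inputs would come from running those commands (e.g. via subprocess) instead of the embedded strings. The example also handles the failure mode where no AnyConnect adapter is present, in which case no capture command is produced.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "ipconfig /all" output (not from a real host).
IPCONFIG_SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection (7) I219-LM
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   IPv4 Address. . . . . . . . . . . : 192.0.2.10(Preferred)

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
   Physical Address. . . . . . . . . : 00-05-9A-3C-7A-00
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
"""

# Constructed sample of "dumpcap.exe -D" output on Windows; the friendly
# connection name in parentheses matches the adapter name ipconfig prints.
DUMPCAP_SAMPLE = """\
1. \\Device\\NPF_{11111111-2222-3333-4444-555555555555} (Ethernet)
2. \\Device\\NPF_{66666666-7777-8888-9999-000000000000} (Ethernet 2)
"""

# "Ethernet adapter Ethernet 2:" -> adapter name "Ethernet 2"
ADAPTER_HEADER = re.compile(r"^\S.* adapter (?P<name>.+):\s*$")
# "   Description . . . . : value" -> key "Description", value "value"
KEY_VALUE = re.compile(r"^\s+(?P<key>[A-Za-z0-9 \-]+?)[ .]*: ?(?P<value>.*)$")
# "2. \Device\NPF_{...} (Ethernet 2)" -> index 2, friendly name "Ethernet 2"
DUMPCAP_LINE = re.compile(r"^(?P<index>\d+)\.\s+(?P<device>\S+)\s+\((?P<name>.*)\)\s*$")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Split "ipconfig /all" output into {adapter_name: {field: value}}."""
    adapters: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = ADAPTER_HEADER.match(line)
        if header:
            current = header.group("name")
            adapters[current] = {}
            continue
        if current is None:
            continue  # lines in the "Windows IP Configuration" block, not an adapter
        kv = KEY_VALUE.match(line)
        if kv:
            adapters[current][kv.group("key")] = kv.group("value").strip()
    return adapters


def find_anyconnect_adapter(adapters: Dict[str, Dict[str, str]],
                            marker: str = "Cisco AnyConnect") -> Optional[str]:
    """Return the name of the first adapter whose Description mentions AnyConnect."""
    for name, fields in adapters.items():
        if marker in fields.get("Description", ""):
            return name
    return None


def parse_dumpcap_interfaces(text: str) -> Dict[str, int]:
    """Map friendly adapter name -> interface index from "dumpcap -D" output."""
    interfaces: Dict[str, int] = {}
    for line in text.splitlines():
        m = DUMPCAP_LINE.match(line)
        if m:
            interfaces[m.group("name")] = int(m.group("index"))
    return interfaces


def build_dumpcap_command(ipconfig_text: str, dumpcap_text: str,
                          out_dir: str = r"C:\captures\pcap") -> Optional[List[str]]:
    """Assemble the dumpcap argv for the AnyConnect adapter, or None if absent.

    The output file name "anyconnect.pcap" is an assumption for this example.
    """
    adapter = find_anyconnect_adapter(parse_ipconfig(ipconfig_text))
    if adapter is None:
        return None  # no VPN adapter: nothing to capture
    index = parse_dumpcap_interfaces(dumpcap_text).get(adapter)
    if index is None:
        return None  # adapter known to Windows but not to Npcap/dumpcap
    return ["dumpcap.exe", "-i", str(index), "-w", out_dir + "\\anyconnect.pcap"]


if __name__ == "__main__":
    print(build_dumpcap_command(IPCONFIG_SAMPLE, DUMPCAP_SAMPLE))
```

Matching on the adapter description rather than a fixed interface number is what lets the capture survive interface renumbering between boots, which is why the page's scripts parse "ipconfig /all" at task run time instead of hard-coding an index.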
Removal
-------

Run the "c:\captures\bin\Install_Remove_Tasks.cmd" script elevated (i.e. "Run as Administrator") and choose the "R" option to remove the tasks.

Delete the "C:\captures" folder hierarchy.