64966: How to capture Wireshark logs on scheduled backups via pre/post-commands

Last update: Fri, 2020-08-14 10:24


This article describes how to capture Wireshark logs during scheduled backups in Windows, e.g. when a scheduled backup to Acronis Cloud fails.

For general instructions on using Wireshark, see Collecting PCAP Logs with Wireshark.


  1. Download the free Wireshark utility from http://www.wireshark.org/download.html and install Wireshark on the device.
  2. Note the installation folder with the executable, e.g. C:\Program Files\Wireshark
  3. Create pre-backup and post-backup commands as shown in the attached screenshot. Make sure to set the working folder to the one noted in step 2.

  • The interface name for the "-i" parameter can be found with the "wireshark -D" command or by running Wireshark and noting the interface name in the GUI.
  • "-a duration:60" ensures the capture stops after 60 seconds and doesn't continue if the backup runs for longer. Specify, in seconds, the duration at which the backup usually fails (60 for 1 minute, 900 for 15 minutes and so on; the larger the value, the larger the log).
  • Specify the target file name for the capture in the "-w" parameter, e.g. D:\capture.pcap
  • "-k" starts the capture immediately.
  • "-H" is to hide the interface.
  • taskkill /im "wireshark.exe" /F makes sure the wireshark process is killed after the backup succeeds, to avoid spawning multiple unneeded processes.

4. Uncheck all "Fail the backup if command execution fails" and "Don't start" options.

5. On a successful backup, the pre-backup command will end with a failure; this is expected because the process is forcefully killed. On a failed backup, the post-backup command will not start, which means you will need to kill wireshark.exe manually. This doesn't affect the capture file in any way.

6. Provide the collected capture to Acronis Support.
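
A check to run before step 6, as an added example that is not part of the original article or of Acronis tooling: it stops any wireshark.exe left over from a failed backup (step 5) and confirms that the file written by "-w" starts with a pcap or pcapng header. The default path D:\capture.pcap is the article's example value; the function name Get-CaptureFormat is hypothetical.

```powershell
# Added example (not Acronis code). Run after the backup window, before sending the capture.
param(
    [string]$CaptureFile = 'D:\capture.pcap'   # the path given to "-w" in the pre-backup command
)

function Get-CaptureFormat {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'missing' }
    # Share ReadWrite so the check also works if another process still holds the file open.
    $stream = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $magic = New-Object byte[] 4
        $read  = $stream.Read($magic, 0, 4)
    } finally {
        $stream.Dispose()
    }
    if ($read -lt 4) { return 'truncated' }    # empty file: the capture never started
    $hex = -join ($magic | ForEach-Object { $_.ToString('X2') })
    switch ($hex) {
        '0A0D0D0A' { return 'pcapng' }         # Section Header Block; Wireshark's default output format
        { $_ -in 'D4C3B2A1', 'A1B2C3D4', '4D3CB2A1', 'A1B23C4D' } { return 'pcap' }
        default    { return "unknown ($hex)" }
    }
}

# Step 5: after a failed backup the post-backup taskkill never ran, so Wireshark may still be running.
$leftover = @(Get-Process -Name 'wireshark' -ErrorAction SilentlyContinue)
if ($leftover.Count -gt 0) {
    Write-Warning "$($leftover.Count) wireshark.exe process(es) still running; stopping them."
    $leftover | Stop-Process -Force            # same effect as: taskkill /im "wireshark.exe" /F
}

$format = Get-CaptureFormat -Path $CaptureFile
if ($format -in 'pcap', 'pcapng') {
    $item = Get-Item -LiteralPath $CaptureFile
    $hash = (Get-FileHash -LiteralPath $CaptureFile -Algorithm SHA256).Hash
    'OK: {0} ({1}, {2:N0} bytes, written {3:yyyy-MM-dd HH:mm})' -f $item.FullName, $format, $item.Length, $item.LastWriteTime
    "SHA256: $hash"
} else {
    Write-Error "Capture not usable: $CaptureFile is $format. Check the '-w' path and the '-i' interface name."
    exit 1
}
```

Record the printed SHA256 alongside the file so the copy received by support can be matched to the one captured.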

More information

For more information see https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html