This post covers the steps to deploy Wireshark using SCCM (ConfigMgr). We will download the Wireshark .msi installer, create the application in ConfigMgr, and deploy it to Windows devices.
Wireshark is the world’s foremost and widely used network protocol analyzer. It’s basically a packet sniffer and analysis tool which captures network traffic on the local network and stores that data for offline analysis.
Wireshark tool reminds me of the days when I enrolled for CEH course. I have used this tool a lot, and it is a fantastic tool for network admins and ethical hackers. If you want to deploy Wireshark application to multiple computers SCCM makes your task easier. If you are using a tool apart from SCCM such as Intune, the deployment should be still easy and thanks to MSI installer.
The MSI installers make it easy to deploy the application using SCCM. With MSI installers, you don’t have to specify the install and uninstall commands, they will be automatically populated by SCCM. Furthermore, the detection methods are also created automatically with the help of product code. Thanks to Wireshark, that provides the .msi installer for enterprise deployments.
Download Wireshark (MSI installer)
If you go to Wireshark download page, you will probably download an executable (.exe) file. Although you can still package the application using the executable in SCCM, however if you get the Wireshark .msi installer, your effort will be reduced.
Luckily, Wireshark provides the .msi installer for mass deployments. You may not see it on the download page because the link to download is not provided. Don’t worry I have listed the download link for you. Visit the Wireshark automated download page and download the latest version of Wireshark .msi application. Save the Wireshark msi installer to sources folder on your SCCM server. You can also download Wireshark icon and assign it to the application later.
Create Wireshark Application in SCCM | ConfigMgr
Let’s create Wireshark application in SCCM. Launch the ConfigMgr console and go to Software Library\Overview\Application Management\Applications. Right click Applications and select Create Application.
Select Automatically detect information about this application from installation files. The type of application is Windows Installer (.msi file) and specify the Wireshark .msi installer path. Click Next.
The application details are populated from the Wireshark .msi installer.
Application name: Wireshark
Publisher: Wireshark
Software version:
Deployment type name: Wireshark - Windows Installer (*.msi file)
Product Code: {B6A6F6F7-5522-4487-9620-50D1D336C5A5}
Installation behavior: Install for system
Number of files: 2
Content files:
wireshark-icon.png
Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi
On the General Information screen, add more details about the Wireshark application. There is something important here about the Wireshark installation command.
The default installation command populated from the Wireshark .msi installer is as follows.
msiexec /i "Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi" /q
If you use the same command, the Wireshark application gets installed and there is a Pending hard reboot at the end of the installation. Yes, Wireshark restarts the computer to complete the installation. If you deploy the application as available, the application installs and force reboots the computer.
To avoid the hard reboot, you can append /norestart to the install command. This will prevent the Wireshark application restarting the computer after it’s installation.
Click Next.
Review the settings on Summary window and on Completion window, click Close. This completes the steps to create the Wireshark application in SCCM.
Before you deploy Wireshark using SCCM, you can set an icon for Wireshark application. The icon that you assign here will be visible in Software Center for users. To set an icon for Wireshark application, go to the application properties, click Software Center tab. At the bottom click Browse and choose the icon. Click Apply and OK.
Deploy Wireshark using SCCM (ConfigMgr)
We will now deploy the Wireshark application using SCCM to a device collection. For testing the application deployment, I advise building a device collection with a set of pilot devices. After confirming that the application was successfully installed, you can extend the deployment in Configuration Manager to additional device collections.
To make device collections in SCCM for Windows devices, you can use the following guides:
- Create Windows 10 device collection in SCCM
- Create Windows 11 device collections in Configuration Manager
To deploy the Wireshark application in SCCM console, go to Software Library > Application Management > Application. Right-click Wireshark application and select Deploy.
Click Browse and select a device collection to which you want to target the Wireshark application. Click Next.
On the content window, click Add and select your distribution points. The content must be present on distribution points for the clients to download the content. Click Next.
On the Deployment settings window, select Action as Install and Purpose as Available. Click Next.
Complete the remaining steps in the wizard and close the deploy software wizard. The steps to deploy Wireshark using SCCM is now complete.
Test Wireshark Application Deployment on Client Computers
In this step, we will verify if the Wireshark application deployment works correctly on the client computers. If you don’t see the Wireshark application in Software Center, you can download Computer Policy and run the Evaluate Application Deployments actions on client PC. Take a look at all the available Configuration Manager client actions.
Log in to a client computer, and launch the Software center. Click on the Applications tab and select the Wireshark application. On the Wireshark application details page, click Install. The application is now downloaded from the local distribution point server for installation.
You can monitor the Wireshark application installation progress by opening the AppEnforce.log. To know the location of this file and other files, refer to the SCCM Log files.
Matched exit code 0 to a Success entry in the exit codes table confirms that the Wireshark application has been installed successfully. The uninstall command that we specified during application packaging should work fine.
From the log file, we see that the Wireshark application installed without any issues. However, I had not used the /norestart switch in the install command which resulted in computer reboot.
+++ Starting Install enforcement for App DT "Wireshark - Windows Installer (*.msi file)" ApplicationDeliveryType - ScopeId_06D36399-9D0B-4B16-B66A-275A46020BC4/DeploymentType_1ea9280c-689b-46b6-8ba7-05f9148fdb5e, Revision - 1, ContentPath - C:\Windows\ccmcache\3, Execution Context - System
Performing detection of app deployment type Wireshark - Windows Installer (*.msi file)
+++ MSI application not discovered [MSI Product Code: {B6A6F6F7-5522-4487-9620-50D1D336C5A5}, MSI Product version: ]
App enforcement environment:
Context: Machine
Command line: msiexec /i "Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi" /q
Allow user interaction: No
UI mode: 0
User token: null
Session Id: 1
Content path: C:\Windows\ccmcache\3
Working directory: AppEnforce
Prepared working directory: C:\Windows\ccmcache\3
Found executable file msiexec with complete path C:\Windows\system32\msiexec.exe
Prepared command line: "C:\Windows\system32\msiexec.exe" /i "Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi" /q /qn
Valid MSI Package path = C:\Windows\ccmcache\3\Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi AppEnforce
Advertising MSI package [C:\Windows\ccmcache\3\Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi] to the system.
Executing Command line: "C:\Windows\system32\msiexec.exe" /i "Wireshark-win64-3.5.1rc0-55-g9cf6caee623e.msi" /q /qn with user context
Working directory C:\Windows\ccmcache\3
Post install behavior is BasedOnExitCode
Waiting for process 5700 to finish. Timeout = 120 minutes
Process 5700 terminated with exitcode: 1641
Looking for exit code 1641 in exit codes table
Matched exit code 1641 to a PendingHardReboot entry in exit codes table.
