User Guide
Chapter 4. Capturing Live Network Data
4.1. Introduction
Capturing live network data is one of the major features of Wireshark.
The Wireshark capture engine provides the following features:
• Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...).
• Stop the capture on different triggers, such as the amount of captured data, the elapsed capture time, or the number of captured packets.
• Simultaneously show decoded packets while Wireshark keeps on capturing.
• Filter packets, reducing the amount of data to be captured (see Section 4.9, “Filtering while capturing”).
• Capture into multiple files during a long-term capture, with the option to form a ring buffer of these files that keeps only the last x files, which is useful for a "very long term" capture (see Section 4.7, “Capture files and file modes”).
The capture engine still lacks the following features:
• Simultaneous capturing from multiple network interfaces (however, you can start multiple instances of Wireshark and merge capture files later).
• Stop capturing (or perform some other action) depending on the captured data.