User Guide
Capturing Live Network Data
Warning
This is an experimental feature. The resulting saved file may or may not be
valid. See http://wiki.wireshark.org/Development/PcapNg for more details on
pcap-ng.
Limit each packet to n bytes
This field allows you to specify the maximum amount of data that
will be captured for each packet, and is sometimes referred to as the
snaplen. If disabled, the value is set to the maximum 65535, which
will be sufficient for most protocols. Some rules of thumb:
• If you are unsure, just keep the default value.
• If you don't need all of the data in a packet - for example, if you
only need the link-layer, IP, and TCP headers - you might want
to choose a small snapshot length, as less CPU time is required
for copying packets, less buffer space is required for packets,
and thus perhaps fewer packets will be dropped if traffic is very
heavy.
• If you don't capture all of the data in a packet, you might find
that the packet data you want is in the part that's dropped, or that
reassembly isn't possible as the data required for reassembly is
missing.
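The trade-off in the rules of thumb above, as an added example that is not part of the Wireshark User Guide: a Python script that writes constructed Ethernet/IPv4/TCP frames into a classic pcap byte string at several snapshot lengths and reports, per packet, how many bytes were captured versus on the wire and whether the headers survived. The frame contents, addresses, ports and function names are constructed for illustration.

```python
import struct

def make_frame(payload_len):
    """Constructed sample: Ethernet + IPv4 + TCP headers (54 bytes) plus dummy payload."""
    eth = bytes(12) + b"\x08\x00"  # zeroed MAC addresses, EtherType IPv4
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack(">HHIIBBHHH", 49152, 80, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + b"A" * payload_len

def write_pcap(snaplen, frames):
    """Build a classic pcap byte string, cutting each frame at snaplen as a capture would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)  # link type 1 = Ethernet
    for ts, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(kept), len(frame)) + kept
    return out

def tcp_header_end(data):
    """Offset where TCP payload starts, or None if the headers themselves were cut off."""
    if len(data) < 24 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return None
    ihl = (data[14] & 0x0F) * 4
    if len(data) < 14 + ihl + 13:
        return None
    end = 14 + ihl + (data[14 + ihl + 12] >> 4) * 4
    return end if end <= len(data) else None

def truncation_report(pcap):
    """Return (snaplen, records); each record compares captured bytes with bytes on the wire."""
    magic, _, _, _, _, snaplen, _ = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    offset, records = 24, []
    while offset + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap, offset)
        data = pcap[offset + 16: offset + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("record runs past end of file")
        end = tcp_header_end(data)
        records.append({"captured": incl_len, "on_wire": orig_len,
                        "headers_complete": end is not None,
                        "payload_kept": None if end is None else incl_len - end})
        offset += 16 + incl_len
    return snaplen, records

if __name__ == "__main__":
    frames = [make_frame(0), make_frame(1460)]
    for snaplen in (40, 96, 65535):
        print(snaplen, truncation_report(write_pcap(snaplen, frames))[1])
```

A record whose captured length is smaller than its on-wire length is what Wireshark flags as a truncated packet; at a snapshot length of 40 even the TCP header is incomplete.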
Capture Filter
This field allows you to specify a capture filter. Capture filters
are discussed in more detail in Section 4.10, “Filtering while
capturing”. It defaults to empty, or no filter.
You can also click on the button labeled "Capture Filter", and
Wireshark will bring up the Capture Filters dialog box and allow
you to create and/or select a filter. Please see Section 6.6, “Defining
and saving filters”.
Compile BPF
This button allows you to compile the capture filter into BPF code
and pop up a window showing you the resulting pseudo code. This
can help in understanding the workings of the capture filter you
created.
4.5.2. Capture File(s) frame
An explanation about capture file usage can be found in Section 4.8, “Capture files and file modes”.
File
This field allows you to specify the file name that will be used for
the capture file. This field is left blank by default. If the field is
left blank, the capture data will be stored in a temporary file; see
Section 4.8, “Capture files and file modes” for details.
You can also click on the button to the right of this field to browse
through the filesystem.
Use multiple files
Instead of using a single file, Wireshark will automatically switch
to a new one if a specific trigger condition is reached.