User Guide

Capturing Live Network Data
man page at http://www.tcpdump.org/tcpdump_man.html for more
details.
4.10.1. Automatic Remote Traffic Filtering
If Wireshark is running remotely (e.g. over SSH, an exported X11 window, or a terminal server), the
remote session's own content has to be transported over the network, adding a lot of (usually
unimportant) packets to the traffic you are actually interested in.
To avoid this, Wireshark tries to figure out if it's remotely connected (by looking at some specific
environment variables) and automatically creates a capture filter that matches aspects of the connection.
The following environment variables are analyzed:
SSH_CONNECTION (ssh) <remote IP> <remote port> <local IP> <local port>
SSH_CLIENT (ssh) <remote IP> <remote port> <local port>
REMOTEHOST (tcsh, others?) <remote name>
DISPLAY (x11) [remote name]:<display num>
SESSIONNAME (terminal server) <remote name>
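One way a filter like this could be derived by hand for tcpdump or tshark, as an added example that is not Wireshark's own code: the function names and the exact filter shapes are assumptions made for illustration, and SESSIONNAME is not handled. Each field is validated before it is interpolated into the filter expression.

```shell
#!/bin/sh
# Added example (not Wireshark's code): build a capture filter that excludes
# the remote-access session from the variables listed above.
# The filter shapes below are assumptions made for this illustration.

# Accept only characters valid in an IP address or host name, so a crafted
# variable cannot inject extra primitives into the filter expression.
valid_host() {
    case "$1" in
        ''|*[!0-9A-Za-z.:_-]*) return 1 ;;
    esac
}

valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 65535 ]
}

# Prints the filter and returns 0, or returns 1 if no usable variable is set.
# The body is a subshell, so "set -f" and "set --" stay local to the call.
remote_cfilter() (
    set -f   # no globbing while the values are word-split
    if [ -n "${SSH_CONNECTION:-}" ]; then
        set -- $SSH_CONNECTION   # <remote IP> <remote port> <local IP> <local port>
        [ $# -eq 4 ] && valid_host "$1" && valid_port "$2" \
            && valid_host "$3" && valid_port "$4" || return 1
        echo "not (host $1 and tcp port $2 and host $3 and tcp port $4)"
    elif [ -n "${SSH_CLIENT:-}" ]; then
        set -- $SSH_CLIENT       # <remote IP> <remote port> <local port>
        [ $# -eq 3 ] && valid_host "$1" && valid_port "$2" \
            && valid_port "$3" || return 1
        echo "not (host $1 and tcp port $2 and tcp port $3)"
    elif [ -n "${REMOTEHOST:-}" ]; then
        valid_host "$REMOTEHOST" || return 1
        echo "not host $REMOTEHOST"
    elif [ -n "${DISPLAY:-}" ]; then
        name=${DISPLAY%:*}       # [remote name]:<display num>
        valid_host "$name" || return 1   # empty name means a local display
        echo "not host $name"
    else
        return 1
    fi
)
```

The printed expression can be passed as the capture filter, for example `tshark -f "$(remote_cfilter)"`.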
4.11. While a Capture is running ...
While a capture is running, the following dialog box is shown:
Figure 4.8. The "Capture Info" dialog box
This dialog box will inform you about the number of captured packets and the time since the capture was
started. The selection of which protocols are counted cannot be changed.
Tip!
This Capture Info dialog box can be hidden using the "Hide capture info dialog" option in
the Capture Options dialog box.