Chapter 4. Capturing Live Network Data

Wireshark 2.1

previous page next page

Chapter 4. Capturing Live Network Data

Table of Contents

4.1. Introduction

4.2. Prerequisites

4.3. Start Capturing

4.4. The “Capture Interfaces” dialog box

4.5. The “Capture Options” dialog box

4.5.1. Capture frame
4.5.2. Capture File(s) frame
4.5.3. Stop Capture… frame
4.5.4. Display Options frame
4.5.5. Name Resolution frame
4.5.6. Buttons

4.6. The “Edit Interface Settings” dialog box

4.7. The “Compile Results” dialog box

4.8. The “Add New Interfaces” dialog box

4.8.1. Add or remove pipes
4.8.2. Add or hide local interfaces
4.8.3. Add or hide remote interfaces

4.9. The “Remote Capture Interfaces” dialog box

4.9.1. Remote Capture Interfaces
4.9.2. Remote Capture Settings

4.10. The “Interface Details” dialog box

4.11. Capture files and file modes

4.12. Link-layer header type

4.13. Filtering while capturing

4.13.1. Automatic Remote Traffic Filtering
4.13.2. Stop the running capture
4.13.3. Restart a running capture

4.1. Introduction

Capturing live network data is one of the major features of Wireshark.

The Wireshark capture engine provides the following features:

Capture from different kinds of network hardware such as Ethernet or 802.11.
Stop the capture on different triggers such as the amount of captured data, elapsed time, or the number of packets.
Simultaneously show decoded packets while Wireshark is capturing.
Filter packets, reducing the amount of data to be captured. See Section 4.13, “Filtering while capturing”.
Save packets in multiple files while doing a long term capture, optionally rotating through a fixed number of files (a “ringbuffer”). See Section 4.11, “Capture files and file modes”.
Simultaneously capture from multiple network interfaces.

The capture engine still lacks the following features:

Stop capturing (or perform some other action) depending on the captured data.

previous page start next page

Get in touch

Submit feedback about this site to:

[email protected]