Here's a guide on how to set up a Wireshark capture.

In this scenario, we want to leave it running for a certain duration and come back to retrieve the snoop traces when a special data traffic event happens.


A. Increase the memory buffer size; this avoids packet drops during capture.

B. Choose the directory and file name for the snoop traces.

C. Enable "Use multiple files". You want the capture files to be in manageable sizes. The file name chosen in B. will be appended with an incremental counter and the timestamp of the start time of the capture for each respective file.

D. Here is where you can limit the file size of each capture file. Alternatively, you can choose to start a new capture file using a specific time duration, example: every 15 minutes.

E. Unless you have unlimited storage space to store all the collected snoop traces, I suggest that you enable the "Ring buffer with" option. In this example, we limit it to 100 files. For the 101st and subsequent files, it will overwrite the capture file with the oldest timestamp.

F. This is optional. If you really want to watch the captured packets scrolling by on your display, leave the option enabled. Otherwise, disable "Update list of packets in real-time"; disabling it also helps avoid packet drops during capture.

G. With all of the above done, you are now ready to click the "Start" button. Go on and click it.

After the capture is started, you will notice a status bar near the bottom of the Wireshark screen. If packets are being captured, the "Packets" counter will be incrementing.

In addition, you can go to the directory where you have chosen to store the capture files, and check if capture files are being created. Refresh the directory to see if the file size of the current capture file is increasing.
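For an unattended capture on a remote host you usually cannot sit in front of the GUI, so here is the same setup done on the command line with dumpcap, the capture engine that ships with Wireshark. This is an added example, not part of the original guide: steps A to E are mapped to the matching dumpcap flags (`-B` for the buffer size, `-w` for the base file name, `-b filesize:`/`-b duration:` for rotating files, `-b files:` for the ring buffer), and the two checks from the last paragraphs (files being created, current file growing) are done as a small shell function instead of refreshing a directory window. The interface name, directory and limits are assumed values; adjust them to your host, and note that dumpcap needs the same capture privileges Wireshark does.

```shell
#!/bin/sh
# Added example (not from the original guide): dumpcap equivalent of the
# Wireshark capture options described in steps A to E, plus a check for
# the verification described at the end of the guide.
# All values below are assumptions for illustration; override via environment.

CAP_IFACE="${CAP_IFACE:-eth0}"               # assumed capture interface
CAP_DIR="${CAP_DIR:-/var/tmp/captures}"      # step B: directory for the trace files (assumed path)
CAP_NAME="${CAP_NAME:-trace.pcapng}"         # step B/C: base name; dumpcap appends _counter_timestamp
CAP_BUFFER_MB="${CAP_BUFFER_MB:-64}"         # step A: kernel capture buffer in MiB (-B), default is 2
CAP_FILE_KB="${CAP_FILE_KB:-102400}"         # step D: new file every 100 MiB (-b filesize: is in kB)
CAP_DURATION_S="${CAP_DURATION_S:-900}"      # step D alternative: or every 15 minutes (-b duration:)
CAP_RING_FILES="${CAP_RING_FILES:-100}"      # step E: ring buffer of 100 files, oldest overwritten

# Build the dumpcap command line that mirrors steps A to E.
# It is printed rather than executed so it can be reviewed before an unattended run.
build_dumpcap_cmd() {
    printf '%s' "dumpcap -i $CAP_IFACE -B $CAP_BUFFER_MB -w $CAP_DIR/$CAP_NAME -b filesize:$CAP_FILE_KB -b duration:$CAP_DURATION_S -b files:$CAP_RING_FILES"
}

# Newest capture file in a directory (the "check if capture files are being created" step).
newest_capture() {
    ls -t "$1"/*.pcap* 2>/dev/null | head -n 1
}

# File size in bytes, portable across GNU and BSD userland.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Returns 0 when the newest capture file in $1 grew during $2 seconds (default 5),
# i.e. the command-line version of "refresh the directory and see if the size is increasing".
capture_is_growing() {
    f=$(newest_capture "$1")
    [ -n "$f" ] || { echo "no capture files in $1" >&2; return 1; }
    before=$(file_size "$f")
    sleep "${2:-5}"
    after=$(file_size "$f")
    [ "$after" -gt "$before" ]
}

# Show the command that would be run. To actually start the capture in the
# background you would use:  eval "$(build_dumpcap_cmd)" &
build_dumpcap_cmd
echo
```

Once dumpcap is running, `capture_is_growing "$CAP_DIR" 10 && echo "capture is writing"` gives the same assurance as watching the "Packets" counter, and `ls "$CAP_DIR"` shows the counter-and-timestamp file names from step C appearing and, after the 100th file, the oldest ones being replaced.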
