Lisa Bock demonstrates the Capture Options feature, including capture to a permanent file or use a ring buffer, along with selecting how to stop capture and list the file location.
- [Instructor] When capturing traffic with Wireshark, most of us are familiar with this interface, where we would go down below and select which interface we would like to begin a capture with. And we could even put in a capture filter. However, there are a few other capture options you should really become familiar with. Let's go up here to this Capture drop-down menu, and here we can go into Options, or we can use this icon and go to the Capture Interfaces.
Now, once we go in here, as you can see, this gives a list of interfaces. Now we can capture on all active interfaces if we like, but down below, we want to make sure that it says, enable promiscuous mode on all interfaces. Here we can put the capture filter for the selected interfaces, but we're not going to do that. What I wanna focus in on, is the output. Go to the Output and here we can capture to a permanent file. Now, when Wireshark runs, it's just saving it to a temporary file.
If you were to do something, for example, baselining, and you wanted to just simply run three captures for each subnetwork, you could do that. So here it first says, capture to a permanent file, and then where do you wanna put it. So we'll go to Browse, and we'll put on here Baseline. I put it on my desktop in a folder. And we'll say Save. Now, the next thing it says, how would you like this to be output.
Now you have a choice, pcap next generation, or plain pcap. Depending on where you're gonna pull it into will make that difference. I generally use pcap next generation so I can put some comments. Down below, this is where you can say, create a file automatically after what. It could be determining how big it's going to be, for example, the size. Or how many seconds or minutes or even hours. I'm going to say 10 seconds.
That'll give us a nice sample. Now, this here, use a ring buffer, we'll talk about in just a second. Now let's go to the Options. Now, when we look at the Display Options, we'll keep those the same. Update the list of packets in real-time, and automatically scroll during live capture. The Name Resolution we'll keep the same as well. Now here's where we say, stop the capture after what. And this could be after so many packets, or after so many files.
I'm going to say after three files. So you have a choice in how you want these saved. Now it's all set up, let's let it run. When the screen goes blank, that means it's starting a new capture. Now we know it's complete, because we do not see the red square, and we know that the fin is active and it's ready to begin capturing again. But let's go ahead and take a look at the files. Now, we're right on the desktop, and I want you to take a look that there are three files.
Now, with that, you see the name of it, and we called it Baseline. And then we have here, and I'll put it in order, one, two, three. So it's sequencing, how many we want to run. But then after that, there's a number, and that's a time stamp. As you can see, that's 2018, and then the date, 7/23, and then the time, 20:32:10, which is 8:32 and 10 seconds. So that's how we save to a permanent file.
That's pretty simple, and again, this is something you could use while baselining. Now, we can also capture to a ring buffer. So we'll go back in, and what I'll do is, I'm gonna close this out so we have a blank screen. Now we'll go to Capture and then to Options as well, and now we'll take a look at our options for output. Now, in this case, capture to a permanent file, we're gonna leave that, and we're gonna uncheck this. And what we're going to say is use a ring buffer with, we'll say three files.
I'm gonna say Ring. And we'll say three files. And then here's our options, and stop capture after three files. So what a ring buffer will do, is just write over that ring buffer after so many whatever you're going to say, I'm gonna just say after five seconds so it runs fairly quickly. Ring buffer is great if you want this to keep running over and over and over again, in the case you're going to keep your screen up and you're looking for a particular protocol, or something that you're suspicious that someone perhaps gaming, and you set a coloring rule, and you can check to see if this happens.
Remember that unless you save it somewhere, it will consume all of your memory. So I'll just start it. And now that's stopped. Now, when you're taking a look at this, it has stopped, down below on the status bar, you see that Ring 00003, the third ring buffer file is complete. Now, if we were to run any more, it could continually write over and over and over the ring buffers if we didn't stop it. And here we go into our folder, and there you can see the three files that were created with the ring buffer.
So you have some choices with capture options. Of course you have your standard, where you select an interface and begin the capture, but there's also the ability to save files, either multiple files to a permanent file, or even a ring buffer.
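The video points out that each file of a multi-file or ring-buffer capture is named with a prefix, a five-digit sequence number and a start timestamp (Baseline, 00001, 20180723203210). The following added example, which is not part of the course and not Wireshark's own code, parses those names and checks a finished capture set against the "new file every N seconds" and "stop after N files" settings, so a baseline run with a missing or stretched file is noticed before it is analysed. The sample file names, the eth0 interface and the tolerance value are constructed for illustration.

```python
"""Sanity-check the files written by Wireshark's "capture to a permanent file"
or "use a ring buffer" output options.

Wireshark names each file of a multi-file capture
<prefix>_<5-digit sequence>_<YYYYmmddHHMMSS>.<pcapng|pcap>, e.g.
Baseline_00001_20180723203210.pcapng. The same set can be produced from the
command line, e.g. (eth0 is an example interface):
    dumpcap -i eth0 -b duration:10 -a files:3 -w Baseline.pcapng
"""
import re
from datetime import datetime

NAME_RE = re.compile(r"^(?P<prefix>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>pcapng|pcap)$")


def parse_capture_name(filename):
    """Split a Wireshark multi-file name into (prefix, sequence, start time); None if it does not match."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    return m.group("prefix"), int(m.group("seq")), datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")


def check_capture_set(filenames, file_seconds, expected_files, tolerance=2):
    """Order a capture set and report problems: names that do not fit the pattern, a file
    count that differs from the 'stop after N files' setting, holes in the sequence numbers,
    and neighbouring files whose start times differ from the 'new file every N seconds'
    setting by more than `tolerance` seconds (constructed slack: Wireshark only rotates when
    a packet arrives, so a quiet link can stretch a file slightly)."""
    entries, problems = [], []
    for name in filenames:
        parsed = parse_capture_name(name)
        if parsed is None:
            problems.append(f"unrecognised name: {name}")
        else:
            entries.append((parsed[1], parsed[2], name))
    entries.sort()  # sequence number first, so files come out in capture order
    if len(entries) != expected_files:
        problems.append(f"expected {expected_files} files, found {len(entries)}")
    for (seq_a, t_a, _), (seq_b, t_b, name_b) in zip(entries, entries[1:]):
        if seq_b != seq_a + 1:
            problems.append(f"sequence jumps from {seq_a:05d} to {seq_b:05d} (file missing or overwritten)")
        gap = (t_b - t_a).total_seconds()
        if abs(gap - file_seconds) > tolerance:
            problems.append(f"{name_b} starts {gap:.0f}s after its predecessor, expected about {file_seconds}s")
    return {"ordered": [name for _, _, name in entries], "problems": problems}


if __name__ == "__main__":
    # Constructed file names modelled on the video's run: 10-second files, stop after 3 files.
    sample = ["Baseline_00003_20180723203230.pcapng",
              "Baseline_00001_20180723203210.pcapng",
              "Baseline_00002_20180723203220.pcapng"]
    print(check_capture_set(sample, file_seconds=10, expected_files=3))
```

Because a ring buffer keeps incrementing the sequence number while deleting the oldest file, a healthy ring set that ran past its file count still passes (for example 00005, 00006, 00007); only a hole or a timing gap is reported.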