Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

4.7. Capture files and file modes
Prev Chapter 4. Capturing Live Network Data Next

4.7. Capture files and file modes

While capturing, the underlying libpcap capturing engine will grab the packets from the network card and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into the capture file(s) the user specified.

Different modes of operation are available when saving this packet data to the capture file(s).

[Tip] Tip!

Working with large files (several 100 MB's) can be quite slow. If you plan to do a long term capture or capturing from a high traffic network, think about using one of the "Multiple files" options. This will spread the captured packets over several smaller files which can be much more pleasant to work with.

[Note] Note!

Using Multiple files may cut context related information. Wireshark keeps context information of the loaded packet data, so it can report context related problems (like a stream error) and keeps information about context related protocols (e.g. where data is exchanged at the establishing phase and only referred to in later packets). As it keeps this information only for the loaded file, using one of the multiple file modes may cut these contexts. If the establishing phase is saved in one file and the things you would like to see is in another, you might not see some of the valuable context related information.

[Tip] Tip!

Information about the folders used for the capture file(s), can be found in Appendix A, Files and Folders .

Table 4.1. Capture file mode selected by capture options

"File" option "Use multiple files" option "Ring buffer with n files" option Mode Resulting filename(s) used
- - - Single temporary file etherXXXXXX (where XXXXXX is a unique number)
foo.cap - - Single named file foo.cap
foo.cap x - Multiple files, continuous foo_00001_20040205110102.cap, foo_00002_20040205110102.cap, ...
foo.cap x x Multiple files, ring buffer foo_00001_20040205110102.cap, foo_00002_20040205110102.cap, ...
Single temporary file

A temporary file will be created and used (this is the default). After the capturing is stopped, this file can be saved later under a user specified name.

Single named file

A single capture file will be used. If you want to place the new capture file to a specific folder, choose this mode.

Multiple files, continuous

Like the "Single named file" mode, but a new file is created and used, after reaching one of the multiple file switch conditions (one of the "Next file every ..." values).

Multiple files, ring buffer

Much like "Multiple files continuous", reaching one of the multiple files switch conditions (one of the "Next file every ..." values) will switch to the next file. This will be a newly created file if value of "Ring buffer with n files" is not reached, otherwise it will replace the oldest of the formerly used files (thus forming a "ring").

This mode will limit the maximum disk usage, even for an unlimited amount of capture input data, keeping the latest captured data.

Prev Up Next
4.6. The "Interface Details" dialog box Home 4.8. Link-layer header type

 
 
  Published under the terms fo the GNU General Public License Design by Interspire