Hello, I'm a naive user of Wireshark tool. Normally when we start capturing packets over specific interface, Wireshark will captures all packets over the interface and then we have to apply ip filters to view the data to/from specific ip. Is there any way where we can capture packets to/from only specific ip and save it to file rather than capturing all the packets and applying filters. Thank you. asked 09 Oct '12, 12:11 dvsrk edited 09 Oct '12, 12:26 |
One Answer:
Sure, just use capture filters, for example "host 192.168.1.1" to capture everything to and from IP 192.168.1.1. You can set them in the capture dialog (pre 1.8) or for each interface starting with 1.8 (by double clicking the interface line in the capture dialog). For more filters see http://wiki.wireshark.org/CaptureFilters answered 09 Oct '12, 12:34 Jasper ♦♦ |
Thanks Jasper for the quick response.
I added the filter and now it is capturing only data for specific ips. do we have any options to auto save that data to specific location.
not a problem, open the capture options and enter a file name in the "Capture File(s)" panel. You should probably capture to multiple files (for example to a new one each 64MB) because otherwise Wireshark might crash after a while if you capture a lot of frames.
You might also want to check out dumpcap, which is installed together with Wireshark and which actually does the capture for Wireshark whenever you start a capture. dumpcap -h tells you all parameters you might need to know.
These are probably derived from environment variables. These are educated guesses on things as remote display sessions, etc. If you're running everything local you can erase them.
I'm able to save the data to a file. Thank you so much.
I have one more ask for you. Do we have any specific display filter where i can find the response time from the host we are capturing the packets. Is there any way we can capture the response time from specific ip address.
From the data I'm capturing i can see TCP & TLSV1 protocols.
I think that's not really a filter issue, it is more of a timing column issue, even though you can filter on things like "frame.time_delta > 1.0", but that rarely helps. Best is usually to isolate a tcp flow by conversation filter (popup menu on a packet of the conversation) and then set the time column to display delta time from previous frame.