I've tried selecting the "Limit each packet to" field checkbox so I can slice off the amount of data captured so my capture files will be smaller. I don't need all the payload, but all the headers really. I'm using wireshark version 1.6.8. I can check the box and start capturing, but the packets are still full size. asked 19 Feb '13, 09:40 dja0301 |
2 Answers:
Are you sure the packets are full size? The Packet Length column will show the full frame size, even if the full frame wasn't captured. I just did a test capture using Wireshark 1.8.5 with "Limit each packet to" set to 100 bytes. I'm looking at a frame that's listed as 1066 bytes in the Packet Length column. However, in the Frame section of the Packet Details pane, I see "1066 bytes on wire (8528 bits), 100 bytes captured (800 bits) on interface 0." I also see "[Packet size limited during capture]" in the Info column of the Packet List pane. Check the Frame section and see if the packet really is full size. If it is, I suggest upgrading to the latest stable version of Wireshark (1.8.5). answered 19 Feb '13, 12:26 Jim Aragon |
Are you sure? Keep in mind that Wireshark will of course still show the actual packet size in the length column, but if you take a look at the first decoded layer you'll see that it says something like "1514 bytes on wire, 64 bytes captured" (for a packet that had originally 1514 bytes (plus FCS) and was limited to 64 bytes at capture). Wireshark will still show and use the size of the full packet for all statistics and displays, but the payload isn't there if it was cut short. Also, you should notice that your capture files are quite small when you do sliced captures. answered 19 Feb '13, 12:28 Jasper ♦♦ |
2 minutes faster, almost the same text :)
Nice answer!
Thanks for the answers. You spot on... I was looking at the length column and didn't see that actual captured amount is restricted to what I provisioned. Thanks guys! I appreciate the answers.