This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Minimizing Capture File Size?

0

I've read http://wiki.wireshark.org/KnownBugs/OutOfMemory.

But it seems to beg the question of how one can minimize the size of the capture file.

All I care about are VOIP "INVITE" packets.

I've got a filter set: syslog.msg contains "INVITE sip:"

I think it's a "Capture" filter... but even though WireShark's window is only showing the desired packets (very, very few....) it seems to keep chugging along with the total packets.

So, bottom line, is there a way to make WireShark use that filter to not even add non-qualifying packets to it's file? That would enable the running of WireShark for very, very long periods of time without running out of memory.

asked 21 Feb '11, 13:45

PeteCress's gravatar image

PeteCress
16568
accept rate: 0%


2 Answers:

0

The filter syslog.msg contains "INVITE sip:" is not a capture filter, it is a display filter. That means that it doesn't filter out packets from getting into the trace, it only hides them from view. Capture filters are specified in the Capture Options dialog, not in the main window. Unfortunately I do not have a capture filter for you that does what you want to do, but maybe someone else can help you with that.

If nobody can come up with a capture filter you might consider doing a ring buffer capture and running tshark on the files to extract the packets you want every once in a while. That way you can prevent running out of disk space and extract the information you want.

answered 21 Feb '11, 14:22

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

0

Check out this page for a reference http://wiki.wireshark.org/CaptureFilters

Skip down to the line that starts "Capture HTTP Get" - use this sample as a guide.

To build this filter you'll need a packet capture that contains the kind of packet you're going to be looking for as a reference. In other words, do whatever you've done before and use the display filter you listed above - this should produce a few good representative packets. Click on the packet of interest, in Wireshark's middle frame expand the "Syslog message" tree, and look for the "Message: " line. In there you should see the "INVITE sip:" data, click on it. This should highlight an area of text in Wireshark's 3rd/bottom frame, this is the HEX viewer. You need to note into which HEX locations the characters "INVITE sip:" fall. In the only Syslog sample I have it appears that the syslog message starts in 0030. I ASSume that "INVITE sip:" would be located 0030-003a.

SO, you can start building the filter from there..

answered 22 Feb '11, 05:27

GeonJay's gravatar image

GeonJay
4705922
accept rate: 5%