This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing headers only

1

Does anyone have a simple filter for capturing headers only?

asked 19 May '11, 05:37

mooseman


One Answer:

5

You can try to go with slicing the frames to the first # of bytes, but there is no simple filter that will exactly capture certain headers only afaik.

Just open the capture options and put a check mark next to "Limit each packet to" and put in the number of bytes you want to capture. Usually you should go for at least 54 bytes (14 bytes Ethernet header, 20 IP, 20 TCP, unless IP or TCP are using a lot of optional "Option" headers). For SMB and other higher protocol headers you'll need to go for 128 or even more bytes.

answered 19 May '11, 05:46

Jasper ♦♦

Wireshark filters (both capture and display filters) only select which packets to capture or display; they do not select which information within a packet to display. So it is not possible to use a filter to only show certain headers. The only way to limit this is to actually cut the extra data off as Jasper has explained.

(19 May '11, 06:06) SYN-bit ♦♦

I am using the 1.8.3 version and I am having the same problem, I want to capture only the headers not the payload. I am having a hard time finding the option to limit each packet in this new version of Wireshark. Can anyone help me with that?

(09 Nov '12, 07:54) mikidi

Open the capture options dialog and double click on the network card row of the card you want to use.

(09 Nov '12, 07:59) Jasper ♦♦
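
The 54-byte figure from the answer (14 Ethernet + 20 IP + 20 TCP) is a minimum, because IP and TCP options make the headers longer. The following is an added example, not part of the original thread or of Wireshark: it goes one step beyond a fixed slice length and cuts each record of an existing capture file at its real header boundary, so payload bytes are dropped before the file is shared or archived. It assumes untagged Ethernet II, IPv4 and a classic little-endian pcap file; all function names are hypothetical and the sample frames are constructed.

```python
import struct

ETH_LEN = 14  # Ethernet II header without VLAN tags (assumption)

def header_len(frame: bytes) -> int:
    """Bytes of Ethernet + IPv4 + TCP/UDP headers in one frame."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return min(len(frame), ETH_LEN)        # not IPv4: keep link header only
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IP header length incl. options
    l4 = ETH_LEN + ihl
    proto = frame[ETH_LEN + 9]
    if proto == 6 and len(frame) >= l4 + 13:   # TCP: data offset in high nibble
        return min(len(frame), l4 + (frame[l4 + 12] >> 4) * 4)
    if proto == 17:                            # UDP header is always 8 bytes
        return min(len(frame), l4 + 8)
    return min(len(frame), l4)

def strip_payloads(pcap: bytes) -> bytes:
    """Rewrite a classic little-endian pcap so each record keeps headers only."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    out, pos = bytearray(pcap[:24]), 24
    while pos + 16 <= len(pcap):
        sec, usec, incl, orig = struct.unpack_from("<IIII", pcap, pos)
        frame = pcap[pos + 16 : pos + 16 + incl]
        keep = frame[: header_len(frame)]
        # orig_len is preserved so tools still show the on-wire size
        out += struct.pack("<IIII", sec, usec, len(keep), orig) + keep
        pos += 16 + incl
    return bytes(out)

def make_frame(tcp_opts: bytes, payload: bytes) -> bytes:
    """Constructed sample frame (zeroed MACs and checksums), for the demo only."""
    eth = bytes(12) + b"\x08\x00"
    tcp_len = 20 + len(tcp_opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, 0, 0, (tcp_len // 4) << 4,
                      0x18, 1024, 0, 0) + tcp_opts
    return eth + ip + tcp + payload

def make_pcap(frames) -> bytes:
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    sample = make_pcap([make_frame(b"", b"A" * 100), make_frame(b"\x01" * 12, b"B" * 100)])
    print(len(sample), "->", len(strip_payloads(sample)))
```

A frame without options is cut at 54 bytes, while the frame carrying 12 bytes of TCP options is cut at 66, which a fixed 54-byte limit would have truncated mid-header.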