I'm running a test that transfers large files on/off the test machine (which is running Wireshark). Need to run overnight (cycles files every 30 minutes) and the logging in Wireshark fills the machine too quickly and makes Wireshark unusable. I'd like to filter all file contents (but maintain the transfer time for the file copy), before it gets captured. I'm trying to isolate the network traffic when the file transfers intermittently take much longer than expected. Any suggestions or pointers to filter file contents on the way into the log are appreciated. Thanks.

asked 17 Oct '16, 13:16 WayneConnection
One Answer:
There is the option to set the snap length on the interface you capture on to less than the default value of 65535. This allows you to keep the start of all packets (retaining timing and header info) while leaving (most of the) payload (file data) for what it is. This limits the capture file size. You'll have to tune this parameter to your particular needs.

answered 17 Oct '16, 22:19 Jaap ♦

Cmaynard: I was looking for "how to isolate only the packets of interest in order to limit the amount of data captured" - thanks for the follow-up. Jaap: This did the trick. Thanks for both your quick responses, I'm new to Wireshark and this saved lots of time. (18 Oct '16, 05:55) WayneConnection
Can you please clarify your question?
Are you asking for how to isolate only the packets of interest in order to limit the amount of data captured, or are you trying to run Wireshark for only as long as it takes for the file transfer to occur and then stop capturing and only retain the file if the time exceeded some threshold for data transfer? Or are you looking to do something else?
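To make the snap-length answer concrete, here is an added example (not code from the thread or from Wireshark) that does to a classic pcap file what dumpcap/tshark's snap length does at capture time: every record keeps only the first N bytes (the L2-L4 headers), its recorded original length and timestamp stay untouched, and the global header's snaplen field is updated. The sample packets are constructed inline, with zero bytes standing in for Ethernet/IPv4/TCP headers and a 12.75 s gap before the last segment to mimic a slow transfer; a summary function then shows that packet count, bytes on the wire and transfer duration survive the truncation while the stored bytes shrink.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "<IHHiIII"        # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"           # ts_sec, ts_usec, incl_len (bytes in file), orig_len (bytes on wire)
FRAME_HEADERS = 54             # Ethernet(14) + IPv4(20) + TCP(20); placeholders in this example


def make_frame(seq, size=1514):
    """Constructed sample frame: zeroed header bytes followed by file-like payload."""
    return bytes(FRAME_HEADERS) + bytes([65 + seq % 26]) * (size - FRAME_HEADERS)


# Constructed sample: three back-to-back segments, then one arriving 12.75 s later.
SAMPLE_PACKETS = [
    (1476700000, 0, make_frame(0)),
    (1476700000, 250000, make_frame(1)),
    (1476700000, 500000, make_frame(2)),
    (1476700012, 750000, make_frame(3)),
]


def build_pcap(packets, snaplen=65535):
    """Serialise (ts_sec, ts_usec, frame) triples into a full-length pcap byte string."""
    out = struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, data in packets:
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(data), len(data)) + data
    return out


def truncate_pcap(pcap_bytes, snaplen):
    """Apply a snap length after the fact: keep at most `snaplen` bytes per record,
    preserve timestamps and orig_len, and record the new snaplen in the global header."""
    hdr = struct.unpack(GLOBAL_HDR, pcap_bytes[:24])
    if hdr[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    out = struct.pack(GLOBAL_HDR, hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], snaplen, hdr[6])
    off = 24
    while off < len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(RECORD_HDR, pcap_bytes[off:off + 16])
        off += 16
        kept = pcap_bytes[off:off + incl_len][:snaplen]
        off += incl_len
        out += struct.pack(RECORD_HDR, ts_sec, ts_usec, len(kept), orig_len) + kept
    return out


def summarize(pcap_bytes):
    """Return (packet_count, bytes_on_wire, bytes_stored, duration_seconds).
    Duration is last timestamp minus first, computed in integer microseconds."""
    count = wire = stored = 0
    first = last = None
    off = 24
    while off < len(pcap_bytes):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(RECORD_HDR, pcap_bytes[off:off + 16])
        off += 16 + incl_len
        count += 1
        wire += orig_len
        stored += incl_len
        ts = ts_sec * 1_000_000 + ts_usec
        first = ts if first is None else first
        last = ts
    duration = (last - first) / 1e6 if count else 0.0
    return count, wire, stored, duration


if __name__ == "__main__":
    full = build_pcap(SAMPLE_PACKETS)
    small = truncate_pcap(full, 96)          # 96 bytes is enough for L2-L4 headers here
    for label, cap in (("full capture", full), ("snaplen 96", small)):
        n, wire, stored, secs = summarize(cap)
        print(f"{label}: {n} packets, {wire} B on wire, {stored} B stored, "
              f"{secs:.2f} s transfer, file size {len(cap)} B")
```

Run it and the two summary lines show the same packet count, wire bytes and 12.75 s duration, while the stored bytes drop from 6056 to 384. On a live capture the equivalent is dumpcap/tshark's `-s` option (or the snap length field in Wireshark's capture options); pick a value large enough to cover your link, IP and transport headers, since a value that cuts into the TCP header loses the sequence and window information you need to explain the slow transfers.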