This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Prevent capture of file contents

0

I'm running a test that transfers large files on/off the test machine (which is running Wireshark). It needs to run overnight (cycles files every 30 minutes), and the logging in Wireshark fills the machine too quickly and makes Wireshark unusable.

I'd like to filter all file contents (but maintain the transfer time for the file copy), before it gets captured. I'm trying to isolate the network traffic when the file transfers intermittently take much longer than expected.

Any suggestions or pointers to filter file contents on the way into the log are appreciated.

Thanks.

asked 17 Oct '16, 13:16


WayneConnection
6113
accept rate: 0%

Can you please clarify your question?

Are you asking for how to isolate only the packets of interest in order to limit the amount of data captured, or are you trying to run Wireshark for only as long as it takes for the file transfer to occur and then stop capturing and only retain the file if the time exceeded some threshold for data transfer? Or are you looking to do something else?

(17 Oct '16, 16:45) cmaynard ♦♦

One Answer:

1

There is the option to set the snap length on the interface you capture on to less than the default value of 65535. This allows you to keep the start of all packets (retaining timing and header info) while leaving (most of the) payload (file data) for what it is. This limits the capture file size. You'll have to tune this parameter to your particular needs.

answered 17 Oct '16, 22:19


Jaap ♦
11.7k16101
accept rate: 14%
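To make the snap-length answer concrete, here is an added example (not part of the original answer or of Wireshark's own code). It builds a constructed classic-pcap file in memory whose packets are cut at a snaplen of 96 bytes, the way `dumpcap -s 96` would store them, then parses the file back to show how truncation is visible in the per-packet record header: `incl_len` (bytes stored) drops below `orig_len` (bytes on the wire) while timestamps survive intact. The interface name `eth0`, the snaplen of 96 and the ring-buffer sizes in `dumpcap_command` are assumptions chosen for illustration; `-s`, `-b` and `-w` are real dumpcap options.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def dumpcap_command(interface="eth0", snaplen=96, outfile="/tmp/overnight.pcap",
                    file_size_kb=102400, ring_files=10):
    """Assumed overnight capture line: keep only the first `snaplen` bytes of each
    frame (-s) and rotate through a fixed number of files (-b) so the disk never
    fills. 96 bytes covers Ethernet + IPv4/IPv6 + TCP headers with options."""
    return ["dumpcap", "-i", interface, "-s", str(snaplen),
            "-b", f"filesize:{file_size_kb}", "-b", f"files:{ring_files}",
            "-w", outfile]


def build_pcap(snaplen, packet_lengths):
    """Constructed sample: a little-endian classic pcap whose packets were
    truncated to `snaplen` bytes at capture time (payload bytes are zeros)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    out = [header]
    for i, orig_len in enumerate(packet_lengths):
        incl_len = min(orig_len, snaplen)          # what dumpcap actually stores
        # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        record = struct.pack("<IIII", 1476700000 + i, 0, incl_len, orig_len)
        out.append(record + b"\x00" * incl_len)
    return b"".join(out)


def summarize_pcap(data):
    """Parse a classic pcap and report how much of the traffic was kept.
    Timing is preserved per packet even when the payload is cut away."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                      # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    *_, snaplen, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    off = 24
    packets = truncated = stored = on_wire = 0
    first_ts = last_ts = None
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("record runs past end of file")
        off += incl_len
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        packets += 1
        stored += incl_len
        on_wire += orig_len
        if incl_len < orig_len:
            truncated += 1
    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "packets": packets,
        "truncated": truncated,
        "stored_bytes": stored,
        "wire_bytes": on_wire,
        "duration_s": (last_ts - first_ts) if packets else 0.0,
    }


if __name__ == "__main__":
    # Constructed traffic: three full-size data frames and two bare ACKs.
    sample = build_pcap(96, [1514, 1514, 66, 1514, 66])
    print(" ".join(dumpcap_command()))
    print(summarize_pcap(sample))
```

With the constructed sample the parser reports 5 packets, 3 of them truncated, 420 bytes stored against 4674 on the wire, and a 4-second span between first and last timestamp. The same `stored_bytes` versus `wire_bytes` check run on a real overnight capture tells you how much disk the snaplen saved and whether `incl_len < orig_len` only ever hits the large data frames, which is exactly what is wanted when the goal is timing rather than file contents.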

Cmaynard: I was looking "how to isolate only the packets of interest in order to limit the amount of data captured" - thanks for the follow-up

Jaap: This did the trick. Thanks for both your quick responses, I'm new to Wireshark and this saved lots of time.

(18 Oct '16, 05:55) WayneConnection