This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Limiting Packet Captures?

0

Watching tutorials and reading guides has helped much, but I've noticed that the instructors in said tutorial/guide don't capture as many packets as I do when I run my chosen capture interface. When I start Wireshark and go to the Capture Interface list it displays one single interface. Assuming this is the one for me, I instantly notice a difference between theirs and mine. Mine is already capturing packets: the Packets column will continue to rise (up to 26,00 captures) while the Packets/s will grow to 10 or so then drop back to 0, while when I look at theirs they may have 10 or even none. When I select my interface I get an overflow of captured packets which continues to capture more and more, making it super difficult to weed out the useful stuff.

asked 12 Jan '12, 08:43


n09a
accept rate: 0%

edited 12 Jan '12, 12:10


multipleinte...

Furthermore, most of what I'm capturing is "1514 Continuation Non-HTTP traffic". Any suggestions?

(12 Jan '12, 08:57) n09a

(Converted to a comment in keeping with the way this site works. Please see the FAQ).

(12 Jan '12, 09:01) Bill Meier ♦♦

One Answer:

0

Welcome to the world of network analysis!

I remember being surprised at the sheer amount of stuff going on from/to my PC when I first did a capture.

Display (and Capture) filters can help you to filter out unwanted stuff so as to focus on the "useful stuff".

answered 12 Jan '12, 08:58


Bill Meier ♦♦
accept rate: 17%

edited 12 Jan '12, 09:01

I've learned little with filtering, but I do know how to... hehe. Any way I can filter through HTTP captures so I can only view Posts?

(12 Jan '12, 09:01) n09a

I suspect using a display filter like http.request.method=="POST" will work.

You can learn about possible field names to filter on by selecting a field in the "details" pane and then looking at the status line at the bottom of the Wireshark window to see the name of the field.

(12 Jan '12, 09:12) Bill Meier ♦♦
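To make the two points in this thread concrete (why a busy capture fills up with 1514-byte "Continuation" frames, and why a display filter on http.request.method keeps only the one frame carrying the request line), here is an added Python example. It is not from the original thread or from the Wireshark project. It builds a small constructed capture in memory (hypothetical frames holding only a destination port and a TCP payload, not full headers), mimics the capture filter `tcp port 80` and the display filter http.request.method == "POST", and summarizes what each keeps.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# A 1514-byte frame is 14 (Ethernet) + 20 (IPv4) + 20 (TCP) + 1460 bytes of payload:
# the largest segment a sender puts on the wire, so bulk transfers are mostly these.
MSS = 1460
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


@dataclass
class Frame:
    number: int      # frame number, as in Wireshark's "No." column
    dst_port: int    # TCP destination port (hypothetical: real frames carry full headers)
    payload: bytes   # TCP payload only


def segment(message: bytes, mss: int = MSS) -> List[bytes]:
    """Split one application message into MSS-sized TCP segments, as a sender would."""
    return [message[i:i + mss] for i in range(0, len(message), mss)]


def http_request_method(frame: Frame) -> Optional[bytes]:
    """Return the method if the payload starts with an HTTP request line, else None.

    This is what the field http.request.method holds.  A segment that carries
    only the middle of a message has no request line and therefore no such
    field, which is why Wireshark lists it as 'Continuation or non-HTTP traffic'.
    """
    line, sep, _ = frame.payload.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) == 3 and parts[0] in HTTP_METHODS and parts[2].startswith(b"HTTP/"):
        return parts[0]
    return None


def classify(frame: Frame) -> str:
    """Approximate the Info-column label Wireshark would give the frame."""
    method = http_request_method(frame)
    if method is not None:
        return "HTTP " + method.decode()
    if frame.dst_port == 80:          # dissected as HTTP, but no request line in this segment
        return "Continuation or non-HTTP traffic"
    return "non-HTTP"


def capture_filter_tcp_port(frames: List[Frame], port: int) -> List[Frame]:
    """Mimic the capture filter 'tcp port N': non-matching frames are never stored at all."""
    return [f for f in frames if f.dst_port == port]


def display_filter_post(frames: List[Frame]) -> List[Frame]:
    """Mimic the display filter http.request.method == "POST" on an existing capture."""
    return [f for f in frames if http_request_method(f) == b"POST"]


def summarize(frames: List[Frame]) -> Dict[str, int]:
    """Count frames per Info label, the way the packet list looks at a glance."""
    counts: Dict[str, int] = {}
    for f in frames:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_capture() -> List[Frame]:
    """Constructed capture: one GET, one POST whose body spans three segments,
    and two records on port 443 (made-up bytes standing in for TLS, not a real handshake)."""
    frames: List[Frame] = []

    def add(port: int, payload: bytes) -> None:
        frames.append(Frame(len(frames) + 1, port, payload))

    add(80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    body = b"field=" + b"A" * 4000
    post = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(body) + body)
    for seg in segment(post):          # 4073 bytes -> segments of 1460, 1460, 1153
        add(80, seg)
    add(443, b"\x16\x03\x01\x00\x05hello")
    add(443, b"\x17\x03\x03\x00\x03abc")
    return frames


if __name__ == "__main__":
    capture = build_sample_capture()
    print("unfiltered:", summarize(capture))
    print("capture filter 'tcp port 80':", summarize(capture_filter_tcp_port(capture, 80)))
    for f in display_filter_post(capture):
        print("POST in frame", f.number, "-", f.payload.split(b"\r\n")[0].decode())
```

Running it shows the shape of the original problem in miniature: one 4 KB upload produces three frames, two of which carry no HTTP header and would show up as "Continuation"; the capture filter only narrows by port, while the display filter on the method field reduces the list to the single frame that starts the POST. The same filter expression typed into Wireshark's filter bar (or given to tshark with `-Y`) behaves the same way on a real capture.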