Capturing Live Network Data
Introduction

Capturing live network data is one of the major features of Wireshark. The Wireshark capture engine provides the following features:

- Capture from different kinds of network hardware (Ethernet, Token Ring, ATM, ...).
- Stop the capture on different triggers like: amount of captured data, captured time, captured number of packets.
- Simultaneously show decoded packets while Wireshark keeps on capturing.
- Filter packets, reducing the amount of data to be captured, see .
- Capturing into multiple files while doing a long term capture, and in addition the option to form a ringbuffer of these files, keeping only the last x files, useful for a "very long term" capture, see .

The capture engine still lacks the following features:

- Simultaneous capturing from multiple network interfaces (however, you can start multiple instances of Wireshark and merge capture files later).
- Stop capturing (or doing some other action), depending on the captured data.
Prerequisites

Setting up Wireshark to capture packets for the first time can be tricky.

Tip! A comprehensive guide "How To setup a Capture" is available at: &WiresharkWikiPage;/CaptureSetup.

Here are some common pitfalls:

- You need to have root / Administrator privileges to start a live capture.
- You need to choose the right network interface to capture packet data from.
- You need to capture at the right place in the network to see the traffic you want to see.
- ... and a lot more!

If you have any problems setting up your capture environment, you should have a look at the guide mentioned above.
Start Capturing

One of the following methods can be used to start capturing packets with Wireshark:

- You can get an overview of the available local interfaces using the "Capture Interfaces" dialog box, see or . You can start a capture from this dialog box, using (one of) the "Capture" button(s).
- You can start capturing using the "Capture Options" dialog box, see .
- If you have selected the right capture options before, you can immediately start a capture using the "Capture Start" menu / toolbar item. The capture process will start immediately.
- If you already know the name of the capture interface, you can start Wireshark from the command line and use the following:

      wireshark -i eth0 -k

  This will start Wireshark capturing on interface eth0, more details can be found at: .
The "Capture Interfaces" dialog box

When you select "Interfaces..." from the Capture menu, Wireshark pops up the "Capture Interfaces" dialog box as shown in or .

This dialog consumes lots of system resources! As the "Capture Interfaces" dialog is showing live captured data, it is consuming a lot of system resources. Close this dialog as soon as possible to prevent excessive system load.

Not all available interfaces may be displayed! This dialog box will only show the local interfaces Wireshark knows of. It will not show interfaces marked as hidden in . As Wireshark might not be able to detect all local interfaces, and it cannot detect the remote interfaces available, there could be more capture interfaces available than listed.
The "Capture Interfaces" dialog box on Microsoft Windows
The "Capture Interfaces" dialog box on Unix/Linux
Device (Unix/Linux only)
    The interface device name.
Description
    The interface description provided by the operating system, or the user defined comment added in .
IP
    The first IP address Wireshark could resolve from this interface. If no address could be resolved (e.g. no DHCP server available), "unknown" will be displayed. If more than one IP address could be resolved, only the first is shown (unpredictable which one in that case).
Packets
    The number of packets captured from this interface, since this dialog was opened. Will be greyed out, if no packet was captured in the last second.
Packets/s
    Number of packets captured in the last second. Will be greyed out, if no packet was captured in the last second.
Stop
    Stop a currently running capture.
Start
    Start a capture on this interface immediately, using the settings from the last capture.
Options
    Open the Capture Options dialog with this interface selected, see .
Details (Microsoft Windows only)
    Open a dialog with detailed information about the interface, see .
Help
    Show this help page.
Close
    Close this dialog box.
The "Capture Options" dialog box

When you select Start... from the Capture menu (or use the corresponding item in the "Main" toolbar), Wireshark pops up the "Capture Options" dialog box as shown in .
The "Capture Options" dialog box
Tip! If you are unsure which options to choose in this dialog box, just try keeping the defaults as this should work well in many cases. You can set the following fields in this dialog box:
Capture frame

Interface
    This field specifies the interface you want to capture on. You can only capture on one interface, and you can only capture on interfaces that Wireshark has found on the system. It is a drop-down list, so simply click on the button on the right hand side and select the interface you want. It defaults to the first non-loopback interface that supports capturing, and if there are none, the first loopback interface. On some systems, loopback interfaces cannot be used for capturing (loopback interfaces are not available on Windows platforms). This field performs the same function as the -i <interface> command line option.
IP address
    The IP address(es) of the selected interface. If no address could be resolved from the system, "unknown" will be shown.
Link-layer header type
    Unless you are in the rare situation that you need this, just keep the default. For a detailed description, see .
Buffer size: n megabyte(s)
    Enter the buffer size to be used while capturing. This is the size of the kernel buffer which will keep the captured packets, until they are written to disk. If you encounter packet drops, try increasing this value. Note: This option is only available on Windows platforms.
Capture packets in promiscuous mode
    This checkbox allows you to specify that Wireshark should put the interface in promiscuous mode when capturing. If you do not specify this, Wireshark will only capture the packets going to or from your computer (not all packets on your LAN segment). Note: If some other process has put the interface in promiscuous mode you may be capturing in promiscuous mode even if you turn off this option. Note: Even in promiscuous mode you still won't necessarily see all packets on your LAN segment, see for some more explanations.
Limit each packet to n bytes
    This field allows you to specify the maximum amount of data that will be captured for each packet, and is sometimes referred to as the snaplen. If disabled, the default is 65535, which will be sufficient for most protocols. Some rules of thumb:
    - If you are unsure, just keep the default value.
    - If you don't need all of the data in a packet - for example, if you only need the link-layer, IP, and TCP headers - you might want to choose a small snapshot length, as less CPU time is required for copying packets, less buffer space is required for packets, and thus perhaps fewer packets will be dropped if traffic is very heavy.
    - If you don't capture all of the data in a packet, you might find that the packet data you want is in the part that's dropped, or that reassembly isn't possible as the data required for reassembly is missing.
Capture Filter
    This field allows you to specify a capture filter. Capture filters are discussed in more detail in . It defaults to empty, or no filter. You can also click on the button labeled "Capture Filter", and Wireshark will bring up the Capture Filters dialog box and allow you to create and/or select a filter. Please see .
Capture File(s) frame

An explanation about capture file usage can be found in .

File
    This field allows you to specify the file name that will be used for the capture file. This field is left blank by default. If the field is left blank, the capture data will be stored in a temporary file, see for details. You can also click on the button to the right of this field to browse through the filesystem.
Use multiple files
    Instead of using a single file, Wireshark will automatically switch to a new one, if a specific trigger condition is reached.
Next file every n megabyte(s)
    Multiple files only: Switch to the next file after the given number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been captured.
Next file every n minute(s)
    Multiple files only: Switch to the next file after the given number of second(s)/minute(s)/hour(s)/day(s) have elapsed.
Ring buffer with n files
    Multiple files only: Form a ring buffer of the capture files, with the given number of files.
Stop capture after n file(s)
    Multiple files only: Stop capturing after switching to the next file the given number of times.
Stop Capture... frame

... after n packet(s)
    Stop capturing after the given number of packets have been captured.
... after n megabyte(s)
    Stop capturing after the given number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been captured. This option is greyed out, if "Use multiple files" is selected.
... after n minute(s)
    Stop capturing after the given number of second(s)/minute(s)/hour(s)/day(s) have elapsed.
Display Options frame

Update list of packets in real time
    This option allows you to specify that Wireshark should update the packet list pane in real time. If you do not specify this, Wireshark does not display any packets until you stop the capture. When you check this, Wireshark captures in a separate process and feeds the captures to the display process.
Automatic scrolling in live capture
    This option allows you to specify that Wireshark should scroll the packet list pane as new packets come in, so you are always looking at the last packet. If you do not specify this, Wireshark simply adds new packets onto the end of the list, but does not scroll the packet list pane. This option is greyed out if "Update list of packets in real time" is disabled.
Hide capture info dialog
    If this option is checked, the capture info dialog described in will be hidden.
Name Resolution frame

Enable MAC name resolution
    This option allows you to control whether or not Wireshark translates MAC addresses into names, see .
Enable network name resolution
    This option allows you to control whether or not Wireshark translates network addresses into names, see .
Enable transport name resolution
    This option allows you to control whether or not Wireshark translates transport addresses into protocols, see .
Buttons

Once you have set the values you desire and have selected the options you need, simply click on Start to commence the capture, or Cancel to cancel the capture. If you start a capture, Wireshark allows you to stop capturing when you have enough packets captured, for details see .
The "Interface Details" dialog box

When you select Details from the Capture Interface menu, Wireshark pops up the "Interface Details" dialog box as shown in . This dialog shows various characteristics and statistics for the selected interface.

Microsoft Windows only! This dialog is only available on Microsoft Windows.
The "Interface Details" dialog box
Capture files and file modes

While capturing, the underlying libpcap capturing engine will grab the packets from the network card and keep the packet data in a (relatively) small kernel buffer. This data is read by Wireshark and saved into the capture file(s) the user specified. Different modes of operation are available when saving this packet data to the capture file(s).

Tip! Working with large files (several hundred MB) can be quite slow. If you plan to do a long term capture or capturing from a high traffic network, think about using one of the "Multiple files" options. This will spread the captured packets over several smaller files which can be much more pleasant to work with.

Note! Using Multiple files may cut context related information. Wireshark keeps context information of the loaded packet data, so it can report context related problems (like a stream error) and keeps information about context related protocols (e.g. where data is exchanged at the establishing phase and only referred to in later packets). As it keeps this information only for the loaded file, using one of the multiple file modes may cut these contexts. If the establishing phase is saved in one file and the things you would like to see are in another, you might not see some of the valuable context related information.

Tip! Information about the folders used for the capture file(s), can be found in .

Capture file mode selected by capture options

"File" option | "Use multiple files" option | "Ring buffer with n files" option | Mode                        | Resulting filename(s) used
-             | -                           | -                                 | Single temporary file       | etherXXXXXX (where XXXXXX is a unique number)
foo.cap       | -                           | -                                 | Single named file           | foo.cap
foo.cap       | x                           | -                                 | Multiple files, continuous  | foo_00001_20040205110102.cap, foo_00002_20040205110102.cap, ...
foo.cap       | x                           | x                                 | Multiple files, ring buffer | foo_00001_20040205110102.cap, foo_00002_20040205110102.cap, ...
Single temporary file
    A temporary file will be created and used (this is the default). After the capturing is stopped, this file can be saved later under a user specified name.
Single named file
    A single capture file will be used. If you want to place the new capture file in a specific folder, choose this mode.
Multiple files, continuous
    Like the "Single named file" mode, but a new file is created and used, after reaching one of the multiple file switch conditions (one of the "Next file every ..." values).
Multiple files, ring buffer
    Much like "Multiple files continuous", reaching one of the multiple files switch conditions (one of the "Next file every ..." values) will switch to the next file. This will be a newly created file if the value of "Ring buffer with n files" is not reached, otherwise it will replace the oldest of the formerly used files (thus forming a "ring"). This mode will limit the maximum disk usage, even for an unlimited amount of capture input data, keeping the latest captured data.
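The file naming scheme from the table and the difference between the "continuous" and "ring buffer" modes, as an added simulation written for this page (not Wireshark's own code). It assumes a base name such as foo.cap, uses a constructed list of packet sizes in place of a live capture, and stamps every file with the timestamp shown in the table; the names simulate_multiple_files and capture_file_name are this example's own.

```python
"""Simulate the multiple-file capture modes (continuous and ring buffer).

Added example for this page, not Wireshark's code: it reproduces the
foo_00001_20040205110102.cap naming scheme and the retention rules, with a
constructed list of packet sizes standing in for captured data.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple


def capture_file_name(base: str, index: int, when: datetime) -> str:
    """Build '<stem>_<index>_<YYYYMMDDhhmmss>.<ext>' from a base name like 'foo.cap'."""
    stem, dot, ext = base.rpartition(".")
    if not dot:                       # no extension given
        stem, ext = base, ""
    suffix = f".{ext}" if ext else ""
    return f"{stem}_{index:05d}_{when:%Y%m%d%H%M%S}{suffix}"


def simulate_multiple_files(
    base: str,
    packet_sizes: List[int],
    next_file_bytes: int,
    ring_files: Optional[int] = None,
    start: datetime = datetime(2004, 2, 5, 11, 1, 2),   # timestamp used in the table
) -> Tuple[List[str], List[str], Dict[str, int]]:
    """Return (all files ever created, files still on disk, bytes per created file).

    A new file is started once the current one has reached next_file_bytes
    (the "Next file every n megabyte(s)" trigger). With ring_files set, the
    oldest file is deleted as soon as more than that many files exist, so
    disk usage stays bounded while the newest data survives.
    """
    created: List[str] = []
    on_disk: List[str] = []
    sizes: Dict[str, int] = {}

    def open_next() -> str:
        name = capture_file_name(base, len(created) + 1, start)
        created.append(name)
        on_disk.append(name)
        sizes[name] = 0
        if ring_files is not None and len(on_disk) > ring_files:
            on_disk.pop(0)            # ring buffer: the oldest file is replaced
        return name

    current = open_next()
    for size in packet_sizes:
        if sizes[current] >= next_file_bytes:
            current = open_next()     # switch condition reached: next file
        sizes[current] += size
    return created, on_disk, sizes


if __name__ == "__main__":
    # Constructed input: seven 600-byte packets, switch files at 1000 bytes, keep 2 files.
    created, on_disk, sizes = simulate_multiple_files("foo.cap", [600] * 7, 1000, ring_files=2)
    print("created:", created)
    print("on disk:", on_disk)
```

Running the block shows four files being created but only the last two remaining on disk, which is exactly the context-loss trade-off the note above warns about: a connection whose establishing phase landed in foo_00001 is no longer fully reconstructible once that file has been replaced.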
Link-layer header type

In the usual case, you won't have to choose this link-layer header type. The following paragraphs describe the exceptional cases, where selecting this type is possible, so you will have a guide of what to do:

- If you are capturing on an 802.11 device on some versions of BSD, this might offer a choice of "Ethernet" or "802.11". "Ethernet" will cause the captured packets to have fake Ethernet headers; "802.11" will cause them to have IEEE 802.11 headers. Unless the capture needs to be read by an application that doesn't support 802.11 headers, you should select "802.11".
- If you are capturing on an Endace DAG card connected to a synchronous serial line, this might offer a choice of "PPP over serial" or "Cisco HDLC"; if the protocol on the serial line is PPP, select "PPP over serial", and if the protocol on the serial line is Cisco HDLC, select "Cisco HDLC".
- If you are capturing on an Endace DAG card connected to an ATM network, this might offer a choice of "RFC 1483 IP-over-ATM" or "Sun raw ATM". If the only traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture needs to be read by an application that doesn't support SunATM headers, select "RFC 1483 IP-over-ATM", otherwise select "Sun raw ATM".
- If you are capturing on an Ethernet device, this might offer a choice of "Ethernet" or "DOCSIS". If you are capturing traffic from a Cisco Cable Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be captured, select "DOCSIS", otherwise select "Ethernet".
Filtering while capturing

Wireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump man page, which can be hard to understand, so it's explained here to some extent.

Tip! You will find a lot of Capture Filter examples at &WiresharkWikiCaptureFiltersPage;.

You enter the capture filter into the Filter field of the Wireshark Capture Options dialog box, as shown in . The following is an outline of the syntax of the tcpdump capture filter language. See the expression option at the tcpdump manual page for details: .

A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or) and optionally preceded by not:

    [not] primitive [and|or [not] primitive ...]

An example is shown in .

A capture filter for telnet that captures traffic to and from a particular host

    tcp port 23 and host 10.0.0.5

This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives and the and conjunction.

Another example is shown in , and shows how to capture all telnet traffic except that from 10.0.0.5.

Capturing all telnet traffic not from 10.0.0.5

    tcp port 23 and not src host 10.0.0.5

XXX - add examples to the following list.

A primitive is simply one of the following:

[src|dst] host <host>
    This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.
ether [src|dst] host <ehost>
    This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.
gateway host <host>
    This primitive allows you to filter on packets that used host as a gateway. That is, where the Ethernet source or destination was host but neither the source nor destination IP address was host.
[src|dst] net <net> [{mask <mask>}|{len <len>}]
    This primitive allows you to filter on network numbers. You can optionally precede this primitive with the keyword src|dst to specify that you are only interested in a source or destination network. If neither of these are present, packets will be selected that have the specified network in either the source or destination address. In addition, you can specify either the netmask or the CIDR prefix for the network if they are different from your own.
[tcp|udp] [src|dst] port <port>
    This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp which allow you to specify that you are only interested in source or destination ports and TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst. If these are not specified, packets will be selected for both the TCP and UDP protocols and when the specified address appears in either the source or destination port field.
less|greater <length>
    This primitive allows you to filter on packets whose length was less than or equal to the specified length, or greater than or equal to the specified length, respectively.
ip|ether proto <protocol>
    This primitive allows you to filter on the specified protocol at either the Ethernet layer or the IP layer.
ether|ip broadcast|multicast
    This primitive allows you to filter on either Ethernet or IP broadcasts or multicasts.
<expr> relop <expr>
    This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets.
Please see the tcpdump man page at for more details.
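To make the semantics of the host, net and port primitives and of the src|dst and tcp|udp qualifiers concrete, here is an added evaluator written for this page; it is not Wireshark's or libpcap's code, and real capture filters are compiled to BPF in the kernel, not interpreted like this. It assumes packets summarised as dicts with the constructed fields src, dst, proto, sport and dport, supports only the three primitives named (the page's `len` form is accepted as the `net/len` CIDR notation of the tcpdump man page), and combines and/or left to right with equal precedence and not binding tightest, which is what the pcap-filter man page specifies; parentheses and the other primitives are rejected with an error rather than silently ignored. The function names compile_filter, apply_filter and is_valid_filter and the SAMPLE_PACKETS data are this example's own.

```python
"""Evaluate capture filters of the outlined form against packet summaries.

Added example for this page (not Wireshark's or libpcap's code). Supports
host, net and port primitives with src|dst and tcp|udp qualifiers, 'not',
and 'and'/'or' combined left to right with equal precedence.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]       # constructed summary: src, dst, proto, sport, dport
Matcher = Callable[[Packet], bool]

# Constructed sample traffic: a telnet session from 10.0.0.5, one from 10.0.0.7,
# and a UDP datagram to port 23 (telnet is TCP, so 'tcp port 23' must skip it).
SAMPLE_PACKETS: List[Packet] = [
    {"src": "10.0.0.5", "dst": "192.0.2.1", "proto": "tcp", "sport": 40000, "dport": 23},
    {"src": "192.0.2.1", "dst": "10.0.0.5", "proto": "tcp", "sport": 23, "dport": 40000},
    {"src": "10.0.0.7", "dst": "192.0.2.1", "proto": "tcp", "sport": 40001, "dport": 23},
    {"src": "10.0.0.5", "dst": "192.0.2.1", "proto": "udp", "sport": 5000, "dport": 23},
]


def _take(tokens: List[str], i: int) -> Tuple[str, int]:
    if i >= len(tokens):
        raise ValueError("unexpected end of filter expression")
    return tokens[i], i + 1


def _by_direction(direction, src_hit: bool, dst_hit: bool) -> bool:
    # Without a src|dst qualifier the value may appear in either position.
    if direction == "src":
        return src_hit
    if direction == "dst":
        return dst_hit
    return src_hit or dst_hit


def _parse_primitive(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    proto = direction = None
    word, i = _take(tokens, i)
    if word in ("tcp", "udp"):           # tcp|udp must appear before src|dst
        proto = word
        word, i = _take(tokens, i)
    if word in ("src", "dst"):
        direction = word
        word, i = _take(tokens, i)
    if proto and word != "port":
        raise ValueError("tcp|udp qualifies only the port primitive")
    value, i = _take(tokens, i)
    if word == "host":
        return (lambda p: _by_direction(direction, p["src"] == value, p["dst"] == value)), i
    if word == "net":
        if i < len(tokens) and tokens[i] == "mask":
            mask, i = _take(tokens, i + 1)
            value = f"{value}/{mask}"    # 'net N mask M'; 'N/len' is accepted as-is
        net = ipaddress.ip_network(value, strict=False)
        return (lambda p: _by_direction(direction,
                                        ipaddress.ip_address(p["src"]) in net,
                                        ipaddress.ip_address(p["dst"]) in net)), i
    if word == "port":
        port = int(value)
        protos = (proto,) if proto else ("tcp", "udp")   # no qualifier: both protocols
        return (lambda p: p["proto"] in protos
                and _by_direction(direction, p["sport"] == port, p["dport"] == port)), i
    raise ValueError(f"unsupported primitive {word!r}")


def _parse_factor(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    if i < len(tokens) and tokens[i] == "not":       # negation binds tightest
        inner, i = _parse_factor(tokens, i + 1)
        return (lambda p: not inner(p)), i
    return _parse_primitive(tokens, i)


def compile_filter(text: str) -> Matcher:
    """Turn a capture filter string into a predicate over packet summaries."""
    tokens = text.split()
    if not tokens:
        return lambda p: True                        # empty filter: keep everything
    matcher, i = _parse_factor(tokens, 0)
    while i < len(tokens):                           # and/or: equal precedence, left to right
        op, i = _take(tokens, i)
        if op not in ("and", "or"):
            raise ValueError(f"expected and/or, got {op!r}")
        rhs, i = _parse_factor(tokens, i)
        lhs = matcher
        if op == "and":
            matcher = lambda p, l=lhs, r=rhs: l(p) and r(p)
        else:
            matcher = lambda p, l=lhs, r=rhs: l(p) or r(p)
    return matcher


def apply_filter(text: str, packets: List[Packet]) -> List[bool]:
    """Return, per packet, whether the capture filter would keep it."""
    keep = compile_filter(text)
    return [keep(p) for p in packets]


def is_valid_filter(text: str) -> bool:
    """True if the filter parses under this evaluator's subset of the grammar."""
    try:
        compile_filter(text)
        return True
    except ValueError:
        return False
```

Running the two filters from the text over SAMPLE_PACKETS shows the point of the `src` qualifier: `tcp port 23 and host 10.0.0.5` keeps both directions of the 10.0.0.5 session, while `tcp port 23 and not src host 10.0.0.5` drops only the packets 10.0.0.5 sends and still keeps the replies to it. The left-to-right rule matters when mixing and/or: `src host 10.0.0.7 or src host 10.0.0.5 and udp port 23` is read as `(... or ...) and udp port 23`, so it keeps only the UDP datagram, not the whole 10.0.0.7 session.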
Automatic Remote Traffic Filtering

If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a terminal server, ...), the remote content has to be transported over the network, adding a lot of (usually unimportant) packets to the actually interesting traffic. To avoid this, Wireshark tries to figure out if it's remotely connected (by looking at some specific environment variables) and automatically creates a capture filter that matches aspects of the connection. The following environment variables are analyzed:

SSH_CONNECTION (ssh)
    <remote IP> <remote port> <local IP> <local port>
SSH_CLIENT (ssh)
    <remote IP> <remote port> <local port>
REMOTEHOST (tcsh, others?)
    <remote name>
DISPLAY (x11)
    [remote name]:<display num>
SESSIONNAME (terminal server)
    <remote name>
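The derivation described above, as an added example written for this page: it reads the same five environment variables with the layouts listed and turns them into a capture filter that excludes the session's own traffic. It is not Wireshark's code, the exact filter Wireshark generates may differ, and two details are assumptions of this example: values are validated against a host-name pattern before being spliced into the filter string, and a SESSIONNAME of "Console" is treated as a local session. The function name remote_session_filter is this example's own.

```python
"""Derive a capture filter that excludes the remote session's own traffic.

Added illustration of the behaviour described above; not Wireshark's code.
"""
import re
from typing import Dict, Optional

# Host names and IP addresses only; any other character would corrupt the filter string.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:_-]*$")


def _host(value: str) -> Optional[str]:
    return value if _HOST_RE.match(value) else None


def _port(value: str) -> Optional[str]:
    return value if value.isdigit() and 0 < int(value) < 65536 else None


def remote_session_filter(env: Dict[str, str]) -> Optional[str]:
    """Return a libpcap filter excluding the remote-display connection, or None if local."""
    # SSH_CONNECTION: "<remote IP> <remote port> <local IP> <local port>"
    parts = env.get("SSH_CONNECTION", "").split()
    if len(parts) == 4:
        rip, rport, lip, lport = _host(parts[0]), _port(parts[1]), _host(parts[2]), _port(parts[3])
        if rip and rport and lip and lport:
            return f"not (host {rip} and host {lip} and tcp port {rport} and tcp port {lport})"
    # SSH_CLIENT: "<remote IP> <remote port> <local port>"
    parts = env.get("SSH_CLIENT", "").split()
    if len(parts) == 3:
        rip, rport, lport = _host(parts[0]), _port(parts[1]), _port(parts[2])
        if rip and rport and lport:
            return f"not (host {rip} and tcp port {rport} and tcp port {lport})"
    # REMOTEHOST (tcsh): "<remote name>"
    rhost = _host(env.get("REMOTEHOST", ""))
    if rhost:
        return f"not host {rhost}"
    # DISPLAY (X11): "[remote name]:<display num>"; an empty name means a local display
    name, sep, _display = env.get("DISPLAY", "").partition(":")
    if sep and name and _host(name):
        return f"not host {name}"
    # SESSIONNAME (terminal server): "<remote name>". Assumption of this example:
    # the value "Console" marks a local console session and yields no filter.
    session = env.get("SESSIONNAME", "")
    if session and session != "Console" and _host(session):
        return f"not host {session}"
    return None


if __name__ == "__main__":
    import os
    print(remote_session_filter(dict(os.environ)))
```

The validation step is what makes the approach safe to apply automatically: environment variables are untrusted input, and splicing an unchecked value into a filter string would let a malformed variable turn the filter into something other than intended, so a value that does not look like a host or port simply produces no automatic filter.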
While a Capture is running ... While a capture is running, the following dialog box is shown:
The "Capture Info" dialog box
This dialog box will inform you about the number of captured packets and the time since the capture was started. The selection of which protocols are counted cannot be changed.
Tip! This Capture Info dialog box can be hidden, using the "Hide capture info dialog" option in the Capture Options dialog box.
Stop the running capture

A running capture session will be stopped in one of the following ways:

- Using the "Stop" button from the Capture Info dialog box. Note! The Capture Info dialog box might be hidden, if the option "Hide capture info dialog" is used.
- Using the menu item "Capture/Stop".
- Using the toolbar item "Stop".
- Pressing the accelerator keys: Ctrl+E.

The capture will be automatically stopped, if one of the Stop Conditions is exceeded, e.g. the maximum amount of data was captured.
Restart a running capture

A running capture session can be restarted with the same capture options as the last time; this will remove all packets previously captured. This can be useful, if some uninteresting packets are captured and there's no need to keep them. Restart is a convenience function and equivalent to a capture stop followed by an immediate capture start. A restart can be triggered in one of the following ways:

- Using the menu item "Capture/Restart".
- Using the toolbar item "Restart".