When you initiate a capture in Wireshark (by selecting an interface and clicking the “Start Capture” icon), you have the opportunity to configure various Capture Options that influence how Wireshark acquires network traffic. Accessing these options before starting a capture allows you to optimize the process for your specific analysis needs.
To access the Capture Options, you typically select the desired network interface from the Wireshark welcome screen or the “Capture > Options…” menu. This will open the “Capture Options” dialog box, which is organized into several tabs. Here are the key settings you’ll find:
1. Interface:
- Interface: Lists the available network interfaces on your system. You must select the interface(s) from which you want to capture traffic. You can select multiple interfaces to capture traffic from several sources simultaneously.
- Promiscuous Mode: Check this box to enable promiscuous mode on the selected interface(s). As discussed earlier, this allows the NIC to capture all traffic on the local network segment (if supported by the hardware and operating system).
- Capture packets in monitor mode (if available): This option is specific to Wi-Fi interfaces and allows you to capture raw 802.11 frames, including management and control frames, which are not typically seen in managed mode. This is essential for in-depth wireless network analysis.
2. Output:
- Create a new file automatically after: Allows you to configure Wireshark to save the capture data into multiple files based on:
- Duration: Creates a new file after a specified number of seconds.
- Filesize: Creates a new file after the current file reaches a specified size (in kilobytes or megabytes).
- Number of packets: Creates a new file after a specified number of packets have been captured.
- Ring buffer with: Enables a ring buffer, where Wireshark continuously captures data and overwrites the oldest data when the buffer is full. You can specify the number of files to keep in the ring buffer. This is useful for continuous monitoring with limited storage.
- Use multiple files: If you enable automatic file creation or the ring buffer, you can specify a base filename for the capture files. Wireshark will append sequential numbers to the filename.
3. Capture Filter:
- This field allows you to enter a capture filter that will be applied during the capture process. Only packets that match this filter will be captured and stored by Wireshark. Using effective capture filters is crucial for:
- Reducing the amount of captured data: This saves disk space and processing resources.
- Focusing on relevant traffic: Makes analysis much easier by eliminating irrelevant packets.
- The syntax for capture filters is specific and different from display filters. We will delve into capture filter syntax in detail on the next page.
4. Resolved:
- Enable network name resolution: Toggles the resolution of IP addresses to hostnames.
- Enable transport name resolution: Toggles the resolution of port numbers to well-known service names.
- Enable MAC address resolution: Toggles the resolution of MAC addresses to vendor names (OUI lookups).
- While name resolution can make the output more human-readable, it can also generate additional network traffic (DNS queries) and potentially slow down the capture process, especially on busy networks. You can disable it during capture and enable it later for analysis if needed.
5. Statistics:
- Displays real-time statistics about the ongoing capture, such as the number of packets captured, the number of packets displayed (if a capture filter is active), and the rate of packet capture.
Starting a Capture with Options:
- Open Wireshark.
- Click on the “Capture Options” icon (usually a gear or settings icon) or go to “Capture > Options…”.
- In the “Capture Options” dialog box, select the desired network interface(s) on the “Interface” tab.
- Configure other options as needed, such as promiscuous mode, capture file settings on the “Output” tab, and most importantly, a Capture Filter on the “Capture Filter” tab.
- Click the “Start” button to begin capturing traffic with the specified options.
By carefully configuring the Capture Options before starting your capture, you can significantly improve the efficiency and relevance of the data you collect for your network analysis tasks. Pay close attention to selecting the correct interface and utilizing effective capture filters.
