Wireshark - 1.9 User Manual
Capturing Live Network Data
Different modes of operation are available when saving this packet data to the capture file(s).
Tip!
Working with large files (several hundred MB) can be quite slow. If you plan to do a long-term
capture or to capture from a high-traffic network, think about using one of the "Multiple files"
options. This will spread the captured packets over several smaller files, which can be much
more pleasant to work with.
Note!
Using Multiple files may cut context-related information. Wireshark keeps context
information of the loaded packet data, so it can report context-related problems (like a stream
error) and keeps information about context-related protocols (e.g. where data is exchanged
at the establishing phase and only referred to in later packets). As it keeps this information
only for the loaded file, using one of the multiple file modes may cut these contexts. If the
establishing phase is saved in one file and the things you would like to see are in another, you
might not see some of the valuable context-related information.
Tip!
Information about the folders used for the capture file(s) can be found in
.
Table 4.1. Capture file mode selected by capture options
| "File" option | "Use multiple files" option | "Ring buffer with n files" option | Mode | Resulting filename(s) used |
|---|---|---|---|---|
| - | - | - | Single temporary file | wiresharkXXXXXX (where XXXXXX is a unique number) |
| foo.cap | - | - | Single named file | foo.cap |
| foo.cap | x | - | Multiple files, continuous | foo_00001_20100205110102.cap, foo_00002_20100205110318.cap, ... |
| foo.cap | x | x | Multiple files, ring buffer | foo_00001_20100205110102.cap, foo_00002_20100205110318.cap, ... |

Single temporary file
A temporary file will be created and used (this is the default). After
capturing is stopped, this file can be saved under a user-specified
name.
Single named file
A single capture file will be used. If you want to place the new
capture file in a specific folder, choose this mode.
Multiple files, continuous
Like the "Single named file" mode, but a new file is created and
used after one of the multiple file switch conditions (one
of the "Next file every ..." values) is reached.
Multiple files, ring buffer
Much like "Multiple files, continuous": reaching one of the multiple
file switch conditions (one of the "Next file every ..." values) will
switch to the next file. This will be a newly created file if the value of
"Ring buffer with n files" is not reached; otherwise it will replace
the oldest of the formerly used files (thus forming a "ring").
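
Because the ring buffer replaces the oldest files and Wireshark keeps context only for the loaded file, it helps to check which files of a set survive before starting an analysis. The following Python sketch is an added example, not part of the Wireshark guide: it parses the filename pattern from Table 4.1, flags a set whose first file is gone, and picks the files to merge for a time window. It assumes the timestamp in each name is the file's creation time; the sample names and all helper names are constructed.

```python
import re
from datetime import datetime

# Multi-file names as shown in Table 4.1: <base>_<5-digit seq>_<YYYYMMDDhhmmss>.<ext>
NAME_RE = re.compile(r"^(?P<base>.+)_(?P<seq>\d{5})_(?P<ts>\d{14})\.(?P<ext>[^.]+)$")

# Constructed sample directory listing (ring buffer with 3 files, files 1-3 already replaced).
SAMPLE = [
    "foo_00004_20100205110730.cap", "foo_00005_20100205110945.cap",
    "foo_00006_20100205111201.cap", "bar_00001_20100205110102.cap",
    "foo.cap", "foo_00007_20101305110000.cap",  # last one: invalid month, ignored
]

def parse_name(name):
    """Return base, sequence number and start time, or None if the name does not fit."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        started = datetime.strptime(m["ts"], "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return {"name": name, "base": m["base"], "seq": int(m["seq"]), "started": started}

def capture_set(names, base):
    """All files of one capture, oldest first (assumption: timestamp = file creation time)."""
    files = [f for f in map(parse_name, names) if f and f["base"] == base]
    return sorted(files, key=lambda f: (f["started"], f["seq"]))

def ring_overwrote_start(files):
    """True if file 1 is gone, so the establishing phase of long-lived streams may be missing."""
    return bool(files) and files[0]["seq"] != 1

def files_for_window(files, start, end):
    """Names of files that can hold packets in [start, end]; a file spans until the next starts."""
    picked = []
    for i, f in enumerate(files):
        next_start = files[i + 1]["started"] if i + 1 < len(files) else datetime.max
        if f["started"] <= end and next_start > start:
            picked.append(f["name"])
    return picked

def mergecap_args(files, start, end, out="merged.pcapng"):
    """Argument list for mergecap -w, which joins the files so context is kept in one load."""
    return ["mergecap", "-w", out, *files_for_window(files, start, end)]

if __name__ == "__main__":
    files = capture_set(SAMPLE, "foo")
    print("first file replaced by ring buffer:", ring_overwrote_start(files))
    print(mergecap_args(files, datetime(2010, 2, 5, 11, 8), datetime(2010, 2, 5, 11, 10)))
```

Loading the merged file instead of a single ring-buffer segment lets Wireshark rebuild stream context across the file boundaries that the selected window spans.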