Datenshi Posted March 3, 2010 (edited)

I tried to find some decent documentation on whether this feature was available, but I couldn't find anything. Just to make sure: is anyone aware of a filter or option with which to limit captures based on data? For example, I'm sniffing a network under heavy traffic, and so I thought a good idea to lessen the pressure was to start a capture once specific packet data was detected, then have it capture "everything" until another specific packet data was detected, at which point it stops capturing until another "start" packet is detected. This method would help if an application uses a specific port initially, but then randomly sends data during its usage, such as the MSN protocol. What I'm trying to achieve is to isolate the capture to start when I sign into MSN, then capture all my traffic until I sign out.

Edited March 3, 2010 by Datenshi
digip Posted March 3, 2010

You can set pre-capture filters so it only saves specific data types while dropping the rest, but there is nothing to turn on/off at will. It only captures once it's on and will do so until you either stop it or set a size limit for the capture file. Also, set it to capture to a file and turn off real-time updates, instead of running in memory. This way you don't lose any packets and you can analyze it afterwards. There is also the CLI version of Wireshark, I think it's t-shark (included with Wireshark), and you have a bit more control over things, so you can create bat scripts for each data type you want to capture, then just run the script each time you want to capture for that data.
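The start/stop gating the question asks for is not a capture-time option, but once the traffic has been written to a file (as the answer recommends, e.g. with `tshark -w`) it is straightforward to apply afterwards. The following is an added example, not code from this thread, from Wireshark or from tshark: a small Python script that reads a classic pcap file and keeps only the records from a packet carrying a "start" marker up to and including the next packet carrying a "stop" marker, repeating for every session in the file. The marker byte strings (`SIGNIN`/`SIGNOUT`), the sample packets and the DLT_USER0 link type are constructed assumptions so the example runs offline with no Ethernet/IP parsing; for a real capture you would match on the TCP payload of the sign-in and sign-out packets instead.

```python
"""Keep only the pcap records between a start-marker packet and the following
stop-marker packet, cycling for as many sessions as appear in the file.

Constructed example for the forum thread above; not Wireshark/tshark code.
The markers, sample packets and DLT_USER0 link type are assumptions."""
import os
import struct
import tempfile
from typing import Iterable, Iterator, List, Tuple

Packet = Tuple[int, int, bytes]   # (ts_sec, ts_usec, payload)

PCAP_MAGIC = 0xA1B2C3D4           # classic microsecond-resolution pcap
LINKTYPE_USER0 = 147              # DLT_USER0: record payload is the whole packet


def write_pcap(path: str, packets: Iterable[Packet],
               linktype: int = LINKTYPE_USER0) -> None:
    """Write a little-endian classic pcap file (24-byte global header,
    16-byte record headers)."""
    with open(path, "wb") as fh:
        # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        fh.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
        for ts_sec, ts_usec, payload in packets:
            fh.write(struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)))
            fh.write(payload)


def read_pcap(path: str) -> Iterator[Packet]:
    """Yield (ts_sec, ts_usec, payload) records; byte order comes from the magic.
    A truncated trailing record (capture killed mid-write) is dropped, not raised."""
    with open(path, "rb") as fh:
        magic_raw = fh.read(4)
        if len(magic_raw) < 4:
            return
        if struct.unpack("<I", magic_raw)[0] == PCAP_MAGIC:
            order = "<"
        elif struct.unpack(">I", magic_raw)[0] == PCAP_MAGIC:
            order = ">"
        else:
            raise ValueError("not a classic pcap file (pcapng/nanosecond not handled)")
        fh.read(20)                         # remainder of the global header
        rec_fmt = order + "IIII"
        while True:
            hdr = fh.read(16)
            if len(hdr) < 16:
                return
            ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(rec_fmt, hdr)
            payload = fh.read(incl_len)
            if len(payload) < incl_len:
                return
            yield ts_sec, ts_usec, payload


def gate(packets: Iterable[Packet], start_marker: bytes,
         stop_marker: bytes) -> Iterator[Packet]:
    """Two-state filter: dark until a start marker is seen, then pass everything
    through (including the start and stop packets) until a stop marker, repeat.
    If the file ends mid-session, the open session is kept in full."""
    recording = False
    for pkt in packets:
        payload = pkt[2]
        if not recording:
            if start_marker in payload:
                recording = True
                yield pkt
        else:
            yield pkt
            if stop_marker in payload:
                recording = False


def extract_sessions(pcap_path: str, start_marker: bytes,
                     stop_marker: bytes) -> List[Packet]:
    return list(gate(read_pcap(pcap_path), start_marker, stop_marker))


# Constructed sample capture: two sessions with unrelated traffic around them.
SAMPLE_PACKETS: List[Packet] = [
    (1000, 0, b"GET / HTTP/1.1\r\n"),
    (1001, 0, b"SIGNIN user@example.com"),    # assumed start marker
    (1002, 0, b"chat hello"),
    (1003, 0, b"SIGNOUT"),                    # assumed stop marker
    (1004, 0, b"DNS query example.com"),
    (1005, 0, b"SIGNIN user@example.com"),
    (1006, 0, b"chat again"),
    (1007, 0, b"SIGNOUT"),
    (1008, 0, b"GET /favicon.ico HTTP/1.1\r\n"),
]


def demo() -> List[Packet]:
    """Round-trip the sample through a temporary pcap file and gate it."""
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, SAMPLE_PACKETS)
        return extract_sessions(path, b"SIGNIN", b"SIGNOUT")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for ts_sec, _ts_usec, payload in demo():
        print(ts_sec, payload)
```

Running it keeps the six records between the two marker pairs and drops the three unrelated ones. Because the markers are substring matches on the whole record, choose them so that the stop bytes cannot appear inside ordinary session traffic, or the session will be cut short; matching on the full command line of the protocol rather than a short token is the usual fix.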