// WSUG Chapter Capture

[[ChapterCapture]]

== Capturing Live Network Data

[[ChCapIntroduction]]

=== Introduction

Capturing live network data is one of the major features of Wireshark.

The Wireshark capture engine provides the following features:

* Capture from different kinds of network hardware such as Ethernet or 802.11.

* Simultaneously capture from multiple network interfaces.

* Stop the capture on different triggers such as the amount of captured data,
  elapsed time, or the number of packets.

* Simultaneously show decoded packets while Wireshark is capturing.

* Filter packets, reducing the amount of data to be captured. See
  <<ChCapCaptureFilterSection>>.

* Save packets in multiple files while doing a long term capture, optionally
  rotating through a fixed number of files (a “ringbuffer”). See
  <<ChCapCaptureFiles>>.

The capture engine still lacks the following features:

* Stop capturing (or perform some other action) depending on the captured data.

[[ChCapPrerequisitesSection]]

=== Prerequisites

Setting up Wireshark to capture packets for the first time can be
tricky. A comprehensive guide “How To setup a Capture” is available at
{wireshark-wiki-url}CaptureSetup.

Here are some common pitfalls:

* You may need special privileges to start a live capture.

* You need to choose the right network interface to capture packet data from.

* You need to capture at the right place in the network to see the traffic you
  want to see.

If you have any problems setting up your capture environment you should have a
look at the guide mentioned above.

[[ChCapCapturingSection]]

=== Start Capturing

The following methods can be used to start capturing packets with Wireshark:

* You can double-click on an interface in the <<ChCapInterfaceSection,welcome screen>>.

* You can select an interface in the <<ChCapInterfaceSection,welcome screen>>, then select menu:Capture[Start] or click the first toolbar button.

* You can get more detailed information about available interfaces using <<ChCapCaptureOptions>> (menu:Capture[Options...]).

* If you already know the name of the capture interface you can start Wireshark from the command line:
--
----
$ wireshark -i eth0 -k
----
--
This will start Wireshark capturing on interface `eth0`. More details can be found at <<ChCustCommandLine>>.

[[ChCapInterfaceSection]]

=== The “Capture” Section Of The Welcome Screen

When you open Wireshark without starting a capture or opening a capture file it will display the “Welcome Screen,” which lists any recently opened capture files and available capture interfaces.
Network activity for each interface will be shown in a sparkline next to the interface name.
It is possible to select more than one interface and capture from them simultaneously.

[[ChCapCaptureInterfacesMainWin32]]

.Capture interfaces on Microsoft Windows
image::wsug_graphics/ws-capture-interfaces-main-win32.png[{screenshot-attrs}]

[[ChCapCaptureInterfacesMainMacos]]

.Capture interfaces on macOS
image::wsug_graphics/ws-capture-interfaces-main-macos.png[{screenshot-attrs}]

Some interfaces allow or require configuration prior to capture.
This will be indicated by a configuration icon
(image:wsug_graphics/toolbar/x-capture-options.png[height=16,width=16])
to the left of the interface name.
Clicking on the icon will show the configuration dialog for that interface.

Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter.

Wireshark isn't limited to just network interfaces -- on most systems you can also capture USB, Bluetooth, and other types of packets.
Note also that an interface might be hidden if it’s inaccessible to Wireshark or if it has been hidden as described in <<ChManageInterfacesSection>>.

[[ChCapCaptureOptions]]

=== The “Capture Options” Dialog Box

When you select menu:Capture[Options...] (or use the corresponding item in the
main toolbar), Wireshark pops up the “Capture Options” dialog box as shown in
<<ChCapCaptureOptionsDialog>>.
If you are unsure which options to choose in this dialog box, leaving the default settings as they are should work well in many cases.

[[ChCapCaptureOptionsDialog]]
.The “Capture Options” input tab
image::wsug_graphics/ws-capture-options.png[{screenshot-attrs}]

The “Input” tab contains the “Interface” table, which shows the following columns:

Interface::
The interface name.

Traffic::
A sparkline showing network activity over time.

Link-layer Header::
The type of packet captured by this interface.
In some cases it is possible to change this.
See <<ChCapLinkLayerHeader>> for more details.

Promiscuous::
Lets you put this interface in promiscuous mode while capturing.
Note that another application might override this setting.

Snaplen::
The snapshot length, or the number of bytes to capture for each packet.
You can set an explicit length if needed, e.g. for performance or privacy reasons.

Buffer::
The size of the kernel buffer that is reserved for capturing packets.
You can increase or decrease this as needed, but the default is usually sufficient.

Monitor Mode::
Lets you capture full, raw 802.11 headers.
Support depends on the interface type, hardware, driver, and OS.
Note that enabling this might disconnect you from your wireless network.

Capture Filter::
The capture filter applied to this interface.
You can edit the filter by double-clicking on it.
See <<ChCapCaptureFilterSection>> for more details about capture filters.

Hovering over an interface or expanding it will show any associated IPv4 and IPv6 addresses.

If “Enable promiscuous mode on all interfaces” is enabled, the individual promiscuous mode settings above will be overridden.

“Capture filter for selected interfaces” can be used to set a filter for more than one interface at the same time.

btn:[Manage Interfaces] opens the <<ChCapManageInterfacesDialog>> where pipes can be defined, local interfaces scanned or hidden, or remote interfaces added.

btn:[Compile Selected BPFs] opens <<ChCapCompiledFilterOutputDialog>>, which shows you the compiled bytecode for your capture filter.
This can help to better understand the capture filter you created.


[TIP]
.Linux power user tip
====
The execution of BPFs can be sped up on Linux by turning on BPF Just In Time compilation by executing

----
$ echo 1 >/proc/sys/net/core/bpf_jit_enable
----

if it is not enabled already. To make the change persistent you can use
link:{sysfs-main-url}[sysfsutils].
====

.The “Capture Options” output tab
image::wsug_graphics/ws-capture-options-output.png[{screenshot-attrs}]

The “Output” tab shows the following information:

Capture to a permanent file::

File:::
This field allows you to specify the file name that will be used for the capture file.
It is left blank by default.
If left blank, the capture data will be stored in a temporary file.
See <<ChCapCaptureFiles>> for details.
You can also click on the button to the right of this field to browse through the filesystem.

Output format:::
Allows you to set the format of the capture file.
pcapng is the default and is more flexible than pcap.
pcapng might be required, e.g. if more than one interface is chosen for capturing.
See {wireshark-wiki-url}Development/PcapNg for more details on pcapng.

Create a new file automatically...::
Sets the conditions for switching to a new capture file.
A new capture file can be created based on the following conditions:
* The number of packets in the capture file.
* The size of the capture file.
* The duration of the capture file.
* The wall clock time.

Use a ring buffer with::
Multiple files only.
Form a ring buffer of the capture files with the given number of files.

More details about capture files can be found in <<ChCapCaptureFiles>>.

.The “Capture Options” options tab
image::wsug_graphics/ws-capture-options-options.png[{screenshot-attrs}]

The “Options” tab shows the following information:

Display Options::

Update list of packets in real-time:::
Updates the packet list pane in real time during capture.
If you do not enable this, Wireshark will not display any packets until you stop the capture.
When you check this, Wireshark captures in a separate process and feeds the captures to the display process.

Automatically scroll during live capture:::
Scroll the packet list pane as new packets come in, so you are always looking at the most recent packet.
If you do not specify this Wireshark adds new packets to the packet list but does not scroll the packet list pane.
This option is greyed out if “Update list of packets in real-time” is disabled.

Show capture information during capture:::
If this option is enabled, the capture information dialog described in <<ChCapRunningSection>> will be shown while packets are captured.

Name Resolution::

Resolve MAC addresses:::
Translate MAC addresses into names.

Resolve network names:::
Translate network addresses into names.

Resolve transport names:::
Translate transport names (port numbers).

See <<ChAdvNameResolutionSection>> for more details on each of these options.

Stop capture automatically after...::

Capturing can be stopped based on the following conditions:

* The number of packets in the capture file.
* The number of capture files.
* The capture file size.
* The capture file duration.

You can click btn:[Start] from any tab to commence the capture or btn:[Cancel] to apply your changes and close the dialog.

[[ChManageInterfacesSection]]

=== The “Manage Interfaces” Dialog Box

[[ChCapManageInterfacesDialog]]
.The “Manage Interfaces” dialog box
image::wsug_graphics/ws-manage-interfaces.png[{screenshot-attrs}]

The “Manage Interfaces” dialog box initially shows the “Local Interfaces” tab, which lets you manage the following:

Show::
Whether to show or hide this interface in the welcome screen and the “Capture Options” dialog.

Friendly Name::
A name for the interface that is human readable.

Interface Name::
The device name of the interface.

Comment::
Can be used to add a descriptive comment for the interface.

// [[ChCapManageInterfacesPipesDialog]]

// .The “Pipes” tab
// image::wsug_graphics/ws-capture-options-manage-interfaces-pipes.png[{screenshot-attrs}]

The “Pipes” tab lets you capture from a named pipe.
To successfully add a pipe, its associated named pipe must have already been created.
Click btn:[{plus}] and type the name of the pipe including its path.
Alternatively, btn:[Browse] can be used to locate the pipe.

To remove a pipe from the list of interfaces, select it and press btn:[-].

// [[ChCapManageInterfacesDialog]]

// === The “Add New Interfaces” dialog box

// As a central point to manage interfaces this dialog box consists of three tabs
// to add or remove interfaces.
295 296// .The “Add New Interfaces” dialog box 297// image::wsug_graphics/ws-capture-options-manage-interfaces.png[{screenshot-attrs}] 298 299// ==== Add or hide local interfaces 300 301// [[ChCapManageInterfacesLocalDialog]] 302// .The “Add New Interfaces - Local Interfaces” dialog box 303// image::wsug_graphics/ws-capture-options-manage-interfaces-local.png[{screenshot-attrs}] 304 305// The tab “Local Interfaces” contains a list of available local interfaces, 306// including the hidden ones, which are not shown in the other lists. 307 308// If a new local interface is added, for example, a wireless interface has been 309// activated, it is not automatically added to the list to prevent the constant 310// scanning for a change in the list of available interfaces. To renew the list a 311// rescan can be done. 312 313// One way to hide an interface is to change the preferences. If the “Hide” 314// checkbox is activated and the btn:[Apply] button clicked, the interface will 315// not be seen in the lists of the “Capture Interfaces” dialog box any more. The 316// changes are also saved in the `preferences` file. 317 318// ==== Add or hide remote interfaces 319 320// [[ChCapManageInterfacesRemoteDialog]] 321// .The “Add New Interfaces - Remote Interfaces” dialog box 322// image::wsug_graphics/ws-capture-options-manage-interfaces-remote.png[{screenshot-attrs}] 323 324On Microsoft Windows, the “Remote Interfaces” tab lets you capture from an interface on a different machine. 325The Remote Packet Capture Protocol service must first be running on the target platform before Wireshark can connect to it. 326 327On Linux or Unix you can capture (and do so more securely) through an SSH tunnel. 328 329To add a new remote capture interface, click btn:[{plus}] and specify the following: 330 331Host:: 332The IP address or host name of the target platform where the Remote Packet Capture Protocol service is listening. 
The drop down list contains the hosts that have previously been successfully contacted.
The list can be emptied by choosing “Clear list” from the drop down list.

Port::
Set the port number on which the Remote Packet Capture Protocol service is listening.
Leave blank to use the default port (2002).

Null authentication::
Select this if you don’t need authentication to take place for a remote capture to be started.
This depends on the target platform.
This is exactly as secure as it appears, i.e. it is not secure at all.

Password authentication::
Lets you specify the username and password required to connect to the Remote Packet Capture Protocol service.

Each interface can optionally be hidden.
In contrast to the local interfaces they are not saved in the `preferences` file.

[NOTE]
====
Make sure you have outside access to port 2002 on the target platform.
This is the default port used by the Remote Packet Capture Protocol service.
====

To remove a host including all its interfaces from the list, select it and click the btn:[-] button.

// To access the Remote Capture Interfaces dialog use the “Remote Interfaces” tab of the “Manage Interfaces” dialog. See <<ChCapManageInterfacesRemoteDialog>> and select btn:[Add].

// [[ChCapInterfaceRemoteDialog]]
// .The “Remote Capture Interfaces” dialog box
// image::wsug_graphics/ws-capture-options-manage-interfaces-remote-plus.png[{screenshot-attrs}]


// ==== Remote Capture Settings

// The remote capture can be further fine tuned to match your situation. The
// btn:[Remote Interfaces] button in <<ChCapManageInterfacesDialog>> gives
// you this option. It pops up the dialog shown in
// <<ChCapInterfaceRemoteSettingsDialog>>.
372 373// [[ChCapInterfaceRemoteSettingsDialog]] 374// .The “Remote Capture Settings” dialog box 375// image::wsug_graphics/ws-capture-options-remote-settings.png[{screenshot-attrs}] 376 377// You can set the following parameters in this dialog: 378 379// _Do not capture own RPCAP traffic_:: 380// This option sets a capture filter so that the traffic flowing back from the 381// Remote Packet Capture Protocol service to Wireshark isn’t captured as well and 382// also send back. The recursion in this saturates the link with duplicate traffic. 383// + 384// You only should switch this off when capturing on an interface other than the 385// interface connecting back to Wireshark. 386 387// _Use UDP for data transfer_:: 388// Remote capture control and data flows over a TCP connection. This option allows 389// you to choose an UDP stream for data transfer. 390 391// _Sampling option None_:: 392// This option instructs the Remote Packet Capture Protocol service to send back 393// all captured packets which have passed the capture filter. This is usually not a 394// problem on a remote capture session with sufficient bandwidth. 395 396// _Sampling option 1 of x packets_:: 397// This option limits the Remote Packet Capture Protocol service to send only a sub 398// sampling of the captured data, in terms of number of packets. This allows 399// capture over a narrow band remote capture session of a higher bandwidth 400// interface. 401 402 403// _Sampling option 1 every x milliseconds_:: 404// This option limits the Remote Packet Capture Protocol service to send only a sub 405// sampling of the captured data in terms of time. This allows capture over a 406// narrow band capture session of a higher bandwidth interface. 
407 408// [[ChCapInterfaceDetailsSection]] 409 410// === The “Interface Details” dialog box 411 412// When you select Details from the Capture Interface menu, Wireshark pops up the 413// “Interface Details” dialog box as shown in <<ChCapInterfaceDetailsDialog>>. This 414// dialog shows various characteristics and statistics for the selected interface. 415 416// [NOTE] 417// .Microsoft Windows only 418// ==== 419// This dialog is only available on Microsoft Windows 420// ==== 421 422// [[ChCapInterfaceDetailsDialog]] 423// .The “Interface Details” dialog box 424// image::wsug_graphics/ws-capture-interface-details.png[{screenshot-attrs}] 425 426[[ChCapCompiledFilterOutputSection]] 427 428=== The “Compiled Filter Output” Dialog Box 429 430This figure shows the results of compiling the BPF filter for the selected interfaces. 431 432[[ChCapCompiledFilterOutputDialog]] 433 434.The “Compiled Filter Output” dialog box 435image::wsug_graphics/ws-capture-options-compile-selected-bpfs.png[{medium-screenshot-attrs}] 436 437In the list on the left the interface names are listed. 438The results of compiling a filter for the selected interface are shown on the right. 439 440[[ChCapCaptureFiles]] 441 442=== Capture files and file modes 443 444While capturing the underlying libpcap capturing engine will grab the packets 445from the network card and keep the packet data in a (relatively) small kernel 446buffer. This data is read by Wireshark and saved into a capture file. 447 448By default Wireshark saves packets to a temporary file. You can also tell 449Wireshark to save to a specific (“permanent”) file and switch to a 450different file after a given time has elapsed or a given number of packets 451have been captured. These options are controlled in the “Output” tab in 452the “Capture Options” dialog. 

[[ChCapCaptureOptionsOutputDialog]]
.Capture output options
image::wsug_graphics/ws-capture-options-output.png[{screenshot-attrs}]

[TIP]
====
Working with large files (several hundred MB) can be quite slow. If you plan to do
a long term capture or capture from a high traffic network, think about using
one of the “Multiple files” options. This will spread the captured packets over
several smaller files which can be much more pleasant to work with.
====

Using the “Multiple files” option may cut context related information. Wireshark keeps
context information of the loaded packet data, so it can report context related
problems (like a stream error) and keeps information about context related
protocols (e.g. where data is exchanged at the establishing phase and only
referred to in later packets). As it keeps this information only for the loaded
file, using one of the multiple file modes may cut these contexts. If the
establishing phase is saved in one file and the things you would like to see are
in another, you might not see some of the valuable context related information.

Information about the folders used for capture files can be found in
<<AppFiles>>.

[[ChCapTabCaptureFiles]]
.Capture file mode selected by capture options
[options="header",cols="2,2,2,3,5"]
|===
|File Name|“Create a new file...”|“Use a ring buffer...”|Mode|Resulting filename(s) used
|-|-|-|Single temporary file|wiresharkXXXXXX (where XXXXXX is a unique number)
|foo.cap|-|-|Single named file|foo.cap
|foo.cap|x|-|Multiple files, continuous|foo_00001_20210714110102.cap, foo_00002_20210714110318.cap, ...
|foo.cap|x|x|Multiple files, ring buffer|foo_00001_20210714110102.cap, foo_00002_20210714110318.cap, ...
|===

Single temporary file::
A temporary file will be created and used (this is the default).
After capturing is stopped this file can be saved later under a user specified name.

Single named file::
A single capture file will be used.
If you want to place the new capture file in a specific folder choose this mode.

Multiple files, continuous::
Like the “Single named file” mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the “Next file every...” values).

Multiple files, ring buffer::
Much like “Multiple files continuous”, reaching one of the multiple files switch
conditions (one of the “Next file every ...” values) will switch to the next
file. This will be a newly created file if the value of “Ring buffer with n files”
is not reached, otherwise it will replace the oldest of the formerly used files
(thus forming a “ring”).
+
This mode will limit the maximum disk usage, even for an unlimited amount of
capture input data, only keeping the latest captured data.

[[ChCapLinkLayerHeader]]

=== Link-layer header type

In most cases you won’t have to modify the link-layer header type. Some exceptions
are as follows:

If you are capturing on an Ethernet device you might be offered a choice of
“Ethernet” or “DOCSIS”. If you are capturing traffic from a Cisco Cable
Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be
captured, select “DOCSIS”, otherwise select “Ethernet”.

If you are capturing on an 802.11 device on some versions of BSD you might be
offered a choice of “Ethernet” or “802.11”. “Ethernet” will cause the
captured packets to have fake (“cooked”) Ethernet headers. “802.11” will
cause them to have full IEEE 802.11 headers. Unless the capture needs to be read
by an application that doesn’t support 802.11 headers you should select
“802.11”.

If you are capturing on an Endace DAG card connected to a synchronous serial
line you might be offered a choice of “PPP over serial” or “Cisco HDLC”. If
the protocol on the serial line is PPP, select “PPP over serial” and if the
protocol on the serial line is Cisco HDLC, select “Cisco HDLC”.

If you are capturing on an Endace DAG card connected to an ATM network you might
be offered a choice of “RFC 1483 IP-over-ATM” or “Sun raw ATM”. If the only
traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture needs
to be read by an application that doesn’t support SunATM headers, select “RFC
1483 IP-over-ATM”, otherwise select “Sun raw ATM”.

[[ChCapCaptureFilterSection]]

=== Filtering while capturing

Wireshark supports limiting the packet capture to packets that match a
_capture filter_. Wireshark capture filters are written in the
libpcap filter language. Below is a brief overview of the libpcap filter
language's syntax. Complete documentation can be found at
the link:{pcap-filter-man-page-url}[pcap-filter man page]. You can find
many Capture Filter examples at {wireshark-wiki-url}CaptureFilters.

You enter the capture filter into the “Filter” field of the Wireshark
“Capture Options” dialog box, as shown in <<ChCapCaptureOptionsDialog>>.

A capture filter takes the form of a series of primitive expressions connected
by conjunctions (__and/or__) and optionally preceded by __not__:

----
[not] primitive [and|or [not] primitive ...]
----

An example is shown in <<ChCapExFilt1>>.

[[ChCapExFilt1]]
.A capture filter for telnet that captures traffic to and from a particular host
====
----
tcp port 23 and host 10.0.0.5
----
====

This example captures telnet traffic to and from the host 10.0.0.5, and shows
how to use two primitives and the __and__ conjunction.
Another example is shown
in <<ChCapExFilt2>>, and shows how to capture all telnet traffic except that
from 10.0.0.5.

[[ChCapExFilt2]]
.Capturing all telnet traffic not from 10.0.0.5
====
----
tcp port 23 and not src host 10.0.0.5
----
====

// XXX - add examples to the following list.

A primitive is simply one of the following:

[src|dst] host <host>::
This primitive allows you to filter on a host IP address or name. You can
optionally precede the primitive with the keyword _src|dst_ to specify that you
are only interested in source or destination addresses. If these are not
present, packets where the specified address appears as either the source or the
destination address will be selected.

ether [src|dst] host <ehost>::
This primitive allows you to filter on Ethernet host addresses. You can
optionally include the keyword _src|dst_ between the keywords _ether_ and _host_
to specify that you are only interested in source or destination addresses. If
these are not present, packets where the specified address appears in either the
source or destination address will be selected.

gateway host <host>::
This primitive allows you to filter on packets that used _host_ as a gateway.
That is, where the Ethernet source or destination was _host_ but neither the
source nor destination IP address was _host_.

[src|dst] net <net> [{mask <mask>}|{len <len>}]::
This primitive allows you to filter on network numbers. You can optionally
precede this primitive with the keyword _src|dst_ to specify that you are only
interested in a source or destination network. If neither of these are present,
packets will be selected that have the specified network in either the source or
destination address. In addition, you can specify either the netmask or the CIDR
prefix for the network if they are different from your own.


[tcp|udp] [src|dst] port <port>::
This primitive allows you to filter on TCP and UDP port numbers. You can
optionally precede this primitive with the keywords _src|dst_ and _tcp|udp_
which allow you to specify that you are only interested in source or destination
ports and TCP or UDP packets respectively. The keywords _tcp|udp_ must appear
before _src|dst_.
+
If these are not specified, packets will be selected for both the TCP and UDP
protocols and when the specified port appears in either the source or
destination port field.

less|greater <length>::
This primitive allows you to filter on packets whose length was less than or
equal to the specified length, or greater than or equal to the specified length,
respectively.

ip|ether proto <protocol>::
This primitive allows you to filter on the specified protocol at either the
Ethernet layer or the IP layer.

ether|ip broadcast|multicast::
This primitive allows you to filter on either Ethernet or IP broadcasts or
multicasts.

<expr> relop <expr>::
This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets.
Please see the pcap-filter man page at {pcap-filter-man-page-url} for more details.


[[ChCapCaptureAutoFilterSection]]

==== Automatic Remote Traffic Filtering

If Wireshark is running remotely (using e.g. SSH, an exported X11 window, a
terminal server, ...), the remote content has to be transported over the
network, adding a lot of (usually unimportant) packets to the actually
interesting traffic.

To avoid this, Wireshark tries to figure out if it’s remotely connected (by
looking at some specific environment variables) and automatically creates a
capture filter that matches aspects of the connection.
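
The filter grammar described above, and the remote-session exclusion this subsection describes, as one added Python example that is not part of this guide and not Wireshark's or libpcap's code: a small recursive-descent evaluator for the `host`, `net`, `port`, `less`/`greater`, `not`/`and`/`or` and parenthesised forms, run against hand-built packet records, plus `remote_exclusion_filter()`, which turns the `SSH_CONNECTION` / `SSH_CLIENT` layouts documented in this subsection into a filter. The packets, the address `203.0.113.9` and the port numbers are constructed, and the exact filter derived from the environment is an assumption of the example, not Wireshark's actual implementation.

```python
"""Toy evaluator for the capture-filter grammar (constructed example).

Handles [src|dst] host, [src|dst] net <cidr>, [tcp|udp] [src|dst] port,
less/greater, not/and/or and parentheses against hand-built packet records.
It is NOT libpcap and produces no BPF bytecode.  remote_exclusion_filter()
is an assumed derivation from SSH_CONNECTION/SSH_CLIENT, not Wireshark's.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]      # keys: proto, src, dst, sport, dport, len
Pred = Callable[[Packet], bool]


def _and(l: Pred, r: Pred) -> Pred: return lambda p: l(p) and r(p)
def _or(l: Pred, r: Pred) -> Pred: return lambda p: l(p) or r(p)


class FilterParser:
    """Recursive descent: 'not' binds tightest, then 'and', then 'or'."""

    def __init__(self, text: str):
        self.toks = text.replace("(", " ( ").replace(")", " ) ").split()
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        if self.peek() is None:
            raise SyntaxError("unexpected end of filter")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self) -> Pred:
        pred = self.expr()
        if self.peek() is not None:
            raise SyntaxError(f"trailing token {self.peek()!r}")
        return pred

    def expr(self) -> Pred:                 # expr := term ('or' term)*
        left = self.term()
        while self.peek() == "or":
            self.take()
            left = _or(left, self.term())
        return left

    def term(self) -> Pred:                 # term := factor ('and' factor)*
        left = self.factor()
        while self.peek() == "and":
            self.take()
            left = _and(left, self.factor())
        return left

    def factor(self) -> Pred:               # 'not' factor | '(' expr ')' | primitive
        if self.peek() == "not":
            self.take()
            inner = self.factor()
            return lambda p: not inner(p)
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise SyntaxError("expected ')'")
            return inner
        return self.primitive()

    def primitive(self) -> Pred:
        proto = self.take() if self.peek() in ("tcp", "udp") else None      # tcp|udp before src|dst
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.take()
        if kind == "host" and proto is None:
            addr = ipaddress.ip_address(self.take())
            return self._sided(direction, ("src", "dst"), lambda v: ipaddress.ip_address(v) == addr)
        if kind == "net" and proto is None:
            net = ipaddress.ip_network(self.take(), strict=False)
            return self._sided(direction, ("src", "dst"), lambda v: ipaddress.ip_address(v) in net)
        if kind == "port":
            port = int(self.take())
            protos = (proto,) if proto else ("tcp", "udp")   # unqualified: both TCP and UDP
            return self._sided(direction, ("sport", "dport"), lambda v: v == port, protos)
        if kind in ("less", "greater") and proto is None and direction is None:
            n = int(self.take())
            return (lambda p: p["len"] <= n) if kind == "less" else (lambda p: p["len"] >= n)
        raise SyntaxError(f"unsupported primitive near {kind!r}")

    @staticmethod
    def _sided(direction, keys, test, protos=None) -> Pred:
        # 'src' checks the source field only, 'dst' the destination only,
        # neither means "either side", as the host/net/port descriptions state.
        use = {"src": keys[:1], "dst": keys[1:]}.get(direction, keys)

        def pred(p: Packet) -> bool:
            if protos is not None and p["proto"] not in protos:
                return False
            return any(test(p[k]) for k in use)
        return pred


def apply_filter(text: str, packets: List[Packet]) -> List[Packet]:
    pred = FilterParser(text).parse()
    return [p for p in packets if pred(p)]


def remote_exclusion_filter(env: Dict[str, str]) -> str:
    """Filter that drops the packets of our own SSH session, or "" when not remote.
    Assumed derivation (not Wireshark's code) from the documented variable layouts."""
    if "SSH_CONNECTION" in env:             # <remote IP> <remote port> <local IP> <local port>
        remote_ip, remote_port, _local_ip, local_port = env["SSH_CONNECTION"].split()
    elif "SSH_CLIENT" in env:               # <remote IP> <remote port> <local port>
        remote_ip, remote_port, local_port = env["SSH_CLIENT"].split()
    else:
        return ""
    return f"not (host {remote_ip} and tcp port {remote_port} and tcp port {local_port})"


# Constructed packets: a telnet exchange with 10.0.0.5, telnet from another host,
# a UDP datagram to port 23, and the SSH session that carries this very display.
PACKETS: List[Packet] = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 40001, "dport": 23, "len": 74},
    {"proto": "tcp", "src": "10.0.0.1", "dst": "10.0.0.5", "sport": 23, "dport": 40001, "len": 66},
    {"proto": "tcp", "src": "10.0.0.7", "dst": "10.0.0.1", "sport": 40002, "dport": 23, "len": 74},
    {"proto": "udp", "src": "10.0.0.5", "dst": "10.0.0.1", "sport": 5353, "dport": 23, "len": 90},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.1", "sport": 48212, "dport": 22, "len": 1500},
]
ENV = {"SSH_CONNECTION": "203.0.113.9 48212 10.0.0.1 22"}   # constructed environment

if __name__ == "__main__":
    for f in ("tcp port 23 and host 10.0.0.5", "tcp port 23 and not src host 10.0.0.5",
              remote_exclusion_filter(ENV)):
        print(f"{f!r}: {len(apply_filter(f, PACKETS))} of {len(PACKETS)} packets")
```

Running it with the two filters from <<ChCapExFilt1>> and <<ChCapExFilt2>> selects two packets each, and the derived exclusion filter keeps every packet except the SSH session's own, which is the feedback loop the automatic filter exists to prevent. Note that the evaluator, like libpcap, treats an unqualified `port` as matching both TCP and UDP, so the UDP datagram to port 23 is only dropped once `tcp` qualifies the primitive.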

The following environment variables are analyzed:

`SSH_CONNECTION` (ssh)::
<remote IP> <remote port> <local IP> <local port>

`SSH_CLIENT` (ssh)::
<remote IP> <remote port> <local port>

`REMOTEHOST` (tcsh, others?)::
<remote name>

`DISPLAY` (x11)::
[remote name]:<display num>

`SESSIONNAME` (terminal server)::
<remote name>

On Windows it asks the operating system if it’s running in a Remote Desktop Services environment.

[[ChCapRunningSection]]

=== While a Capture is running ...

You might see the following dialog box while a capture is running:

[[ChCapCaptureInfoDialog]]
.The “Capture Information” dialog box
image::wsug_graphics/ws-capture-info.png[{small-screenshot-attrs}]

This dialog box shows a list of protocols and their activity over time.
It can be enabled via the “capture.show_info” setting in the “Advanced”
preferences.

[[ChCapStopSection]]

==== Stop the running capture

A running capture session will be stopped in one of the following ways:

. The btn:[Stop Capture] button in the “Capture Information” dialog box.

. The menu:Capture[Stop] menu item.

. The btn:[Stop] toolbar button.

. Pressing kbd:[Ctrl+E].

. The capture will be automatically stopped if one of the _Stop Conditions_ is
  met, e.g. the maximum amount of data was captured.

[[ChCapRestartSection]]

==== Restart a running capture

A running capture session can be restarted with the same capture options as the
last time; this will remove all packets previously captured. This can be useful
if some uninteresting packets are captured and there’s no need to keep them.

Restart is a convenience function and equivalent to a capture stop followed by
an immediate capture start. A restart can be triggered in one of the following
ways:

. Using the menu:Capture[Restart] menu item.

. Using the btn:[Restart] toolbar button.

// End of WSUG Chapter Capture