Often when I'm using Wireshark, I don't need to capture the contents of the frame. I'm just making sure traffic is flowing, and maybe checking a few flags (FIN, ACK, etc.). Yet the default setting is to capture everything (filtered) the NIC sees, which can fill the HD pretty fast.
Is there a setting so I can see just the summary lines, without capturing the contents?
I don't need to capture the contents of the frame ... I'm just making sure traffic is flowing, and maybe checking a few flags (FIN, ACK, etc.)
So you need the TCP header (and the packet data that goes before the TCP header). A typical IPv4 header is 20 bytes long, as is a typical TCP header, so, on Ethernet, you typically need to capture the first 54 bytes of the packet. For IPv6, a typical header is 40 bytes long, so that, on Ethernet, you typically need the first 74 bytes. However, IPv4 and TCP headers might have options, and the IPv6 header might have extension headers, so capturing 68 bytes for IPv4 or 96 bytes for IPv4-or-IPv6 might be better.
For other networks, you'd have to adjust the value based on the link-layer header length. For 802.11 when not in monitor mode, you'll get "fake Ethernet" headers, so the values used for Ethernet will work; for 802.11 in monitor mode, you might have a "radiotap" header or other "radio metadata" header, so you'd have to look at captures on your machine to see how big the 802.11 header + radio metadata header would be.
Once you know what "snapshot length" you should use, you can specify it in the "Limit each packet to [ ... ] bytes" field of the interface options in Wireshark 1.8 and later, or in the "Capture Options" dialog prior to 1.8.
Wireshark will still show whatever packet details it can given the limited amount of packet data captured, so you won't see only the summary lines. You will, however, get less data per packet, saving disk space.
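The snapshot-length arithmetic in the answer above, as an added example that is not part of the original answer: it truncates constructed Ethernet/IPv4/TCP frames to a given snaplen and reports whether the TCP flags are still readable. The function names and sample frames are assumptions made for the illustration; IPv6 extension headers and VLAN tags are not handled.

```python
import struct

ETH_LEN = 14                      # Ethernet II header, no VLAN tag
FLAGS = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]

def tcp_offset(frame):
    """Offset of the TCP header in an Ethernet frame, or None if not TCP / cut too short."""
    if len(frame) < ETH_LEN + 1:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800 and len(frame) >= ETH_LEN + 20:      # IPv4
        ihl = (frame[ETH_LEN] & 0x0F) * 4                       # header length incl. options
        return ETH_LEN + ihl if frame[ETH_LEN + 9] == 6 else None
    if ethertype == 0x86DD and len(frame) >= ETH_LEN + 40:      # IPv6 fixed header only
        return ETH_LEN + 40 if frame[ETH_LEN + 6] == 6 else None
    return None

def tcp_flags(frame):
    """Flag names readable from a (possibly truncated) frame, or None if cut before them."""
    off = tcp_offset(frame)
    if off is None or len(frame) < off + 14:   # flags byte sits at TCP offset 13
        return None
    bits = frame[off + 13]
    return [name for i, name in enumerate(FLAGS) if bits & (1 << i)]

def build_ipv4_tcp(flags, ip_options=b"", payload=b""):
    """Constructed sample frame (not real traffic): Ethernet + IPv4 + TCP."""
    ihl = 20 + len(ip_options)
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl // 4), 0, ihl + 20 + len(payload),
                     0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 12345, 443, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + ip_options + tcp + payload

if __name__ == "__main__":
    plain = build_ipv4_tcp(0x11, payload=b"x" * 1400)                      # FIN+ACK
    with_opts = build_ipv4_tcp(0x12, ip_options=bytes(12), payload=b"x" * 1400)  # SYN+ACK
    for snaplen in (54, 68, 96):
        # Slicing to snaplen mimics what a limited capture stores on disk
        print(snaplen, tcp_flags(plain[:snaplen]), tcp_flags(with_opts[:snaplen]))
```

With 12 bytes of IPv4 options the flags byte moves past offset 54, which is the case the larger 68- and 96-byte values cover.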