Packet Capture with Wireshark
Starting a network traffic analysis
Start a new packet capture
Select Start... from the Capture menu (in current Wireshark releases the same capture-options dialog is reached through Capture > Options...).
Select the packet capture options
- Be sure you pick the right network interface: the one actually carrying the traffic you care about.
- On Windows the default selection is often wrong (a virtual, VPN, or otherwise idle adapter rather than the physical card).
- On Windows it helps to look for vendor names, such as 3Com or Intel, in the interface name; on Unix-like systems the names (eth0, en0, wlan0) are usually self-explanatory.
- Most of the time it is best to disable promiscuous mode.
- With promiscuous mode off, the adapter only hands Wireshark frames addressed to its own MAC address plus broadcast and multicast, which helps avoid inadvertently capturing packets other than your own.
- If you are monitoring a connection between two other computers via a hub (or a switch mirror/SPAN port), leave it enabled; otherwise you will see nothing but their broadcasts.
- If you know what traffic you want to capture, give a capture filter in tcpdump (BPF) syntax here, for example "host 192.0.2.10", "tcp port 80", or "not port 22" to keep your own SSH session out of the capture. Unlike a display filter, a capture filter discards non-matching packets for good, so keep it broad until you know what you are looking for.
- Updating the packet list in real time is not strictly necessary, but it is nice to watch the packets arrive.
- Automatic scrolling, however, gets annoying if you start to analyze packets before stopping the capture, because the list keeps jumping to the newest packet.
- Be sure that network name resolution is not enabled.
- Besides taking a painfully long time, resolving IP addresses into DNS names makes the capturing host send reverse DNS queries for every address it sees, which both pollutes the capture with your own lookups and advertises which hosts you are interested in.
- It is also sometimes less distracting to disable MAC name resolution (NIC vendor looked up from the OUI part of the MAC address) as well as transport name resolution (80/tcp becomes www, 53/udp becomes domain, etc.).
- The other options (multiple files, ring buffers, and stop conditions) are there to manage packet captures that will run over long periods of time or on busy connections.
Stopping a packet capture
Stop a packet capture either by (a) clicking Stop in the capture summary window or by (b) clicking the round, red X (Stop) button on the main window toolbar.
Saving packet capture
No shock here. File menu, then Save As...
Packet capture file options
Save your packet captures in the libpcap (pcap) format; it is the format every other capture tool (tcpdump, tshark, Snort, scapy) can read. Note that Wireshark 1.8 and later default to the newer pcapng format when saving, which older tools may not understand, so pick pcap explicitly if the file has to be portable. Packet capture files are typically given a file name extension of .pcap or .tcpd (.pcapng for the newer format).
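To make the file format and the capture-filter behaviour described above concrete, here is a minimal libpcap reader. It is an added example, not code from the original page or from the Wireshark project. It parses the 24-byte global header in either byte order (accepting both the microsecond and nanosecond magic numbers), refuses pcapng files with a hint to re-save as pcap, walks the 16-byte packet records with length checks, decodes Ethernet/IPv4/TCP/UDP headers into purely numeric addresses and ports (no name resolution), and applies the equivalent of a "udp port 53" capture filter. The frames, MAC addresses, and IP addresses it builds are constructed sample data, not captured traffic.

```python
"""Minimal libpcap (.pcap) reader. Added example; not from the page or Wireshark."""
import struct

MAGIC_US = 0xA1B2C3D4        # classic magic: microsecond timestamps
MAGIC_NS = 0xA1B23C4D        # variant magic: nanosecond timestamps
PCAPNG_BLOCK = 0x0A0D0D0A    # pcapng Section Header Block type (same in both byte orders)
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_global_header(data):
    """Return (struct byte-order prefix, timestamp divisor, snaplen, linktype)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    if struct.unpack("<I", data[:4])[0] == PCAPNG_BLOCK:
        raise ValueError("pcapng file, not classic libpcap; re-save it as pcap")
    for endian in ("<", ">"):            # writer's native byte order is recorded by the magic
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (MAGIC_US, MAGIC_NS):
            divisor = 1_000_000 if magic == MAGIC_US else 1_000_000_000
            _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
            return endian, divisor, snaplen, linktype
    raise ValueError("not a libpcap file (magic %s)" % data[:4].hex())


def iter_records(data):
    """Yield (timestamp, original length, captured bytes) for each packet record."""
    endian, divisor, snaplen, linktype = parse_global_header(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is decoded here")
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl > snaplen or incl > orig or off + incl > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        yield sec + frac / divisor, orig, data[off:off + incl]
        off += incl


def summarize(frame):
    """Decode Ethernet/IPv4 headers into (proto, src, sport, dst, dport), numbers only."""
    if len(frame) < 34:
        return ("short", None, None, None, None)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return ("eth:0x%04x" % ethertype, None, None, None, None)
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    proto = PROTO_NAMES.get(frame[23], str(frame[23]))
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in ("tcp", "udp") and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport)
    return (proto, src, None, dst, None)


def matches(summary, proto=None, port=None):
    """Equivalent of a tcpdump-style capture filter such as 'udp port 53'."""
    name, _src, sport, _dst, dport = summary
    if proto is not None and name != proto:
        return False
    if port is not None and port not in (sport, dport):
        return False
    return True


def read_summaries(data, proto=None, port=None):
    """Parse a pcap and return [(timestamp, summary)] for the frames the filter keeps."""
    return [(ts, s) for ts, _orig, frame in iter_records(data)
            if matches(s := summarize(frame), proto, port)]


def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Construct an Ethernet/IPv4/{UDP,TCP} frame (checksums left at zero)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # TCP SYN with a bare 20-byte header
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + l4


def build_pcap(frames, endian="<", nanos=False):
    """Write a libpcap file in the chosen byte order and timestamp resolution."""
    magic = MAGIC_NS if nanos else MAGIC_US
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        frac = 500_000 if nanos else 500   # 0.5 ms expressed in the file's time unit
        out += struct.pack(endian + "IIII", 1_700_000_000 + i, frac, len(frame), len(frame))
        out += frame
    return out


# Constructed sample: a DNS query and reply on 53/udp plus a TCP SYN to 80/tcp.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "192.0.2.53", 17, 40000, 53, b"\x12\x34\x01\x00"),
    build_frame("192.0.2.10", "198.51.100.80", 6, 40001, 80),
    build_frame("192.0.2.53", "192.0.2.10", 17, 53, 40000, b"\x12\x34\x81\x80"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for ts, (proto, src, sport, dst, dport) in read_summaries(SAMPLE_PCAP, proto="udp", port=53):
        print("%.6f %s %s:%s -> %s:%s" % (ts, proto, src, sport, dst, dport))
```

Point read_summaries at the bytes of a real .pcap saved from Wireshark to check that it opens; if it raises the pcapng error, the file was saved in the newer default format and needs to be re-saved as pcap for older tools.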

