
Capturing Traffic on WireShark

Introduction

Capturing network traffic effectively is a foundational skill in network analysis. This post demystifies the process of packet capture using Wireshark, focusing on interface selection, configuration, and best practices.

This is a reference page; for the full walkthrough, please see the video by Chris here:

Wireshark Tutorial for BEGINNERS // How to Capture Network Traffic – YouTube

Understanding Packet Drivers and Interfaces

  1. Identifying Your Packet Driver:
    • On macOS: Navigate to Wireshark > About Wireshark. Look under the operating system details to identify the packet driver (e.g., libpcap version).
    • On Windows: Go to Help > About Wireshark. Here, you’ll typically find the Npcap library being used.
  2. Recognising Interfaces:
    • When you open Wireshark, you’ll see a list of network interfaces.
    • These interfaces can be physical (like Wi-Fi or Ethernet) or virtual (created by VPNs or network simulation tools).
    • Activity on these interfaces is indicated by real-time graphs.

Configuring Capture Options

  1. Accessing Capture Options: Click the setup gear icon in Wireshark to open capture options.
  2. Managing Interfaces:
    • In ‘Capture Options’, choose ‘Manage Interfaces’.
    • Select only the interfaces you frequently use to simplify your interface list.

Setting Snap Length and Buffer Size

  1. Snap Length Configuration:
    • Set the snap length to capture only the first N bytes of each frame (e.g., the first 64 bytes). Wireshark still records each frame's original length, but stores only the captured bytes. This is useful in secure environments where capturing entire payloads is unnecessary or risky.
    • Be cautious to avoid setting the snap length too low, as the frames will be cut off before the headers you need (e.g., TCP options or application-layer headers) and the truncated frames cannot be fully dissected.
  2. Buffer Size:
    • The default buffer size is usually adequate (e.g., 2 MB). Increase this in high-throughput environments.
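The snap-length trade-off above can be checked after the fact. The following is an added example, not code from the original post or from the Wireshark project: it parses the classic libpcap file format (a capture saved in Wireshark's "pcap" format rather than the default pcapng, which needs a different parser), reads the snap length recorded in the file header, and counts the frames whose captured length is shorter than their original length. The sample capture is constructed in memory with a snap length of 64 bytes, so the function names and the sample data are this example's own, not the page's.

```python
import struct

# Magic numbers of the classic libpcap format, as written by a little-endian host.
PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
# The same magics as they read when the file was written big-endian.
PCAP_MAGIC_US_SWAPPED = 0xD4C3B2A1
PCAP_MAGIC_NS_SWAPPED = 0x4D3CB2A1

# Ethernet (14) + IPv4 without options (20) + TCP without options (20).
MIN_SNAPLEN_ETH_IPV4_TCP = 54


def make_sample_pcap(snaplen: int = 64) -> bytes:
    """Build a minimal little-endian pcap file in memory (constructed test data).

    Two Ethernet frames are written: a 60-byte frame that fits inside the snap
    length and a 1514-byte frame that the snap length truncates.
    """
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet).
    header = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, snaplen, 1)
    records = []
    for orig_len in (60, 1514):
        payload = bytes(orig_len)               # contents do not matter for this check
        incl_len = min(orig_len, snaplen)       # what the capture engine actually stored
        # Record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire).
        records.append(struct.pack("<IIII", 1700000000, 0, incl_len, orig_len) + payload[:incl_len])
    return header + b"".join(records)


def inspect_pcap(data: bytes) -> dict:
    """Report the snap length in the file header and how many frames it truncated."""
    if len(data) < 24:
        raise ValueError("file too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (PCAP_MAGIC_US_SWAPPED, PCAP_MAGIC_NS_SWAPPED):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng captures need a different parser)")

    _major, _minor, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24]
    )

    offset = 24
    frames = truncated = bytes_lost = 0
    while offset + 16 <= len(data):
        _ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16]
        )
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("packet record runs past end of file (truncated capture file)")
        offset += incl_len
        frames += 1
        if incl_len < orig_len:
            truncated += 1
            bytes_lost += orig_len - incl_len

    return {
        "snaplen": snaplen,
        "linktype": linktype,
        "frames": frames,
        "truncated_frames": truncated,
        "bytes_lost": bytes_lost,
        # Whether a plain Ethernet/IPv4/TCP header set fits inside the snap length.
        "covers_eth_ipv4_tcp": snaplen >= MIN_SNAPLEN_ETH_IPV4_TCP,
    }


if __name__ == "__main__":
    report = inspect_pcap(make_sample_pcap(snaplen=64))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real capture by replacing `make_sample_pcap(...)` with the bytes of a pcap file; a high `truncated_frames` ratio with `covers_eth_ipv4_tcp` false is the signal that the snap length chosen in Capture Options was too small for the analysis you intended.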

Enabling Promiscuous Mode

  • Always enable promiscuous mode so the network card passes frames not addressed to your device up to Wireshark instead of discarding them. Note that on a switched network you will still only see the traffic the switch forwards to your port (your own unicast plus broadcast and multicast) unless you capture from a SPAN/mirror port or a network TAP; on Wi-Fi, seeing other stations' traffic requires monitor mode, which is a separate setting.

Configuring Output Settings for Efficient Analysis

  1. Setting Output Location and Size:
    • In ‘Capture Options’, go to ‘Output’.
    • Choose a save location and set a base file name for your captures.
    • Configure the file size limit (e.g., 500 MB) to prevent overly large captures that are difficult to analyse.
  2. Using a Ring Buffer:
    • Set up a ring buffer to limit the number of capture files (e.g., 10 files of 500 MB each). This prevents filling up your hard drive and maintains a rolling window of data.
    • Adjust the number of files and size per file based on your storage capacity and network throughput.

Starting a Capture

  • Select your interface and click ‘Start’. Wireshark will begin capturing packets based on your configured settings.
