Cisco Networking: Wireshark Data Filters
As a Cisco administrator, unless you establish filters the network protocol analysis tool, Wireshark, will capture everything it sees and keeps which can be a huge amount of data. You have a couple of options for filtering data. You can filter the data packets while you are capturing them, which reduces the amount of data you capture; or you can filter the displayed data, which cuts down what you see on the screen. You can set the capture filter on the Capture Options dialog box as shown in the following figure. Options include
Capture Filter: Using standard tcpdump options, such as tcp port 80 and host 192.168.1.5, to filter captured data, you can greatly reduce the amount of data that you capture. This is a great option if you want to capture data over a day or a week because the resulting capture file is much more manageable.
Capture File(s): If you want to be able to review your capture data at a later date, you can choose to capture the data into one or more files. The Capture Files(s) section of the Capture Options dialog box allows you to specify your file options.
File: In the File field, simply specify the file path and name where you want to save your capture data. You can also use the Browse button to browse to it directly and specify a filename to use. Capture files should be saved with the extension of .cap.
Use Multiple Files: To keep file sizes down, you can specify to use multiple files by selecting this check box. After you have done that, you can then choose to create new files based on the size of the file or a period of time.
Ring Buffer: If you have a recurring incident that you are troubleshooting, and the problem will likely occur over the next 24 hours, then you can make use of the ring buffer. You would still set your multiple files option and specify to use a new file after an amount of data is captured or when a period of time has passed.
When all files are full, it will loop back to the first file and start overwriting the saved capture files. The benefit of this is that when your random network incident happens, you can stop the capture process, and you will have the most current network capture leading up to the incident. This is helpful when troubleshooting this type of intermittent problem.
This option allows you to review the data that occurred in the most recent period of time and have a predictable size for the files.
Stop Capture: Have the capture automatically stop after:
A certain number of packets have been captured.
A certain amount of data has been received, or when the capture file has reached a specified size.
A period of time has passed.