Capture Files frame | Lucent Technologies Ethereal instruction

Capturing Live Network Data

	CPU time is required for copying packets, less buffer
	space is required for packets, and thus perhaps fewer
	packets will be dropped if traffic is very heavy.
	• If you don't capture all of the data in a packet, you might
	find that the packet data you want is in the part that's
	dropped, or that reassembly isn't possible as the data re-
	quired for reassembly is missing.
Capture Filter	This field allows you to specify a capture filter. Capture fil-
	ters are discussed in more details in Section 4.8, “Filtering
	while capturing”. It defaults to empty, or no filter.
	You can also click on the button labelled Capture Filter, and
	Ethereal will bring up the Capture Filters dialog box and al-
	low you to create and/or select a filter. Please see Section 6.5,
	“Defining and saving filters”

4.5.2. Capture File(s) frame

An explanation about capture file usage can be found in Section 4.6, “Capture files and file modes”.

File	This field allows you to specify the file name that will be
	used for the capture file. This field is left blank by default. If
	the field is left blank, the capture data will be stored in a tem-
	porary file, see Section 4.6, “Capture files and file modes” for
	details.
	You can also click on the button to the right of this field to
	browse through the filesystem.
Use multiple files	Instead of using a single file, Ethereal will automatically
	switch to a new one, if a specific trigger condition is reached.
Next file every n megabyte(s)	Multiple files only: Switch to the next file after the given
	number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have
	been captured.

Next file every n minute(s)

Multiple files only: Switch to the next file after the given number of second(s)/minutes(s)/hours(s)/days(s) have elapsed.

Ring buffer with n files	Multiple files only: Form a ring buffer of the capture files,
	with the given number of files.
Stop capture after n file(s)	Multiple files only: Stop capturing after switching to the next
	file the given number of times.

4.5.3. Stop Capture... frame

... after n packet(s)	Stop capturing after the given number of packets have been
	captured.
... after n megabytes(s)	Stop	capturing	after	the	given	number	of
	byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been cap-
	tured. This option is greyed out, if "Use multiple files" is se-
	lected.

67

Image 81

Lucent Technologies Ethereal manual Capture Files frame, Stop Capture... frame

Contents

V2.0.2 16376 for Ethereal Ethereal Users Guide Ethereal Users Guide V2.0.2 16376 for Ethereal Page Table of Contents Page Page Page Foreword Preface Who should read this document? Acknowledgements About this document Where to get the latest copy of this document? Providing feedback about this document Preface Xiv Features What is Ethereal?Introduction Some intended purposes Export files for many other capture programs Many protocol decodersOpen Source Software What Ethereal is not Platforms Ethereal runs on UnixLinux Microsoft Windows Where to get Ethereal? Rose by any other name Brief history of Ethereal Development and maintenance of Ethereal FAQ Reporting problems and getting helpWebsite Wiki Mailing Lists Reporting Crashes on UNIX/Linux platforms Reporting Problems Reporting Crashes on Windows platforms Introduction Introduction Building and Installing Ethereal Download all required files Obtaining the source and binary distributions Example 2.1. Building GTK+ from source Before you build Ethereal under Unix Example 2.2. Building and installing libpcap Example 2.5. Installing debs under Debian Unix Building Ethereal from source underPage Installing the binaries under Unix Installing from rpms under RedHat and alikeInstalling from debs under Debian Troubleshooting during the install on Unix Building from source under Windows Install Ethereal Installing Ethereal under Windows Install WinPcap Update Ethereal Update WinPcapUninstall Ethereal Uninstall WinPcap Building and Installing Ethereal User Interface Start Ethereal Main window Main window User Interface Current program state and the captured data Menu Menu Item Accelerator Description Open File menuOpen Recent Merge Save As Menu Item Accelerator Description SaveFile Set List Files Pdml file Menu Item Accelerator Description ExportExport Selec Ted Packet Bytes Edit menu Marking packets for details User Interface View Menu View menu items View menu Seconds Since Beginning of Capture and Seconds Since Fields Time of Day, Date and Time of DayPrevious Packet are mutually exclusive Beginning Zoom Out Menu Item Accelerator Description ZoomNormal Size Resize All Go menu Menu Item Accelerator Description Last Packet Capture menu Saving filters Analyze Menu Analyze menu items Analyze menu TCP Follow Statistics menu items Statistics menu Message 225Types VoIP Calls 10. The Help Menu Help menu items Help menuPage 11. The Main toolbar Main toolbar items Main toolbar Go Forward Go BackFirst Packet Go To Last Pack Tion 9.3, Packet colorization 12. The Filter toolbar Filter toolbar 13. The Packet List pane Packet List pane 14. The Packet Details pane Packet Details pane 15. The Packet Bytes pane Packet Bytes pane 17. The initial Statusbar Statusbar User Interface Capturing Live Network Data Prerequisites Capture Options dialog box Start Capturing Capture Interfaces dialog box Packets/sPrepare Capture Options dialog box Capture frameInterface Link-layer header type IP addressBuffer size n megabytes Capture packets in promiscuous Stop Capture... frame Capture Files frame Name Resolution frame Display Options frameButtons Capture files and file modes Capture file mode selected by capture options Multiple files, ring buffer Multiple files, continuous Link-layer header type Example 4.2. Capturing all telnet traffic not from Filtering while capturingSrcdst host host Ether srcdst host ehost Srcdst net net mask Gateway host hostMasklen len Tcpudp srcdst port port Stop the running capture While a Capture is running Restart a running capture Using the toolbar item Capturing Live Network Data File Input / Output and Printing Open Capture File dialog box Open capture files Input File Formats Page Save Capture File As dialog box Saving captured packets Tip Output File Formats Merge with Capture File dialog box Merging capture filesPage List Files dialog box File Sets Exporting data Export as Plain Text File dialog boxExport as PostScript File dialog box Export as Psml File dialog box Export as CSV Comma Seperated Values File dialog box Export as Psml File dialog box Export as Pdml File dialog box Export Selected Packet Bytes dialog box Export selected packet bytes dialog boxPage Printing packets Print dialog boxPrinter Lpr -Pmypostscript 10. The Packet Range frame Packet Range frame 11. The Packet Format frame Packet Format frame File Input / Output and Printing Viewing packets you have captured Working with captured packets Function overview of the pop-up menus Decode As Lis Byt Menu Description TailNew Window Resolve name Copy Follow TCP Stream Mark Packet toggle Filter Field Reference Protocol PropertiesGo to Corresponding Packet Export Selected Packet Bytes Filtering on the TCP protocol Filtering packets while viewingPage Display filter fields Building display filter expressionsComparing values Display Filter comparison operators Display Filter Field Types Combining expressions Display Filter Logical Operations Common mistake Filter Expression dialog box Filter Expression dialog box Value CancelPredefined values Range Capture Filters and Display Filters dialog boxes Defining and saving filters Delete NewFilter Filter name Find Packet dialog box Finding packetsDisplay filter Hex Value Find Next command Find Previous commandDown Go to a specific packet Marking packets Packet time referencing Time display formats and time referencesPage Working with captured packets 119 Advanced Features Follow TCP stream dialog box Following TCP streamsPage Reassembling is disabled by default What is it?Packet Reassembling How Ethereal handles it Name Resolution Ethernet name resolution MAC layerIP name resolution network layer TCP/UDP port name resolution transport layer IPX name resolution network layer Advanced Features 126 Statistics Summary window Summary windowPage Protocol Hierarchy window Protocol Hierarchy windowPage What is an Endpoint? EndpointsEndpoints window Protocol specific Endpoint List windows Conversations What is a Conversation?Conversations window Protocol specific Conversation List windows IO Graphs window GraphsAxis Page Service Response Time Service Response Time DCE-RPC windowFibre Channel 225 RAS DCE-RPC Statistic for ... window Protocol specific statistics windows Statistics 140 Customizing Ethereal Example 9.1. Help information available from Ethereal Start Ethereal from the command lineDuration ue Filesize ue Filesizeue DurationueCapture buffer size Win32 Only Font Preference/recent settingsName resolving flags Ethereal -o mgcp.displaydissecttreeTRUE Savefile Time stamp formatCapture link type Statistics-string Coloring Rules dialog box Packet colorization Choose color dialog box Using color filters with Ethereal Control Protocol dissection Enabled Protocols dialog boxPage Decode As dialog box User Specified Decodes Decode As Show dialog box Show User Specified Decodes Preferences dialog box Preferences Customizing Ethereal 154 Customizing Ethereal 155 Table A.1. Configuration files and folders overview Appendix A. Configuration and other Files and Folders Preferences/ethereal.conf Windows folders Configuration files and folders overview. If an address is Disabledprotos Windows folders Windows profilesPlugins folder Windows NT/2000/XP roaming profiles 98/ME with enabled user proWindows temporary folder 95/98/ME Configuration and other Files Folders 161 Appendix B. Protocols and Protocol Fields Appendix C. Related command line tools Tcpdump Capturing with tcpdump for viewing with Ethereal Tethereal Terminal-based Ethereal Example C.1. Help information available from capinfos Capinfos Print information about capture files Example C.2. Help information available from editcap Editcap Edit capture files Related command line tools Encap type Time adjustmentCapture type Snaplen Example C.3. Help information available from mergecap Mergecap Merging multiple capture files into one 171 Example C.4. Simple example of using mergecap Example C.5. Help information available for text2pcap Text2pcap Converting Ascii hexdumps to network captures Hexoct Filename Srcport destport L3pid How to use idl2eth Why do this?Prerequisites to using idl2eth Idl2eth Creating dissectors from Corba IDL files Todo Limitations Related command line tools 179 GNU General Public License Appendix D. This Documents License GPL 181 182 183 184 185