Manuals / Lucent Technologies / Computer Equipment / Network Card

Lucent Technologies Ethereal manual Capture Files frame, Stop Capture... frame

Models: Ethereal

1 199

Download 199 pages 450 b

Page 81

Capturing Live Network Data

	CPU time is required for copying packets, less buffer
	space is required for packets, and thus perhaps fewer
	packets will be dropped if traffic is very heavy.
	• If you don't capture all of the data in a packet, you might
	find that the packet data you want is in the part that's
	dropped, or that reassembly isn't possible as the data re-
	quired for reassembly is missing.
Capture Filter	This field allows you to specify a capture filter. Capture fil-
	ters are discussed in more details in Section 4.8, “Filtering
	while capturing”. It defaults to empty, or no filter.
	You can also click on the button labelled Capture Filter, and
	Ethereal will bring up the Capture Filters dialog box and al-
	low you to create and/or select a filter. Please see Section 6.5,
	“Defining and saving filters”

4.5.2. Capture File(s) frame

An explanation about capture file usage can be found in Section 4.6, “Capture files and file modes”.

File	This field allows you to specify the file name that will be
	used for the capture file. This field is left blank by default. If
	the field is left blank, the capture data will be stored in a tem-
	porary file, see Section 4.6, “Capture files and file modes” for
	details.
	You can also click on the button to the right of this field to
	browse through the filesystem.
Use multiple files	Instead of using a single file, Ethereal will automatically
	switch to a new one, if a specific trigger condition is reached.
Next file every n megabyte(s)	Multiple files only: Switch to the next file after the given
	number of byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have
	been captured.

Next file every n minute(s)

Multiple files only: Switch to the next file after the given number of second(s)/minutes(s)/hours(s)/days(s) have elapsed.

Ring buffer with n files	Multiple files only: Form a ring buffer of the capture files,
	with the given number of files.
Stop capture after n file(s)	Multiple files only: Stop capturing after switching to the next
	file the given number of times.

4.5.3. Stop Capture... frame

... after n packet(s)	Stop capturing after the given number of packets have been
	captured.
... after n megabytes(s)	Stop	capturing	after	the	given	number	of
	byte(s)/kilobyte(s)/megabyte(s)/gigabyte(s) have been cap-
	tured. This option is greyed out, if "Use multiple files" is se-
	lected.

67

Image 81

Lucent Technologies Ethereal manual Capture Files frame, Stop Capture... frame

Contents

V2.0.2 16376 for Ethereal Ethereal Users GuideEthereal Users Guide V2.0.2 16376 for Ethereal Page Table of Contents Page Page Page Foreword PrefaceWho should read this document? Acknowledgements About this document Where to get the latest copy of this document? Providing feedback about this document Preface Xiv Features What is Ethereal?Introduction Some intended purposesExport files for many other capture programs Many protocol decodersOpen Source Software What Ethereal is not Platforms Ethereal runs on UnixLinux Microsoft Windows Where to get Ethereal? Rose by any other name Brief history of Ethereal Development and maintenance of Ethereal FAQ Reporting problems and getting helpWebsite Wiki Mailing ListsReporting Crashes on UNIX/Linux platforms Reporting ProblemsReporting Crashes on Windows platforms Introduction Introduction Building and Installing EtherealDownload all required files Obtaining the source and binary distributionsExample 2.1. Building GTK+ from source Before you build Ethereal under UnixExample 2.2. Building and installing libpcap Example 2.5. Installing debs under Debian Unix Building Ethereal from source underPage Installing the binaries under Unix Installing from rpms under RedHat and alikeInstalling from debs under Debian Troubleshooting during the install on Unix Building from source under Windows Install Ethereal Installing Ethereal under WindowsInstall WinPcap Update Ethereal Update WinPcapUninstall Ethereal Uninstall WinPcap Building and Installing Ethereal User Interface Start Ethereal Main window Main windowUser Interface Current program state and the captured data Menu Menu Item Accelerator Description Open File menuOpen Recent MergeSave As Menu Item Accelerator Description SaveFile Set List FilesPdml file Menu Item Accelerator Description ExportExport Selec Ted Packet BytesEdit menu Marking packets for details User InterfaceView Menu View menu items View menuSeconds Since Beginning of Capture and Seconds Since Fields Time of Day, Date and Time of DayPrevious Packet are mutually exclusive BeginningZoom Out Menu Item Accelerator Description ZoomNormal Size Resize AllGo menu Menu Item Accelerator Description Last Packet Capture menu Saving filters Analyze Menu Analyze menu items Analyze menuTCP FollowStatistics menu items Statistics menuMessage 225Types VoIP Calls10. The Help Menu Help menu items Help menuPage 11. The Main toolbar Main toolbar items Main toolbarGo Forward Go BackFirst Packet Go To Last PackTion 9.3, Packet colorization 12. The Filter toolbar Filter toolbar13. The Packet List pane Packet List pane14. The Packet Details pane Packet Details pane15. The Packet Bytes pane Packet Bytes pane17. The initial Statusbar StatusbarUser Interface Capturing Live Network Data Prerequisites Capture Options dialog box Start CapturingCapture Interfaces dialog box Packets/sPrepare Capture Options dialog box Capture frameInterface Link-layer header type IP addressBuffer size n megabytes Capture packets in promiscuousStop Capture... frame Capture Files frameName Resolution frame Display Options frameButtons Capture files and file modes Capture file mode selected by capture optionsMultiple files, ring buffer Multiple files, continuousLink-layer header type Example 4.2. Capturing all telnet traffic not from Filtering while capturingSrcdst host host Ether srcdst host ehostSrcdst net net mask Gateway host hostMasklen len Tcpudp srcdst port portStop the running capture While a Capture is runningRestart a running capture Using the toolbar itemCapturing Live Network Data File Input / Output and Printing Open Capture File dialog box Open capture filesInput File Formats Page Save Capture File As dialog box Saving captured packetsTip Output File Formats Merge with Capture File dialog box Merging capture filesPage List Files dialog box File SetsExporting data Export as Plain Text File dialog boxExport as PostScript File dialog box Export as Psml File dialog box Export as CSV Comma Seperated Values File dialog boxExport as Psml File dialog box Export as Pdml File dialog boxExport Selected Packet Bytes dialog box Export selected packet bytes dialog boxPage Printing packets Print dialog boxPrinter Lpr -Pmypostscript 10. The Packet Range frame Packet Range frame11. The Packet Format frame Packet Format frameFile Input / Output and Printing Viewing packets you have captured Working with captured packetsFunction overview of the pop-up menus Decode As Lis Byt Menu Description TailNew Window Resolve name CopyFollow TCP Stream Mark Packet toggleFilter Field Reference Protocol PropertiesGo to Corresponding Packet Export Selected Packet Bytes Filtering on the TCP protocol Filtering packets while viewingPage Display filter fields Building display filter expressionsComparing values Display Filter comparison operatorsDisplay Filter Field Types Combining expressionsDisplay Filter Logical Operations Common mistake Filter Expression dialog box Filter Expression dialog boxValue CancelPredefined values RangeCapture Filters and Display Filters dialog boxes Defining and saving filtersDelete NewFilter Filter nameFind Packet dialog box Finding packetsDisplay filter Hex ValueFind Next command Find Previous commandDown Go to a specific packet Marking packets Packet time referencing Time display formats and time referencesPage Working with captured packets 119 Advanced Features Follow TCP stream dialog box Following TCP streamsPage Reassembling is disabled by default What is it?Packet Reassembling How Ethereal handles itName Resolution Ethernet name resolution MAC layerIP name resolution network layer TCP/UDP port name resolution transport layer IPX name resolution network layerAdvanced Features 126 Statistics Summary window Summary windowPage Protocol Hierarchy window Protocol Hierarchy windowPage What is an Endpoint? EndpointsEndpoints window Protocol specific Endpoint List windows Conversations What is a Conversation?Conversations window Protocol specific Conversation List windowsIO Graphs window GraphsAxis Page Service Response Time Service Response Time DCE-RPC windowFibre Channel 225 RAS DCE-RPC Statistic for ... window Protocol specific statistics windows Statistics 140 Customizing Ethereal Example 9.1. Help information available from Ethereal Start Ethereal from the command lineDuration ue Filesize ueFilesizeue DurationueCapture buffer size Win32 OnlyFont Preference/recent settingsName resolving flags Ethereal -o mgcp.displaydissecttreeTRUESavefile Time stamp formatCapture link type Statistics-stringColoring Rules dialog box Packet colorizationChoose color dialog box Using color filters with Ethereal Control Protocol dissection Enabled Protocols dialog boxPage Decode As dialog box User Specified DecodesDecode As Show dialog box Show User Specified DecodesPreferences dialog box PreferencesCustomizing Ethereal 154 Customizing Ethereal 155 Table A.1. Configuration files and folders overview Appendix A. Configuration and other Files and FoldersPreferences/ethereal.conf Windows foldersConfiguration files and folders overview. If an address is DisabledprotosWindows folders Windows profilesPlugins folder Windows NT/2000/XP roaming profiles 98/ME with enabled user proWindows temporary folder 95/98/MEConfiguration and other Files Folders 161 Appendix B. Protocols and Protocol Fields Appendix C. Related command line tools Tcpdump Capturing with tcpdump for viewing with Ethereal Tethereal Terminal-based Ethereal Example C.1. Help information available from capinfos Capinfos Print information about capture filesExample C.2. Help information available from editcap Editcap Edit capture filesRelated command line tools Encap type Time adjustmentCapture type SnaplenExample C.3. Help information available from mergecap Mergecap Merging multiple capture files into one171 Example C.4. Simple example of using mergecap Example C.5. Help information available for text2pcap Text2pcap Converting Ascii hexdumps to network capturesHexoct FilenameSrcport destport L3pidHow to use idl2eth Why do this?Prerequisites to using idl2eth Idl2eth Creating dissectors from Corba IDL filesTodo Limitations Related command line tools 179 GNU General Public License Appendix D. This Documents License GPL181 182 183 184 185