Ethereal Packet Capture Options

Customizing Ethereal Capture Options.

Ethereal provides you with a series of options that allow you to customize the capture.

If a button is raised the option is Off, if a button is pressed the option is On. Options are grouped into different functions as described below.

Capture

Interface if you have more than one card in the machine this option allows you to specify which interface to use to perform the capture.

Limit each packet to allows you to restrict allows you to specify, in bytes, how much of each packet to collect. This is useful if you are interested in the header information only, if you wan to collect lots of packets on a busy network, and if you want to keep the file sizes as small as possible.

Capture packets in promiscuous mode If you want to capture everything that your machine can see click this option. If you only want to see packets in and out of your machine leave this option unselected.

Filter allows you to enter an existing capture filter.

Capture file(s)

File allows you to save the captured packets in a named file.

Use ring buffer allows you to specify a number of files to use for the capture.

In a Ring Buffer when one file is full a new one starts. When the specified number of files are all full capture begins to overwrite the files in sequence. This function is useful if you want to capture continuously but do not want to fill your hard disk.

Note: that when Use Ring Buffer is pressed the Capture limits option, Stop capture after xx kilobyte(s) changes to Rotate capture every xx kilobytes.

Display options

Update list of packets in real time Use this option if you want to view the list of packets as they are captured.

Automatic scrolling in live capture Select this if you want the packet list to scroll.

Capture limits

These options limit the number of packets you can capture.

There are three options, limit by number of packets, by an amount of disk space, or by time.

All can be enabled at once, the first option to be matched will cause the capture to stop.

If Use ring buffer is pressed Rotate capture every allows you to specify the file size in kilobytes.

To capture continuously switch all the options Off.

Name resolution

Enable MAC name resolution. If you want the MAC addresses to be resolved into names select this option.

Enable network name resolution. If you want the network addresses to be resolved into names select this option.

Enable transport name resolution. If you want the transport addresses to be resolved into names select this option.

Enabling name resolution can slow Ethereal down increasing the risk of dropping packets.

Click OK when you have set the options you require.

As packet capture proceeds a breakdown of the running totals is displayed in the capture window.

If you have set a value in the Capture limits options capturing will continue until that value is reached. If not you can press the Stop button at any time.

When you stop capturing the opening screen now shows the captured packets.

Scroll through the list to find the packet you are interested in and click on it to see the details.

You can also resize the windows if required by pointing your cursor at the bars between panes.

Click and hold the left mouse button, and drag the bar to the required position.