User Guide

Capturing Live Network Data
4.9. Link-layer header type
In the usual case, you won't have to choose a link-layer header type. The following paragraphs describe
the exceptional cases in which a choice is offered, so you will know which type to select:
If you are capturing on an 802.11 device on some versions of BSD, this might offer a choice of "Ethernet"
or "802.11". "Ethernet" will cause the captured packets to have fake Ethernet headers; "802.11" will cause
them to have IEEE 802.11 headers. Unless the capture needs to be read by an application that doesn't
support 802.11 headers, you should select "802.11".
If you are capturing on an Endace DAG card connected to a synchronous serial line, this might offer a
choice of "PPP over serial" or "Cisco HDLC"; if the protocol on the serial line is PPP, select "PPP over
serial", and if the protocol on the serial line is Cisco HDLC, select "Cisco HDLC".
If you are capturing on an Endace DAG card connected to an ATM network, this might offer a choice
of "RFC 1483 IP-over-ATM" or "Sun raw ATM". If the only traffic being captured is RFC 1483 LLC-
encapsulated IP, or if the capture needs to be read by an application that doesn't support SunATM headers,
select "RFC 1483 IP-over-ATM", otherwise select "Sun raw ATM".
If you are capturing on an Ethernet device, this might offer a choice of "Ethernet" or "DOCSIS". If you
are capturing traffic from a Cisco Cable Modem Termination System that is putting DOCSIS traffic onto
the Ethernet to be captured, select "DOCSIS", otherwise select "Ethernet".
4.10. Filtering while capturing
Wireshark uses the libpcap filter language for capture filters. This is explained in the tcpdump man page,
which can be hard to understand, so it's explained here to some extent.
Tip!
You will find a lot of Capture Filter examples at http://wiki.wireshark.org/CaptureFilters.
You enter the capture filter into the Filter field of the Wireshark Capture Options dialog box, as shown
in Figure 4.3, “The "Capture Options" dialog box”. The following is an outline of the syntax of the
tcpdump capture filter language. See the expression option at the tcpdump manual page for details:
http://www.tcpdump.org/tcpdump_man.html.
A capture filter takes the form of a series of primitive expressions connected by conjunctions (and/or)
and optionally preceded by not:
[not] primitive [and|or [not] primitive ...]
An example is shown in Example 4.1, “A capture filter for telnet that captures traffic to and from a
particular host”.
Example 4.1. A capture filter for telnet that captures traffic to and from a particular
host
tcp port 23 and host 10.0.0.5
This example captures telnet traffic to and from the host 10.0.0.5, and shows how to use two primitives
and the and conjunction. Another example is shown in Example 4.2, “Capturing all telnet traffic not from
10.0.0.5”, and shows how to capture all telnet traffic except that from 10.0.0.5.
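As an added illustration of the filter syntax outlined above, the following Python script evaluates a small subset of the capture-filter language against a few constructed packets. This is example code written for this page; it is not part of Wireshark or libpcap, which compile filters to BPF rather than interpreting them like this. It goes a little beyond the outline: it also accepts parentheses and applies the precedence rules from the pcap-filter manual page, where not binds tightest and and/or have equal precedence and associate left to right. The Packet type, the SAMPLE_PACKETS list, the select() helper and every filter string other than Example 4.1 are constructed for this illustration.

```python
"""Toy evaluator for the capture-filter syntax outlined in this section:
    [not] primitive [and|or [not] primitive ...]
Primitives handled: tcp, udp, [src|dst] host A.B.C.D, [tcp|udp] [src|dst] port N.
Precedence follows pcap-filter(7): `not` binds tightest; `and` and `or` have equal
precedence and associate left to right; parentheses group. Packet, SAMPLE_PACKETS
and select() are constructed for this illustration, not taken from Wireshark."""
from collections import namedtuple

# proto is "tcp" or "udp"; src/dst are IPv4 addresses; sport/dport are ports.
Packet = namedtuple("Packet", "proto src dst sport dport")


class Parser:
    def __init__(self, expr):
        # Pad parentheses so they split off as their own tokens.
        self.toks = expr.replace("(", " ( ").replace(")", " ) ").split()
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok

    def parse(self):
        tree = self.parse_chain()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def parse_chain(self):
        # and/or at equal precedence, left to right: "a or b and c" == "(a or b) and c"
        left = self.parse_not()
        while self.peek() in ("and", "or"):
            op = self.take()
            left = (op, left, self.parse_not())
        return left

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primitive()

    def parse_primitive(self):
        if self.peek() == "(":
            self.take()
            inner = self.parse_chain()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        proto = self.take() if self.peek() in ("tcp", "udp") else None
        if proto and self.peek() not in ("src", "dst", "port"):
            return ("proto", proto)                     # bare "tcp" / "udp"
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind = self.take()
        if kind == "host" and proto is None:
            return ("host", direction, self.take())
        if kind == "port":
            value = self.take()
            if value is None or not value.isdigit():
                raise ValueError("port needs a number")
            return ("port", proto, direction, int(value))
        raise ValueError(f"unsupported primitive near {kind!r}")


def matches(node, pkt):
    """Evaluate a parsed filter tree against one packet."""
    op = node[0]
    if op in ("and", "or"):
        lhs, rhs = matches(node[1], pkt), matches(node[2], pkt)
        return (lhs and rhs) if op == "and" else (lhs or rhs)
    if op == "not":
        return not matches(node[1], pkt)
    if op == "proto":
        return pkt.proto == node[1]
    if op == "host":
        _, direction, addr = node
        hit = {"src": pkt.src == addr, "dst": pkt.dst == addr}
        return hit.get(direction, hit["src"] or hit["dst"])  # unqualified: either end
    _, proto, direction, num = node                           # op == "port"
    if proto is not None and pkt.proto != proto:
        return False
    hit = {"src": pkt.sport == num, "dst": pkt.dport == num}
    return hit.get(direction, hit["src"] or hit["dst"])      # unqualified: either end


# Constructed sample traffic, not a real capture.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", "10.0.0.9", 41000, 23),  # 0: telnet from 10.0.0.5
    Packet("tcp", "10.0.0.9", "10.0.0.5", 23, 41000),  # 1: telnet reply to 10.0.0.5
    Packet("tcp", "10.0.0.7", "10.0.0.9", 41001, 23),  # 2: telnet from another host
    Packet("udp", "10.0.0.5", "10.0.0.1", 5353, 53),   # 3: DNS query from 10.0.0.5
]


def select(expr, packets=SAMPLE_PACKETS):
    """Return the indices of the packets that capture filter `expr` keeps."""
    tree = Parser(expr).parse()
    return [i for i, pkt in enumerate(packets) if matches(tree, pkt)]
```

Calling select("tcp port 23 and host 10.0.0.5") returns [0, 1]: an unqualified host primitive matches either end of the packet, which is why Example 4.1 sees both directions. The precedence rule matters in practice: select("udp port 53 or tcp port 23 and src host 10.0.0.7") returns only [2], because the chain is read left to right as (udp port 53 or tcp port 23) and src host 10.0.0.7, whereas the parenthesised form udp port 53 or (tcp port 23 and src host 10.0.0.7) returns [2, 3]. A capture filter written with C-style precedence in mind can therefore silently drop traffic you intended to record, so it is worth checking a filter against a small known sample before relying on it.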