The Wireshark package, including the Windows installer(s), also includes a command-line version tshark. In old versions they were always shown in the capture-options window (in fact they used most of the bottom half of the window, making them hard to miss) now you must go to the second and third tabs of the capture-options window. (Obviously you need disk space for the file(s).) In that case, Wireshark has long had an option to write immediately to a file or a series of files (based on time interval or amount of data), and if you also turn off 'update list in real time' (a separate option) it doesn't take nearly as much RAM. It appears in this case you only really need to capture, and display can be at a later time. I think this change occurred at 2.0, but I don't swear to that.
In old versions you had to double-click on the interface in the capture-options window now (or at least recently) it appears in the welcome window and the capture-options window, under the interface list. The location where you specify a capture filter has changed over time. The capture filter syntax is simpler and less powerful than Wireshark's display filter syntax, but from (and/or to) an IP address is within its capabilities. Packets excluded by the capture filter are not stored at all and don't use memory. Wireshark has supported separate capture-level (libpcap or winpcap) and display filters since at least 2008.
0 kommentar(er)
