summaryrefslogtreecommitdiffstats
path: root/doc/wsug_src/wsug_capture.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'doc/wsug_src/wsug_capture.adoc')
-rw-r--r--doc/wsug_src/wsug_capture.adoc737
1 files changed, 737 insertions, 0 deletions
diff --git a/doc/wsug_src/wsug_capture.adoc b/doc/wsug_src/wsug_capture.adoc
new file mode 100644
index 00000000..7ac3faf4
--- /dev/null
+++ b/doc/wsug_src/wsug_capture.adoc
@@ -0,0 +1,737 @@
+// WSUG Chapter Capture
+
+[#ChapterCapture]
+
+== Capturing Live Network Data
+
+[#ChCapIntroduction]
+
+=== Introduction
+
+Capturing live network data is one of the major features of Wireshark.
+
+The Wireshark capture engine provides the following features:
+
+* Capture from different kinds of network hardware such as Ethernet or 802.11.
+
+* Simultaneously capture from multiple network interfaces.
+
+* Stop the capture on different triggers such as the amount of captured data,
+ elapsed time, or the number of packets.
+
+* Simultaneously show decoded packets while Wireshark is capturing.
+
+* Filter packets, reducing the amount of data to be captured. See
+ <<ChCapCaptureFilterSection>>.
+
+* Save packets in multiple files while doing a long-term capture, optionally
+ rotating through a fixed number of files (a “ringbuffer”). See
+ <<ChCapCaptureFiles>>.
+
+The capture engine still lacks the following features:
+
+* Stop capturing (or perform some other action) depending on the captured data.
+
+[#ChCapPrerequisitesSection]
+
+=== Prerequisites
+
+Setting up Wireshark to capture packets for the first time can be
+tricky. A comprehensive guide “How To setup a Capture” is available at
+{wireshark-wiki-url}CaptureSetup.
+
+Here are some common pitfalls:
+
+* You may need special privileges to start a live capture.
+
+* You need to choose the right network interface to capture packet data from.
+
+* You need to capture at the right place in the network to see the traffic you
+ want to see.
+
+If you have any problems setting up your capture environment, you should have a
+look at the guide mentioned above.
+
+[#ChCapCapturingSection]
+
+=== Start Capturing
+
+The following methods can be used to start capturing packets with Wireshark:
+
+* You can double-click on an interface in the <<ChCapInterfaceSection,welcome screen>>.
+
+* You can select an interface in the <<ChCapInterfaceSection,welcome screen>>, then select menu:Capture[Start] or click the first toolbar button.
+
+* You can get more detailed information about available interfaces using <<ChCapCaptureOptions>> (menu:Capture[Options...]).
+
+* If you already know the name of the capture interface you can start Wireshark from the command line:
+--
+----
+$ wireshark -i eth0 -k
+----
+--
+This will start Wireshark capturing on interface `eth0`. More details can be found at <<ChCustCommandLine>>.
+
+[#ChCapInterfaceSection]
+
+=== The “Capture” Section Of The Welcome Screen
+
+When you open Wireshark without starting a capture or opening a capture file it will display the “Welcome Screen,” which lists any recently opened capture files and available capture interfaces.
+Network activity for each interface will be shown in a sparkline next to the interface name.
+It is possible to select more than one interface and capture from them simultaneously.
+
+[#ChCapCaptureInterfacesMainWin32]
+
+.Capture interfaces on Microsoft Windows
+image::images/ws-capture-interfaces-main-win32.png[{screenshot-attrs}]
+
+[#ChCapCaptureInterfacesMainMacos]
+
+.Capture interfaces on macOS
+image::images/ws-capture-interfaces-main-macos.png[{screenshot-attrs}]
+
+Some interfaces allow or require configuration prior to capture.
+This will be indicated by a configuration icon
+(image:images/toolbar/x-capture-options.png[height=16,width=16])
+to the left of the interface name.
+Clicking on the icon will show the configuration dialog for that interface.
+
+Hovering over an interface will show any associated IPv4 and IPv6 addresses and its capture filter.
+
+Wireshark isn't limited to just network interfaces -- on most systems you can also capture USB, Bluetooth, and other types of packets.
+Note also that an interface might be hidden if it’s inaccessible to Wireshark or if it has been hidden as described in <<ChCapManageInterfacesSection>>.
+
+[#ChCapCaptureOptions]
+
+=== The “Capture Options” Dialog Box
+
+When you select menu:Capture[Options...] (or use the corresponding item in the
+main toolbar), Wireshark pops up the “Capture Options” dialog box as shown in
+<<ChCapCaptureOptionsDialog>>.
+If you are unsure which options to choose in this dialog box, leaving the defaults settings as they are should work well in many cases.
+
+[#ChCapCaptureOptionsDialog]
+.The “Capture Options” input tab
+image::images/ws-capture-options.png[{screenshot-attrs}]
+
+The “Input” tab contains the “Interface” table, which shows the following columns:
+
+Interface::
+The interface name.
++
+Some interfaces allow or require configuration prior to capture.
+This will be indicated by a configuration icon
+(image:images/toolbar/x-capture-options.png[height=16,width=16])
+to the left of the interface name.
+Clicking on the icon will show the configuration dialog for that interface.
+
+Traffic::
+A sparkline showing network activity over time.
+
+Link-layer Header::
+The type of packet captured by this interface.
+In some cases it is possible to change this.
+See <<ChCapLinkLayerHeader>> for more details.
+
+Promiscuous::
+Lets you put this interface in promiscuous mode while capturing.
+Note that another application might override this setting.
+
+Snaplen::
+The snapshot length, or the number of bytes to capture for each packet.
+You can set an explicit length if needed, e.g., for performance or privacy reasons.
+
+Buffer::
+The size of the kernel buffer that is reserved for capturing packets.
+You can increase or decrease this as needed, but the default is usually sufficient.
+
+Monitor Mode::
+Lets you capture full, raw 802.11 headers.
+Support depends on the interface type, hardware, driver, and OS.
+Note that enabling this might disconnect you from your wireless network.
+
+Capture Filter::
+The capture filter applied to this interface.
+You can edit the filter by double-clicking on it.
+See <<ChCapCaptureFilterSection>> for more details about capture filters.
+
+Hovering over an interface or expanding it will show any associated IPv4 and IPv6 addresses.
+
+If “Enable promiscuous mode on all interfaces” is enabled, the individual promiscuous mode settings above will be overridden.
+
+“Capture filter for selected interfaces” can be used to set a filter for more than one interface at the same time.
+
+btn:[Manage Interfaces] opens the <<ChCapManageInterfacesDialog>> where pipes can be defined, local interfaces scanned or hidden, or remote interfaces added.
+
+btn:[Compile Selected BPFs] opens <<ChCapCompiledFilterOutputDialog>>, which shows you the compiled bytecode for your capture filter.
+This can help to better understand the capture filter you created.
+
+
+[TIP]
+.Linux power user tip
+====
+The execution of BPFs can be sped up on Linux by turning on BPF Just In Time compilation by executing
+
+----
+$ echo 1 >/proc/sys/net/core/bpf_jit_enable
+----
+
+if it is not enabled already. To make the change persistent you can use
+link:{sysfs-main-url}[sysfsutils].
+====
+
+.The “Capture Options” output tab
+image::images/ws-capture-options-output.png[{screenshot-attrs}]
+
+The “Output” tab shows the following information:
+
+Capture to a permanent file::
+
+File:::
+This field allows you to specify the file name that will be used for the capture file.
+It is left blank by default.
+If left blank, the capture data will be stored in a temporary file.
+See <<ChCapCaptureFiles>> for details.
+You can also click on the button to the right of this field to browse through the filesystem.
+
+Output format:::
+Allows you to set the format of the capture file.
+pcapng is the default and is more flexible than pcap.
+pcapng might be required, e.g., if more than one interface is chosen for capturing.
+See {wireshark-wiki-url}Development/PcapNg for more details on pcapng.
+
+Create a new file automatically...::
+Sets the conditions for switching a new capture file.
+A new capture file can be created based on the following conditions:
+ * The number of packets in the capture file.
+ * The size of the capture file.
+ * The duration of the capture file.
+ * The wall clock time.
+
+Use a ring buffer with::
+Multiple files only.
+Form a ring buffer of the capture files with the given number of files.
+
+More details about capture files can be found in <<ChCapCaptureFiles>>.
+
+.The “Capture Options” options tab
+image::images/ws-capture-options-options.png[{screenshot-attrs}]
+
+The “Options” tab shows the following information:
+
+Display Options::
+
+Update list of packets in real-time:::
+Updates the packet list pane in real time during capture.
+If you do not enable this, Wireshark will not display any packets until you stop the capture.
+When you check this, Wireshark captures in a separate process and feeds the captures to the display process.
+
+Automatically scroll during live capture:::
+Scroll the packet list pane as new packets come in, so you are always looking at the most recent packet.
+Automatic scrolling is temporarily disabled when manually scrolling upwards or performing a <<ChUseTabGo,"Go" action>> so that the selected packet can be examined.
+It will resume upon manually scrolling to the end of the packet list.
+If you do not specify this Wireshark adds new packets to the packet list but does not scroll the packet list pane.
+This option has no effect if “Update list of packets in real-time” is disabled.
+
+Show capture information during capture:::
+If this option is enabled, the capture information dialog described in <<ChCapRunningSection>> will be shown while packets are captured.
+
+Name Resolution::
+
+Resolve MAC addresses:::
+Translate MAC addresses into names.
+
+Resolve network names:::
+Translate network addresses into names.
+
+Resolve transport names:::
+Translate transport names (port numbers).
+
+See <<ChAdvNameResolutionSection>> for more details on each of these options.
+
+Stop capture automatically after...::
+
+Capturing can be stopped based on the following conditions:
+
+* The number of packets in the capture file.
+* The number of capture files.
+* The capture file size.
+* The capture file duration.
+
+You can double click on an interface row in the “Input“ tab or click btn:[Start] from any tab to commence the capture. You can click btn:[Cancel] to apply your changes and close the dialog.
+
+[#ChCapManageInterfacesSection]
+
+=== The “Manage Interfaces” Dialog Box
+
+[#ChCapManageInterfacesDialog]
+.The “Manage Interfaces” dialog box
+image::images/ws-manage-interfaces.png[{screenshot-attrs}]
+
+The “Manage Interfaces” dialog box initially shows the “Local Interfaces” tab, which lets you manage the following:
+
+Show::
+Whether or not to show or hide this interface in the welcome screen and the “Capture Options” dialog.
+
+Friendly Name::
+A name for the interface that is human readable.
+
+Interface Name::
+The device name of the interface.
+
+Comment::
+Can be used to add a descriptive comment for the interface.
+
+// [[ChCapManageInterfacesPipesDialog]]
+
+// .The “Pipes” tab
+// image::images/ws-capture-options-manage-interfaces-pipes.png[{screenshot-attrs}]
+
+The “Pipes” tab lets you capture from a named pipe.
+To successfully add a pipe, its associated named pipe must have already been created.
+Click btn:[{plus}] and type the name of the pipe including its path.
+Alternatively, btn:[Browse] can be used to locate the pipe.
+
+To remove a pipe from the list of interfaces, select it and press btn:[-].
+
+// [[ChCapManageInterfacesDialog]]
+
+// === The “Add New Interfaces” dialog box
+
+// As a central point to manage interfaces this dialog box consists of three tabs
+// to add or remove interfaces.
+
+// .The “Add New Interfaces” dialog box
+// image::images/ws-capture-options-manage-interfaces.png[{screenshot-attrs}]
+
+// ==== Add or hide local interfaces
+
+// [[ChCapManageInterfacesLocalDialog]]
+// .The “Add New Interfaces - Local Interfaces” dialog box
+// image::images/ws-capture-options-manage-interfaces-local.png[{screenshot-attrs}]
+
+// The tab “Local Interfaces” contains a list of available local interfaces,
+// including the hidden ones, which are not shown in the other lists.
+
+// If a new local interface is added, for example, a wireless interface has been
+// activated, it is not automatically added to the list to prevent the constant
+// scanning for a change in the list of available interfaces. To renew the list a
+// rescan can be done.
+
+// One way to hide an interface is to change the preferences. If the “Hide”
+// checkbox is activated and the btn:[Apply] button clicked, the interface will
+// not be seen in the lists of the “Capture Interfaces” dialog box any more. The
+// changes are also saved in the `preferences` file.
+
+// ==== Add or hide remote interfaces
+
+// [[ChCapManageInterfacesRemoteDialog]]
+// .The “Add New Interfaces - Remote Interfaces” dialog box
+// image::images/ws-capture-options-manage-interfaces-remote.png[{screenshot-attrs}]
+
+On Microsoft Windows, the “Remote Interfaces” tab lets you capture from an interface on a different machine.
+The Remote Packet Capture Protocol service must first be running on the target platform before Wireshark can connect to it.
+
+On Linux or Unix you can capture (and do so more securely) through an SSH tunnel.
+
+To add a new remote capture interface, click btn:[{plus}] and specify the following:
+
+Host::
+The IP address or host name of the target platform where the Remote Packet Capture Protocol service is listening.
+The drop-down list contains the hosts that have previously been successfully contacted.
+The list can be emptied by choosing “Clear list” from the drop-down list.
+
+Port::
+Set the port number where the Remote Packet Capture Protocol service is listening on.
+Leave blank to use the default port (2002).
+
+Null authentication::
+Select this if you don’t need authentication to take place for a remote capture to be started.
+This depends on the target platform.
+This is exactly as secure as it appears, i.e., it is not secure at all.
+
+Password authentication::
+Lets you specify the username and password required to connect to the Remote Packet Capture Protocol service.
+
+Each interface can optionally be hidden.
+In contrast to the local interfaces, they are not saved in the `preferences` file.
+
+[NOTE]
+====
+Make sure you have outside access to port 2002 on the target platform.
+This is the default port used by the Remote Packet Capture Protocol service.
+====
+
+To remove a host including all its interfaces from the list, select it and click the btn:[-] button.
+
+// To access the Remote Capture Interfaces dialog use the “Remote Interfaces” tab of the “Manage Interfaces” dialog. See <<ChCapManageInterfacesRemoteDialog>> and select btn:[Add].
+
+// [[ChCapInterfaceRemoteDialog]]
+// .The “Remote Capture Interfaces” dialog box
+// image::images/ws-capture-options-manage-interfaces-remote-plus.png[{screenshot-attrs}]
+
+
+// ==== Remote Capture Settings
+
+// The remote capture can be further fine tuned to match your situation. The
+// btn:[Remote Interfaces] button in <<ChCapManageInterfacesDialog>> gives
+// you this option. It pops up the dialog shown in
+// <<ChCapInterfaceRemoteSettingsDialog>>.
+
+// [[ChCapInterfaceRemoteSettingsDialog]]
+// .The “Remote Capture Settings” dialog box
+// image::images/ws-capture-options-remote-settings.png[{screenshot-attrs}]
+
+// You can set the following parameters in this dialog:
+
+// _Do not capture own RPCAP traffic_::
+// This option sets a capture filter so that the traffic flowing back from the
+// Remote Packet Capture Protocol service to Wireshark isn’t captured as well and
+// also send back. The recursion in this saturates the link with duplicate traffic.
+// +
+// You only should switch this off when capturing on an interface other than the
+// interface connecting back to Wireshark.
+
+// _Use UDP for data transfer_::
+// Remote capture control and data flows over a TCP connection. This option allows
+// you to choose a UDP stream for data transfer.
+
+// _Sampling option None_::
+// This option instructs the Remote Packet Capture Protocol service to send back
+// all captured packets which have passed the capture filter. This is usually not a
+// problem on a remote capture session with sufficient bandwidth.
+
+// _Sampling option 1 of x packets_::
+// This option limits the Remote Packet Capture Protocol service to send only a sub
+// sampling of the captured data, in terms of number of packets. This allows
+// capture over a narrow band remote capture session of a higher bandwidth
+// interface.
+
+
+// _Sampling option 1 every x milliseconds_::
+// This option limits the Remote Packet Capture Protocol service to send only a sub
+// sampling of the captured data in terms of time. This allows capture over a
+// narrow band capture session of a higher bandwidth interface.
+
+// [[ChCapInterfaceDetailsSection]]
+
+// === The “Interface Details” dialog box
+
+// When you select Details from the Capture Interface menu, Wireshark pops up the
+// “Interface Details” dialog box as shown in <<ChCapInterfaceDetailsDialog>>. This
+// dialog shows various characteristics and statistics for the selected interface.
+
+// [NOTE]
+// .Microsoft Windows only
+// ====
+// This dialog is only available on Microsoft Windows
+// ====
+
+// [[ChCapInterfaceDetailsDialog]]
+// .The “Interface Details” dialog box
+// image::images/ws-capture-interface-details.png[{screenshot-attrs}]
+
+[#ChCapCompiledFilterOutputSection]
+
+=== The “Compiled Filter Output” Dialog Box
+
+This figure shows the results of compiling the BPF filter for the selected interfaces.
+
+[#ChCapCompiledFilterOutputDialog]
+
+.The “Compiled Filter Output” dialog box
+image::images/ws-capture-options-compile-selected-bpfs.png[{medium-screenshot-attrs}]
+
+In the list on the left the interface names are listed.
+The results of compiling a filter for the selected interface are shown on the right.
+
+[#ChCapCaptureFiles]
+
+=== Capture files and file modes
+
+While capturing, the underlying libpcap capturing engine will grab the packets
+from the network card and keep the packet data in a (relatively) small kernel
+buffer. This data is read by Wireshark and saved into a capture file.
+
+By default, Wireshark saves packets to a temporary file. You can also tell
+Wireshark to save to a specific (“permanent”) file and switch to a
+different file after a given time has elapsed or a given number of packets
+have been captured. These options are controlled in the
+“Capture Options” dialog's “Output” tab.
+
+[#ChCapCaptureOptionsOutputDialog]
+.Capture output options
+image::images/ws-capture-options-output.png[{screenshot-attrs}]
+
+[TIP]
+====
+Working with large files (several hundred MB) can be quite slow. If you plan to do
+a long-term capture or capturing from a high traffic network, think about using
+one of the “Multiple files” options. This will spread the captured packets over
+several smaller files which can be much more pleasant to work with.
+====
+
+Using the “Multiple files” option may cut context related information. Wireshark keeps
+context information of the loaded packet data, so it can report context related
+problems (like a stream error) and keeps information about context related
+protocols (e.g., where data is exchanged at the establishing phase and only
+referred to in later packets). As it keeps this information only for the loaded
+file, using one of the multiple file modes may cut these contexts. If the
+establishing phase is saved in one file and the things you would like to see is
+in another, you might not see some of the valuable context related information.
+
+Information about the folders used for capture files can be found in
+<<AppFiles>>.
+
+[#ChCapTabCaptureFiles]
+.Capture file mode selected by capture options
+[options="header",cols="2,2,2,3,5"]
+|===
+|File Name|“Create a new file...”|“Use a ring buffer...”|Mode|Resulting filename(s) used
+|-|-|-|Single temporary file|wireshark_<interface name>XXXXXX.pcap[ng]
+(<interface name> is the "friendly name" of the capture interface if available
+and the system name if not, when capturing on a single interface, and
+"N_interfaces" where N is the number of interfaces, when capturing on
+multiple interfaces; XXXXXX is a unique 6 character alphanumeric sequence.)
+|foo.cap|-|-|Single named file|foo.cap
+|foo.cap|x|-|Multiple files, continuous|foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, ...
+|foo.cap|x|x|Multiple files, ring buffer|foo_00001_20240714110102.cap, foo_00002_20240714110318.cap, ...
+|===
+
+Single temporary file::
+A temporary file will be created and used (this is the default).
+After capturing is stopped this file can be saved later under a user specified name.
+
+Single named file::
+A single capture file will be used.
+Choose this mode if you want to place the new capture file in a specific folder.
+
+Multiple files, continuous::
+Like the “Single named file” mode, but a new file is created and used after reaching one of the multiple file switch conditions (one of the “Next file every...” values).
+
+Multiple files, ring buffer::
+Much like “Multiple files continuous”, reaching one of the multiple files switch
+conditions (one of the “Next file every ...” values) will switch to the next
+file. This will be a newly created file if value of “Ring buffer with n files”
+is not reached, otherwise it will replace the oldest of the formerly used files
+(thus forming a “ring”).
++
+This mode will limit the maximum disk usage, even for an unlimited amount of
+capture input data, only keeping the latest captured data.
+
+[#ChCapLinkLayerHeader]
+
+=== Link-layer header type
+
+In most cases you won’t have to modify link-layer header type. Some exceptions
+are as follows:
+
+If you are capturing on an Ethernet device you might be offered a choice of
+“Ethernet” or “DOCSIS”. If you are capturing traffic from a Cisco Cable
+Modem Termination System that is putting DOCSIS traffic onto the Ethernet to be
+captured, select “DOCSIS”, otherwise select “Ethernet”.
+
+If you are capturing on an 802.11 device on some versions of BSD you might be
+offered a choice of “Ethernet” or “802.11”. “Ethernet” will cause the
+captured packets to have fake (“cooked”) Ethernet headers. “802.11” will
+cause them to have full IEEE 802.11 headers. Unless the capture needs to be read
+by an application that doesn’t support 802.11 headers you should select
+“802.11”.
+
+If you are capturing on an Endace DAG card connected to a synchronous serial
+line you might be offered a choice of “PPP over serial” or “Cisco HDLC”. If
+the protocol on the serial line is PPP, select “PPP over serial” and if the
+protocol on the serial line is Cisco HDLC, select “Cisco HDLC”.
+
+If you are capturing on an Endace DAG card connected to an ATM network you might
+be offered a choice of “RFC 1483 IP-over-ATM” or “Sun raw ATM”. If the only
+traffic being captured is RFC 1483 LLC-encapsulated IP, or if the capture needs
+to be read by an application that doesn’t support SunATM headers, select “RFC
+1483 IP-over-ATM”, otherwise select “Sun raw ATM”.
+
+[#ChCapCaptureFilterSection]
+
+=== Filtering while capturing
+
+Wireshark supports limiting the packet capture to packets that match a
+_capture filter_. Wireshark capture filters are written in
+libpcap filter language. Below is a brief overview of the libpcap filter
+language's syntax. Complete documentation can be found at
+the link:{pcap-filter-man-page-url}[pcap-filter man page]. You can find
+many Capture Filter examples at {wireshark-wiki-url}CaptureFilters.
+
+You enter the capture filter into the “Filter” field of the Wireshark
+“Capture Options” dialog box, as shown in <<ChCapCaptureOptionsDialog>>.
+
+A capture filter takes the form of a series of primitive expressions connected
+by conjunctions (__and/or__) and optionally preceded by __not__:
+
+----
+[not] primitive [and|or [not] primitive ...]
+----
+
+An example is shown in <<ChCapExFilt1>>.
+
+[#ChCapExFilt1]
+.A capture filter for telnet that captures traffic to and from a particular host
+====
+----
+tcp port 23 and host 10.0.0.5
+----
+====
+
+This example captures telnet traffic to and from the host 10.0.0.5, and shows
+how to use two primitives and the __and__ conjunction. Another example is shown
+in <<ChCapExFilt2>>, and shows how to capture all telnet traffic except that
+from 10.0.0.5.
+
+[#ChCapExFilt2]
+.Capturing all telnet traffic not from 10.0.0.5
+====
+----
+tcp port 23 and not src host 10.0.0.5
+----
+====
+
+// XXX - add examples to the following list.
+
+A primitive is simply one of the following: _[src|dst] host <host>_::
+This primitive allows you to filter on a host IP address or name. You can
+optionally precede the primitive with the keyword _src|dst_ to specify that you
+are only interested in source or destination addresses. If these are not
+present, packets where the specified address appears as either the source or the
+destination address will be selected.
+
+ether [src|dst] host <ehost>::
+This primitive allows you to filter on Ethernet host addresses. You can
+optionally include the keyword _src|dst_ between the keywords _ether_ and _host_
+to specify that you are only interested in source or destination addresses. If
+these are not present, packets where the specified address appears in either the
+source or destination address will be selected.
+
+gateway host <host>::
+This primitive allows you to filter on packets that used _host_ as a gateway.
+That is, where the Ethernet source or destination was _host_ but neither the
+source nor destination IP address was _host_.
+
+[src|dst] net <net> [{mask <mask>}|{len <len>}]::
+This primitive allows you to filter on network numbers. You can optionally
+precede this primitive with the keyword _src|dst_ to specify that you are only
+interested in a source or destination network. If neither of these are present,
+packets will be selected that have the specified network in either the source or
+destination address. In addition, you can specify either the netmask or the CIDR
+prefix for the network if they are different from your own.
+
+
+[tcp|udp] [src|dst] port <port>::
+This primitive allows you to filter on TCP and UDP port numbers. You can
+optionally precede this primitive with the keywords _src|dst_ and _tcp|udp_
+which allow you to specify that you are only interested in source or destination
+ports and TCP or UDP packets respectively. The keywords _tcp|udp_ must appear
+before _src|dst_.
++
+If these are not specified, packets will be selected for both the TCP and UDP
+protocols and when the specified address appears in either the source or
+destination port field.
+
+less|greater <length>::
+This primitive allows you to filter on packets whose length was less than or
+equal to the specified length, or greater than or equal to the specified length,
+respectively.
+
+ip|ether proto <protocol>::
+This primitive allows you to filter on the specified protocol at either the
+Ethernet layer or the IP layer.
+
+ether|ip broadcast|multicast::
+This primitive allows you to filter on either Ethernet or IP broadcasts or
+multicasts.
+
+<expr> relop <expr>::
+This primitive allows you to create complex filter expressions that select bytes or ranges of bytes in packets.
+Please see the pcap-filter man page at {pcap-filter-man-page-url} for more details.
+
+
+[#ChCapCaptureAutoFilterSection]
+
+==== Automatic Remote Traffic Filtering
+
+If Wireshark is running remotely (using e.g., SSH, an exported X11 window, a
+terminal server, ...), the remote content has to be transported over the
+network, adding a lot of (usually unimportant) packets to the actually
+interesting traffic.
+
+To avoid this, Wireshark tries to figure out if it’s remotely connected (by
+looking at some specific environment variables) and automatically creates a
+capture filter that matches aspects of the connection.
+
+The following environment variables are analyzed:
+
+`SSH_CONNECTION` (ssh)::
+<remote IP> <remote port> <local IP> <local port>
+
+
+`SSH_CLIENT` (ssh)::
+<remote IP> <remote port> <local port>
+
+
+`REMOTEHOST` (tcsh, others?)::
+<remote name>
+
+`DISPLAY` (x11)::
+[remote name]:<display num>
+
+
+`SESSIONNAME` (terminal server)::
+<remote name>
+
+On Windows it asks the operating system if it’s running in a Remote Desktop Services environment.
+
+[#ChCapRunningSection]
+
+=== While a Capture is running ...
+
+You might see the following dialog box while a capture is running:
+
+[#ChCapCaptureInfoDialog]
+.The “Capture Information” dialog box
+image::images/ws-capture-info.png[{small-screenshot-attrs}]
+
+This dialog box shows a list of protocols and their activity over time.
+It can be enabled via the “capture.show_info” setting in the “Advanced”
+preferences.
+
+[#ChCapStopSection]
+
+==== Stop the running capture
+
+A running capture session will be stopped in one of the following ways:
+
+. The btn:[Stop Capture] button in the “Capture Information” dialog box.
+
+. The menu:Capture[Stop] menu item.
+
+. The btn:[Stop] toolbar button.
+
+. Pressing kbd:[Ctrl+E].
+
+. The capture will be automatically stopped if one of the _Stop Conditions_ is
+ met, e.g., the maximum amount of data was captured.
+
+[#ChCapRestartSection]
+
+==== Restart a running capture
+
+A running capture session can be restarted with the same capture options as the
+last time, this will remove all packets previously captured. This can be useful,
+if some uninteresting packets are captured and there’s no need to keep them.
+
+Restart is a convenience function and equivalent to a capture stop following by
+an immediate capture start. A restart can be triggered in one of the following
+ways:
+
+. Using the menu:Capture[Restart] menu item.
+
+. Using the btn:[Restart] toolbar button.
+
+// End of WSUG Chapter Capture