Limiting capture volume

When capturing packets, limiting the volume of packets captured is important. Set limits on the capture so that it captures enough relevant traffic to troubleshoot the problem. If the limit is too low, the capture may be missing important details. If the limit is too high, there may be too much noise to sort through to find the problem.

Note

Capture files also consume disk space, which can be a factor on systems with smaller drives. Large captures will also take more time to download, which can be a concern on remote systems with slow WAN upload capacity.

When capturing without filtering on most networks, even for a short time frame, huge amounts of data will end up in the capture, all of which must be sorted through when attempting to locate the problem. Display filters in Wireshark can limit which parts of an existing capture file are shown, but filtering appropriately at the time of capture is preferable because it keeps the capture file size down and reduces processing time. Filters are discussed later in this chapter.

With an appropriate filter and packet count, capture files can be manageable and contain useful information.