Does anyone have a simple filter for capturing headers only.

asked 19 May '11, 05:37

mooseman's gravatar image

mooseman
16112
accept rate: 0%


You can try to go with slicing the frames to the first # of bytes, but there is no simple filter that will exactly capture certain headers only afaik.

Just open the capture options and put a check mark next to "Limit each packet to" and put in the number of bytes you want to capture. Usually you should go for at least 54 bytes (14 bytes Ethernet header, 20 IP, 20 TCP, unless IP or TCP are using a lot of optional "Option" headers). For SMB and other higher protocol header you'll need to go for 128 or even more bytes.

link

answered 19 May '11, 05:46

Jasper's gravatar image

Jasper ♦
16.1k338212
accept rate: 17%

Wireshark filters (both capture and display filters) only select which packets to capture or display, they do not select which information within a packet to display. So it is not possible to use a filter to only show certain headers. The only way to limit this is to actually cut the extra data of as Jasper has explained.

(19 May '11, 06:06) SYN-bit ♦♦

I am using the 1.8.3 version and I am having the same problem, I want to capture only the headers not the payload. I am having a hard time finding the option to limit each packet in this new version of Wireshark. Can anyone help me with that?

(09 Nov '12, 07:54) mikidi

open the capture options dialog and double click on the network card row of the card you want to use.

(09 Nov '12, 07:59) Jasper ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×105

Asked: 19 May '11, 05:37

Seen: 10,309 times

Last updated: 09 Nov '12, 07:59

powered by OSQA