Revision history

initial version

in the capture option window, I can set a limit for other interfaces but not for SSH remote capture

"Other interfaces" presumably means "interfaces other than the ones that have 'remote capture' in their names"; there's no ability to limit the packet size for Cisco or UDP Listener capture, either.

Those three are called "extcaps" (for "external capture"), and they work differently from the other interfaces; the other interfaces use the de facto standard API for capturing (libpcap), but the "extcaps" use a separate program from Wireshark (some of which, such as those, are shipped with Wireshark, but they can also be provided by third parties).

I'll have to check whether there's a way for an "extcap" to indicate that it directly supports a "snapshot length" parameter to limit the packet size, but, even if it does, none of those extcaps support it.

So that's the bad news.

The good news is that, if you capture from the main Wireshark window rather than the "Capture Options" window, there should be, for all extcaps, an icon to the left of the interface name that looks sort of like a gear. If you click on the icon for a particular interface, it should pop up a dialog window to let you set parameters for the interface.

For SSH remote capture, there are four "tabs" in the dialog. If you select the "Capture" dialog, one option is "remote capture command"; that option specifies a command to run on the remote machine to do the capturing. If it's not specified, Wireshark constructs a tcpdump command; if it is, Wireshark just uses the command you specify.

The command should be something such as

```
tcpdump -i <interface> -s <packet size limit> '<filter>'
```

where <interface> is the name of the interface on the Linux machine, <packet size limit> is the packet size limit you want, and <filter> (the quotes around it are not always required, but they might be, so it's probably a Good Idea to use them) is the capture filter you want (if you want all packets, leave the filter, and the quotes around it, out). If you don't want to capture in promiscuous mode, add -p before '<filter>'; if you don't want to capture more than some number of packets, add -c <packet count>, where <packet count> is the maximum number of packets, before '<filter>'.

And please file an issue about the inability to specify snapshot lengths to various extcaps on the Wireshark issue list.
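As an added illustration of the "remote capture command" recipe in the answer above (this is example code, not part of the original answer or of Wireshark), the shell function below assembles the tcpdump command string with the options in the order the answer gives: `-i`, `-s`, an optional `-p`, an optional `-c`, and finally the single-quoted capture filter. It also checks that the snapshot length and packet count are numeric and that the filter contains no single quote, so a stray character cannot turn into an extra argument on the remote host. The interface name, snapshot length, packet count and filter in the usage line are constructed sample values.

```shell
# Added example (not from the original answer): build the string to paste into
# the SSH extcap's "remote capture command" field.
#
# Arguments:
#   $1 interface on the remote Linux host (e.g. eth0)
#   $2 packet size limit in bytes for tcpdump -s (0 means no limit)
#   $3 "yes" to capture promiscuously, "no" to add -p
#   $4 maximum packet count for tcpdump -c, or empty for unlimited
#   $5 capture filter, or empty to capture every packet
build_remote_capture_cmd() {
    iface=$1
    snaplen=$2
    promisc=$3
    count=$4
    filter=$5

    # Reject non-numeric sizes/counts so a typo cannot become an unexpected
    # argument when the command runs on the remote machine.
    case $snaplen in
        ''|*[!0-9]*) echo "snaplen must be numeric" >&2; return 1 ;;
    esac
    if [ -n "$count" ]; then
        case $count in
            *[!0-9]*) echo "count must be numeric" >&2; return 1 ;;
        esac
    fi
    # The filter is wrapped in single quotes, so an embedded single quote would
    # end the quoting early; refuse it instead of trying to escape it.
    case $filter in
        *\'*) echo "filter must not contain a single quote" >&2; return 1 ;;
    esac

    cmd="tcpdump -i $iface -s $snaplen"
    if [ "$promisc" = "no" ]; then
        cmd="$cmd -p"
    fi
    if [ -n "$count" ]; then
        cmd="$cmd -c $count"
    fi
    # Quote the filter so words such as "and"/"not" and any parentheses reach
    # tcpdump as one argument rather than being parsed by the remote shell.
    if [ -n "$filter" ]; then
        cmd="$cmd '$filter'"
    fi
    printf '%s\n' "$cmd"
}

# Constructed example: 96-byte snapshot, non-promiscuous, stop after 1000
# packets, and only look at TCP port 443 traffic.
build_remote_capture_cmd eth0 96 no 1000 'tcp port 443'
```

The printed line is what goes into the "remote capture command" option of the SSH remote capture dialog; the function only formats the string and does not run tcpdump itself. Keeping the snapshot length small and the filter tight limits how much payload is pulled back over the SSH session, which is usually the point of setting a size limit in the first place.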