
How can I limit packets size when I use SSH remote capture?

asked 2022-08-04 04:31:56 +0000


I'm using Wireshark under windows. And I need to capture packets from a Linux-based router.

How do I limit packet size when I use SSH remote capture?

in the capture option window, I can set a limit for other interfaces but not for SSH remote capture

screenshot: https://i.stack.imgur.com/G5iEB.png

Thanks!


1 Answer


answered 2022-08-04 06:37:32 +0000


in the capture option window, I can set a limit for other interfaces but not for SSH remote capture

"Other interfaces" presumably means "interfaces other than the ones that have 'remote capture' in their names"; there's no ability to limit the packet size for Cisco or UDP Listener capture, either.

Those three are called "extcaps" (for "external capture"), and they work differently from the other interfaces; the other interfaces use the de facto standard API for capturing (libpcap), but the "extcaps" use a separate program from Wireshark (some of which, such as those, are shipped with Wireshark, but they can also be provided by third parties).

I'll have to check whether there's a way for an "extcap" to indicate that it directly supports a "snapshot length" parameter to limit the packet size, but, even if it does, none of those extcaps support it.

So that's the bad news.

The good news is that, if you capture from the main Wireshark window rather than the "Capture Options" window, there should be, for all extcaps, an icon to the left of the interface name that looks sort of like a gear. If you click on the icon for a particular interface, it should pop up a dialog window to let you set parameters for the interface.

For SSH remote capture, there are four "tabs" in the dialog. If you select the "Capture" dialog, one option is "remote capture command"; that option specifies a command to run on the remote machine to do the capturing. If it's not specified, Wireshark constructs a tcpdump command; if it is, Wireshark just uses the command you specify.

The command should be something such as

tcpdump -i <interface> -s <packet size limit> '<filter>'

where <interface> is the name of the interface on the Linux machine, <packet size limit> is the packet size limit you want, and <filter> (the quotes around it are not always required, but they might be, so it's probably a Good Idea to use them) is the capture filter you want (if you want all packets, leave the filter, and the quotes around it, out). If you don't want to capture in promiscuous mode, add -p before '<filter>'; if you don't want to capture more than some number of packets, add -c <packet count>, where <packet count> is the maximum number of packets, before '<filter>'.

And please file an issue about the inability to specify snapshot lengths to various extcaps on the Wireshark issue list.

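The command composition the answer describes, as an added example that is not from the Wireshark project or the answerer: a small Python builder that assembles the "remote capture command" string with a snapshot length, the optional -p and -c switches, and the -U -w - ending the SSH extcap needs to stream pcap over stdout. Because the string is handed to the remote host's shell, the filter is shell-quoted and the interface name is checked; the 262144-byte ceiling and the tcpdump path are assumptions.

```python
import re
import shlex

# Constructed example, not Wireshark code: builds the tcpdump command line that
# the SSH remote capture extcap runs on the Linux host.
IFACE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,15}$")  # Linux interface name rules (assumed)
MAX_SNAPLEN = 262144                                # assumed upper bound for -s


def build_remote_capture_command(interface, snaplen, capture_filter=None,
                                 promiscuous=True, packet_count=None,
                                 tcpdump_path="/usr/sbin/tcpdump"):
    """Return the command string for the extcap's 'remote capture command' field.

    -s limits bytes kept per packet (the snapshot length the dialog lacks),
    -U -w - streams pcap to stdout unbuffered so Wireshark can read it over SSH.
    The capture filter is shell-quoted because the remote shell executes this string.
    """
    if not IFACE_RE.match(interface):
        raise ValueError(f"suspicious interface name: {interface!r}")
    if not 0 <= snaplen <= MAX_SNAPLEN:  # 0 lets tcpdump use its default length
        raise ValueError(f"snaplen must be between 0 and {MAX_SNAPLEN} bytes")
    parts = [tcpdump_path, "-i", interface, "-s", str(snaplen), "-U", "-w", "-"]
    if not promiscuous:
        parts.append("-p")
    if packet_count is not None:
        if packet_count < 1:
            raise ValueError("packet_count must be positive")
        parts += ["-c", str(packet_count)]
    if capture_filter:
        # shlex.quote wraps anything the shell could interpret in single quotes
        parts.append(shlex.quote(capture_filter))
    return " ".join(parts)


if __name__ == "__main__":
    print(build_remote_capture_command("br-lan", 200))
    print(build_remote_capture_command("eth0", 96, "port 22",
                                       promiscuous=False, packet_count=100))
```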

Comments

Thank you very much, Harris! I typed this as the remote capture command; it seems to be working well:

/usr/sbin/tcpdump -i br-lan -s200 -U -w -
Sonic ( 2022-08-04 08:34:57 +0000 )


Stats

Asked: 2022-08-04 04:31:56 +0000

Seen: 314 times

Last updated: Aug 04 '22