This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to set up Wireshark to only capture IP headers, but no payload/data

0
1

Hi there,

Is it possible to configure Wireshark to only capture IP headers, no payload/data? If there is a way, can we set it as a default setting, and only the administrator of the PC should be able to change this setting. Is it possible? Please help advise.

Thank you very much.

asked 04 Nov '14, 20:49

pvsrnaidu
11122
accept rate: 0%


One Answer:

0

When configuring a capture on an interface you can limit the amount of bytes captured per packet. Setting this parameter just right allows you to get the IP headers you seek. Mind you, if there are additional fields in front of or in the IP header (like options), you have to accommodate for that amount as well. This causes inclusion of next protocol headers if these fields are not present. In short, the capture engine has no knowledge of where the IP header ends, hence cannot cut off capture at that point. (This would be an interesting item to engineer into the packet filter.)

These settings cannot be fixed in any way you described. From the looks of it, it seems as though you should look into other means to capture / sanitize your traffic before feeding it to Wireshark.

answered 05 Nov '14, 03:56

Jaap ♦
11.7k16101
accept rate: 14%
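
One way to do the sanitizing step the answer points to, as an added example that is not part of the original thread or of Wireshark: a post-capture pass that reads each packet's own IP header length and cuts the record there, which a fixed per-packet byte limit cannot do. It assumes a little-endian classic pcap file (not pcapng) with Ethernet link type; the function names and the sample frames are constructed for illustration.

```python
import struct

ETH_LEN, IPV4, IPV6, VLAN = 14, 0x0800, 0x86DD, 0x8100

def keep_length(frame: bytes) -> int:
    """Bytes to keep: Ethernet (plus VLAN tags) and the IP header with options."""
    if len(frame) < ETH_LEN:
        return len(frame)
    offset = ETH_LEN
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    while ethertype == VLAN and len(frame) >= offset + 4:
        ethertype = struct.unpack_from("!H", frame, offset + 2)[0]
        offset += 4
    if ethertype == IPV4 and len(frame) > offset:
        offset += max((frame[offset] & 0x0F) * 4, 20)  # IHL counts 32-bit words
    elif ethertype == IPV6:
        offset += 40  # fixed header only; extension headers are not followed
    return min(offset, len(frame))

def records(pcap: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame) from a little-endian classic pcap."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet link type")
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", pcap, pos)
        yield ts_sec, ts_usec, orig_len, pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def strip_payload(pcap: bytes) -> bytes:
    """Return a pcap whose records stop at the end of the IP header."""
    out = bytearray(pcap[:24])
    for ts_sec, ts_usec, orig_len, frame in records(pcap):
        kept = frame[:keep_length(frame)]
        out += struct.pack("<IIII", ts_sec, ts_usec, len(kept), orig_len) + kept
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed sample: two Ethernet/IPv4 frames, the second with IP options."""
    def frame(ihl_words: int) -> bytes:
        ip_header = bytes([0x40 | ihl_words]) + bytes(ihl_words * 4 - 1)
        return bytes(12) + struct.pack("!H", IPV4) + ip_header + b"SECRET-PAYLOAD"
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (frame(5), frame(6)):
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    for *_, orig_len, kept in records(strip_payload(sample_pcap())):
        print(f"kept {len(kept)} of {orig_len} bytes")
```

The original length field of each record is preserved, so Wireshark still shows how large the packet was on the wire while only the headers remain in the file.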