Does anyone have a simple filter for capturing headers only.
asked 19 May '11, 05:37
You can try to go with slicing the frames to the first # of bytes, but there is no simple filter that will exactly capture certain headers only afaik.
Just open the capture options and put a check mark next to "Limit each packet to" and put in the number of bytes you want to capture. Usually you should go for at least 54 bytes (14 bytes Ethernet header, 20 IP, 20 TCP, unless IP or TCP are using a lot of optional "Option" headers). For SMB and other higher protocol header you'll need to go for 128 or even more bytes.
answered 19 May '11, 05:46