This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture filter


I am not that computer literate and have lost tons of data to 'unknown' uploads and downloads. My service provider Afrihost encouraged me to download Wireshark. I have managed to do this, but on opening the program it asks for the 'capture filter'. I have no clue what this means or how to move forward from here. HELP! Please.

asked 29 Apr '16, 08:22

allandavidharvey

It depends on what you want to achieve, i.e. what is the ultimate goal of using Wireshark. The capture filter is not mandatory, so you can capture without specifying one; it becomes useful when you know exactly what you are doing, and you can afford to exclude some packets from the capture because you are sure you won't ever be interested in them.

(29 Apr '16, 10:52) sindy

One Answer:


OK, after a second reading I've understood that your goal is to find out what your PC has spent the data volume on. In that case, don't use any capture filter, and after capturing the traffic for a couple of minutes (for training) and then rather for hours, go to Statistics->Conversations->IPv4 to get a list of all conversations between your PC and other machines on the internet. Then sort these conversations by Bytes A->B and then by Bytes B->A, descending in both cases (by clicking on the column header twice), so that you can see the heaviest conversations at the top of the table. Then you'll want to find out what these conversations were actually good for.

From experience, the candidates for data hogs are

  • automatic software upgrades (of both the operating system and applications)

  • YouTube or other videos

  • some malware sending tons of spam from your PC

answered 29 Apr '16, 11:55

sindy
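For readers who would rather see what the Statistics->Conversations->IPv4 table computes than click through the GUI, here is an added, stand-alone Python example (not code from the original answer or from the Wireshark project). It builds a small libpcap file in memory from constructed frames (the addresses 192.168.0.10, 192.168.0.1, 203.0.113.5 and 198.51.100.7 and the "update server" / "upload" roles are invented for illustration), parses it with only the standard library, and produces the same per-host-pair frame and byte counts that the IPv4 tab shows, heaviest conversation first. Byte counts are whole-frame lengths, as in Wireshark; "Address A" is the address that appeared as source first, which is this example's own convention rather than a Wireshark rule.

```python
"""Re-create Wireshark's Conversations -> IPv4 table from a libpcap file (example code).

Everything here is constructed test data: no real traffic is read, and the
capture is built in memory so the script runs offline.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
LINKTYPE_ETHERNET = 1


def build_frame(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal Ethernet + IPv4 frame with a zero payload (constructed, checksum left 0)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + bytes(payload_len)


def build_pcap(frames) -> bytes:
    """Wrap frames in a classic little-endian libpcap container (magic 0xA1B2C3D4)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture() -> bytes:
    """Constructed capture: a PC doing a few DNS-sized exchanges, a big download
    from an 'update server', a small upload to another host, and one ARP frame."""
    pc, router, update_srv, upload_dst = "192.168.0.10", "192.168.0.1", "203.0.113.5", "198.51.100.7"
    frames = []
    frames += [build_frame(pc, router, 46), build_frame(router, pc, 46)] * 2      # 4 x 80-byte frames
    frames += [build_frame(pc, update_srv, 26)] * 3                                 # 3 x 60-byte requests
    frames += [build_frame(update_srv, pc, 1480)] * 20                              # 20 x 1514-byte replies
    frames += [build_frame(pc, upload_dst, 166)] * 5                                # 5 x 200-byte uploads
    frames.append(b"\xff" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_ARP) + bytes(28))  # not IPv4
    return build_pcap(frames)


def ipv4_conversations(pcap: bytes) -> list:
    """Return [(addr_a, addr_b, frames, bytes_a_to_b, bytes_b_to_a)] sorted by total bytes, descending."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng needs a different parser)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet link-layer captures")

    # key: (addr_a, addr_b) -> [frames, bytes a->b, bytes b->a]
    stats = {}
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < incl_len:
            break  # truncated last record
        # The IPv4 tab ignores ARP, IPv6 and anything too short to carry an IPv4 header.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        src = str(IPv4Address(frame[26:30]))
        dst = str(IPv4Address(frame[30:34]))
        if (dst, src) in stats:                 # reverse direction of a known conversation
            entry = stats[(dst, src)]
            entry[0] += 1
            entry[2] += orig_len
        else:                                   # new conversation, or same direction as first seen
            entry = stats.setdefault((src, dst), [0, 0, 0])
            entry[0] += 1
            entry[1] += orig_len

    rows = [(a, b, n, ab, ba) for (a, b), (n, ab, ba) in stats.items()]
    rows.sort(key=lambda r: r[3] + r[4], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"{'Address A':<15} {'Address B':<15} {'Frames':>6} {'Bytes A->B':>11} {'Bytes B->A':>11}")
    for a, b, n, ab, ba in ipv4_conversations(sample_capture()):
        print(f"{a:<15} {b:<15} {n:>6} {ab:>11} {ba:>11}")
```

On a real capture the same table comes from the GUI path in the answer, or on the command line from `tshark -r capture.pcap -q -z conv,ip`; the point of the offline version is to make clear that the numbers are nothing more than frame lengths summed per address pair, so the host at the top of the list is simply the one your PC exchanged the most bytes with, and identifying what that host is (update server, video CDN, or something you did not expect) is still a separate step.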