WEBVTT

00:00.300 --> 00:04.950
In this lecture, we are going to cover two interesting topics.

00:04.980 --> 00:13.260
One, how to automatically split packets into multiple files during Wireshark capture session.

00:13.260 --> 00:20.480
And two, how to automatically stop capturing packets based on different parameters.

00:20.490 --> 00:21.010
Right?

00:21.030 --> 00:26.010
So let's start with splitting packets into multiple files.

00:26.040 --> 00:33.480
Wireshark files can easily get very large, right, when you start capturing packets.

00:33.510 --> 00:41.940
Your capture file size can easily go in hundreds of megabytes or even in gigabytes.

00:41.970 --> 00:42.510
Right?

00:42.540 --> 00:51.240
Once your capture size goes beyond 500 megabytes, then Wireshark starts slowing down.

00:51.450 --> 00:53.970
Large files create problems.

00:54.060 --> 01:02.970
When you open a large file of, let's say, 500 megabytes or one gigabyte, then your Wireshark will

01:02.970 --> 01:04.790
not work properly.

01:04.800 --> 01:10.830
It will slow down, and you might experience frequent crashes as well.

01:10.860 --> 01:21.090
So to manage large files effectively, Wireshark allows us to save captured packets into multiple files

01:21.090 --> 01:24.360
automatically during the capture session.

01:24.390 --> 01:31.350
We can restrict how many packets we want to save in a single file.

01:31.380 --> 01:33.740
Wireshark does it automatically.

01:33.750 --> 01:36.000
Now let's do it practically.

01:36.000 --> 01:41.860
So go to Capture, click on Options, and now click on the Output tab here.

01:41.880 --> 01:43.140
Click on the button.

01:43.140 --> 01:45.810
"Create a new file automatically".

01:46.200 --> 01:49.060
Options below it have been enabled.

01:49.110 --> 01:56.770
Right now we can create a new file automatically based on these available parameters.

01:56.820 --> 01:57.150
Right.

01:57.150 --> 01:59.880
We will go through each option.

01:59.880 --> 02:03.240
So let's start with the first option.

02:03.240 --> 02:04.720
So click on the button.

02:04.740 --> 02:09.660
Now this option creates a new file automatically

02:09.660 --> 02:19.320
when Wireshark saves the specified number of packets in a file. The default number is 100,000.

02:19.320 --> 02:23.430
So let me put, let's say 500 in this box.

02:23.460 --> 02:29.640
Now, Wireshark is going to save 500 packets in every file.

02:29.670 --> 02:39.540
After saving 500 packets in a file, then Wireshark will automatically create a new file and save next

02:39.540 --> 02:41.800
500 packets there.

02:41.820 --> 02:50.080
So, guys, whatever number you put in here, Wireshark is going to save that many packets in a file.

02:50.100 --> 02:52.860
Then it will switch to the next file.

02:52.920 --> 02:59.360
Right now, we have to specify the destination where the files will be saved.

02:59.430 --> 03:01.710
So go to the Browse.

03:01.740 --> 03:05.310
Now, give a base name to your file.

03:05.370 --> 03:06.510
Let's say "base".

03:06.750 --> 03:12.290
Now, Wireshark is going to save files in the following format.

03:12.330 --> 03:15.490
First file will be saved with something like this.

03:15.510 --> 03:21.600
Base one, then the second file base two, the third base three, then base four.

03:21.600 --> 03:22.380
So on.

03:22.380 --> 03:28.850
Right now click on Save and you can choose the output format.

03:28.860 --> 03:30.990
The default is pcapng.

03:31.140 --> 03:33.540
You can also go for pcap as well.

03:33.540 --> 03:36.360
I'm going to let it be pcapng.

03:36.360 --> 03:42.450
Then you can choose whether you want to compress the files or not.

03:42.480 --> 03:46.350
If you want to compress, then click on gzip. Right? Again,

03:46.350 --> 03:53.340
I'm going to go with the default setup now. Before starting the capture session,

03:53.340 --> 03:59.490
make sure that you have selected the interface right now.

03:59.490 --> 04:00.930
Click on Start.

04:02.800 --> 04:08.440
As you can see, Wireshark is automatically creating and switching files.

04:08.580 --> 04:15.580
Okay, now let me stop the session and check whether new files have been created or not.

04:17.150 --> 04:20.720
As you can see, these files have been created.

04:20.750 --> 04:26.760
Right now, let's check the number of packets saved in every file.

04:26.780 --> 04:31.770
So let me open the first file and click on the down arrow.

04:31.790 --> 04:37.640
As you can see, guys, inside this file, I have exactly 500 packets.

04:37.760 --> 04:39.920
Let me check another file.

04:40.370 --> 04:42.200
Second file.

04:42.320 --> 04:47.210
And inside this file also, we should have 500 packets.

04:47.240 --> 04:47.810
Right.

04:48.140 --> 04:54.110
So, guys, Wireshark did exactly what we told it to do.

04:54.140 --> 04:57.390
Save 500 packets in every file.

04:57.410 --> 05:02.380
As you can see down here, each file is going to have 500 packets.

05:02.390 --> 05:03.020
Right?

05:03.080 --> 05:06.290
Now I'm going to demonstrate the second option.

05:06.290 --> 05:11.120
So let me select the first option and click on the second option.

05:11.180 --> 05:20.400
Now, this option creates a new file automatically when your file exceeds the specified size.

05:20.430 --> 05:20.900
Right.

05:20.900 --> 05:24.610
So let me put in here, let's say 200.

05:24.620 --> 05:35.200
Now, Wireshark is going to create a new file automatically when your file size becomes 200 kilobytes,

05:35.210 --> 05:42.260
and it will keep repeating it as long as Wireshark is capturing the packets.

05:42.320 --> 05:46.820
Right now, the default selected option is kilobytes.

05:47.000 --> 05:51.050
We can also go for megabytes and gigabytes as well.

05:51.080 --> 05:52.550
Click on a dropdown.

05:52.670 --> 05:53.030
Right.

05:53.030 --> 05:56.450
As you can see, we have megabytes and gigabytes as well.

05:56.480 --> 06:00.260
I'm going to switch back to the default kilobytes.

06:00.290 --> 06:08.090
Again, we have to specify the destination where you want to save the files.

06:08.300 --> 06:13.370
Here again, you have to give a base name to your file: base.

06:13.400 --> 06:14.810
Click on Save.

06:15.170 --> 06:18.440
Make sure that you have selected the interface.

06:18.830 --> 06:21.230
Now let me click on Start Button.

06:22.720 --> 06:26.540
And as you can see, files are being automatically generated.

06:26.710 --> 06:31.640
Right now, let me stop the session and check the files.

06:31.650 --> 06:34.380
So go to the file, click on Open.

06:36.330 --> 06:45.340
As you can see, Wireshark has created six files. The file size of the first file is 195 kilobytes.

06:45.360 --> 06:48.540
The size of the second file is 196 kilobytes.

06:48.540 --> 06:53.330
So the size of each file is close to 200 kilobytes.

06:53.340 --> 06:57.570
The actual size on the disk is 200 kilobytes.

06:57.720 --> 07:07.440
Again, whatever size you put in here, Wireshark is going to create a new file after saving the specified

07:07.440 --> 07:10.530
number of kilobytes in the file.

07:10.800 --> 07:15.390
Now, guys, you can try next two options by yourself.

07:15.420 --> 07:17.520
They are very simple.

07:17.520 --> 07:28.110
So the third option is basically going to create a new file after capturing packets for the specified time.

07:28.200 --> 07:31.520
Let me put in, let's see, ten here.

07:31.530 --> 07:36.920
Now, Wireshark is going to capture packets for 10 seconds.

07:36.930 --> 07:40.140
Then after that it will create a new file.

07:40.170 --> 07:51.030
So Wireshark creates a new file every 10 seconds. Now that we have learned how to evenly distribute

07:51.030 --> 07:53.470
packets into multiple files.

07:53.490 --> 08:02.010
Now let's move to auto stop, meaning how to automatically stop capturing packets, right?

08:02.010 --> 08:04.970
So click on options.

08:04.980 --> 08:12.270
Now here, as you can see, "Stop capture automatically after" is based on these different parameters.

08:12.270 --> 08:18.300
So let me select the first option and let me put in here, let's say 1000.

08:18.330 --> 08:27.870
Now Wireshark is automatically going to stop capturing packets after it captures 10,000 packets or whatever

08:27.870 --> 08:30.060
number you put in here.

08:30.060 --> 08:30.660
Right.

08:30.900 --> 08:37.320
So I'm going to go back to Output and deselect this option for now, "Create a new file automatically".

08:37.590 --> 08:39.570
Now let me click on Start.

08:42.030 --> 08:46.110
As you can see, guys, after capturing 1000 packets,

08:46.140 --> 08:48.450
Wireshark automatically stopped.

08:48.660 --> 08:49.280
Right?

08:49.290 --> 08:54.810
So this is exactly what I told Wireshark to do, right?

08:54.840 --> 08:58.710
Stop automatically after capturing a thousand packets.

08:58.920 --> 09:02.460
Now let's move to the next option.

09:02.460 --> 09:08.010
I'm going to select the first one and select the second option, Files.

09:08.040 --> 09:18.270
Wireshark is automatically going to stop capturing packets after creating the specified number of files.

09:18.390 --> 09:20.050
Default number is one.

09:20.070 --> 09:22.740
Now, let me put here, let's say five.

09:22.770 --> 09:30.450
Now, to make this option work, we have to coordinate with this feature, "Create a new file automatically".

09:30.450 --> 09:32.190
So we have to enable it.

09:32.220 --> 09:35.790
Now, here we have to choose one of these options.

09:35.790 --> 09:38.280
So I'm going to go with the first option.

09:38.490 --> 09:43.320
I'm going to put 200 packets in every file.

09:43.380 --> 09:45.450
Right now, what is Wireshark going to do?

09:45.480 --> 09:53.250
Wireshark will create a new file automatically after saving or capturing 200 packets.

09:53.280 --> 09:53.730
Right.

09:53.730 --> 10:03.870
And when it creates five files or whatever number you specify here, then Wireshark is going to automatically

10:03.870 --> 10:06.310
stop capturing the packets.

10:06.330 --> 10:13.860
Right now, again, we have to specify the location for saving the files: base.

10:14.280 --> 10:15.690
Click on Save.

10:15.870 --> 10:18.420
Now let me start capturing packets.

10:21.690 --> 10:25.320
As you can see, Wireshark has automatically stopped.

10:25.590 --> 10:30.570
Now, let's actually check the output options.

10:30.570 --> 10:31.530
Output.

10:32.230 --> 10:37.550
As you can see, guys, Wireshark created exactly five files.

10:37.570 --> 10:40.360
After that, it automatically stopped.

10:40.610 --> 10:47.830
All right, so this is exactly what we instructed Wireshark to do here.

10:47.860 --> 10:57.820
Stop Wireshark automatically after creating five files, and each file should have 200 packets.

10:57.940 --> 11:00.990
Then we have a last option.

11:01.000 --> 11:07.870
If you click on it now, put in a number, let's say 100.

11:07.960 --> 11:18.100
Now, Wireshark is automatically going to stop capturing packets when it runs for 100 seconds.

11:18.130 --> 11:22.270
After that, it will automatically stop capturing packets.

11:22.300 --> 11:27.130
Of course, you can go with the minutes or hours as well.
