Wireshark 3.0 Tips / Tricks #5 – Setting up a Long-Term Capture (Ring Buffers)

Setting up a Long-Term Capture (Ring Buffers)

 By Phill “Sherlock” Shade

Regardless of the discipline, nothing strikes fear and despair into the heart of an Engineer faster than hearing the words “Random” or “Intermittent” uttered while describing an issue.  However, in the packet world, these words are not necessarily cause for despair, assuming you know what to do of course.

The answer lies within a seldom visited section of Wireshark known as the “Capture Options”. Numerous times, the proper use of this feature has turned a seemingly impossible investigation into a simple exercise in patience.

  1. Locate “Capture Options”:

  2. Select the correct adapter for the capture:

(Note – This is perhaps where the most common mistake is made, so pay special attention and ensure you have the correct adapter selected)

  3. Configure the Ring Buffer parameters as shown below:

(Note – The settings you choose will depend on a number of factors such as: storage location, storage space available, desired window of data to be collected, etc. Expect to spend some time experimenting to determine the optimum mix of settings for your unique requirements.)
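The same ring buffer can be run without the GUI using dumpcap, the capture tool shipped with Wireshark. The script below is an added example, not part of the original article: it sizes the ring from a disk budget, estimates the time window it holds, and prints the matching command. The interface name, directory, budget and average traffic rate are constructed assumptions.

```shell
#!/bin/sh
# Added example: size a ring buffer from a disk budget and print the dumpcap
# command. Interface, directory, budget and traffic rate are assumed values.

# Ring files that fit in the budget (floor division, at least 2 so it can rotate).
ring_files() {    # $1 = budget in MB, $2 = size of each file in MB
    n=$(( $1 / $2 ))
    if [ "$n" -lt 2 ]; then n=2; fi
    echo "$n"
}

# Whole minutes of traffic the ring holds at an average rate before the
# oldest file is overwritten.
ring_window_min() {    # $1 = files, $2 = file MB, $3 = average Mbit/s
    echo $(( $1 * $2 * 8 / $3 / 60 ))
}

# Succeeds only if the capture directory has at least the budget free.
fits_on_disk() {    # $1 = directory, $2 = budget in MB
    free_mb=$(df -Pk "$1" | awk 'NR==2 { print int($4 / 1024) }')
    [ "$free_mb" -ge "$2" ]
}

# dumpcap ring options: -b filesize:<kB> rotates on size, -b files:<n> caps the
# number of files kept, so the oldest is deleted once the ring is full.
ring_command() {    # $1 = interface, $2 = directory, $3 = files, $4 = file MB
    echo "dumpcap -i $1 -b filesize:$(( $4 * 1000 )) -b files:$3 -w $2/ring.pcapng"
}

IFACE=eth0        # assumption: list the real adapters with `dumpcap -D`
DIR=/tmp          # assumption: capture directory
BUDGET_MB=4000    # assumption: disk space reserved for the ring
FILE_MB=100       # assumption: size of each ring file
AVG_MBIT=20       # assumption: average traffic rate on the link

FILES=$(ring_files "$BUDGET_MB" "$FILE_MB")
if fits_on_disk "$DIR" "$BUDGET_MB"; then
    echo "ring: $FILES x $FILE_MB MB, about $(ring_window_min "$FILES" "$FILE_MB" "$AVG_MBIT") min at $AVG_MBIT Mbit/s"
    ring_command "$IFACE" "$DIR" "$FILES" "$FILE_MB"
else
    echo "not enough free space in $DIR for a $BUDGET_MB MB ring" >&2
fi
```

The script only prints the command; run the printed line with capture privileges once the interface and directory are correct.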

I hope that you found this information useful! This technique and many others are covered in our class “TCP/IP Analysis and Troubleshooting with Wireshark”. For additional information on this class and our numerous other offerings, please see our website, https://www.cybersecurityinstitute.eu/, and look under the Courses Menu.