Limit Capture Size in Tshark

Introduction

In this lab, you will learn to control packet capture size in Wireshark using Tshark commands. You'll explore two essential techniques: limiting total packets with -c 500 and restricting packet length with -s 128 to capture only headers while saving storage space.

Through practical exercises on the eth1 interface, you'll capture traffic into limited.pcap and observe how different settings affect your captures. This hands-on experience will help you optimize packet collection for various analysis scenarios.

Set Packet Count with -c 500

In this step, you'll learn how to control packet capture duration by limiting the number of packets Tshark collects. Tshark is the command-line version of Wireshark, ideal for automated captures. The -c option is particularly valuable when you need a representative sample of network traffic without overwhelming your system with continuous capture.

Begin by opening the terminal in your LabEx VM. The system automatically places you in the correct working directory (~/project), so you can start immediately.
The command structure uses this basic pattern:
```
tshark -c [number] [other options]
```
Here, [number] determines exactly when the capture stops by specifying the maximum packets to collect. This prevents indefinite runs that could fill your storage.
First, let's identify available network interfaces. Run the following command:
```
tshark -D
```
You will see a list of interfaces, similar to this:
```
1. eth0
2. eth1 (Dummy interface)
3. any
4. lo (Loopback)
...
```
We will use eth1 for our captures, as it's a dummy interface created for this lab to ensure consistent traffic generation.
Let's capture 500 packets as our main exercise. Execute this command:
```
tshark -c 500 -i eth1
```
The sudo command is required because packet capture needs administrative privileges. This tells tshark to monitor the eth1 network connection.
To generate some traffic for tshark to capture, open a new terminal tab (or split the current terminal) and run the following command:
```
ping -c 10 google.com
```
This will send 10 ICMP packets to google.com, creating network activity on eth1 that tshark can capture.

As packets flow, you'll see real-time output in the tshark terminal. After exactly 500 packets, tshark automatically terminates. The output will look similar to this (though it will be much longer for 500 packets):

Capturing on 'eth1'
    1 0.000000000 192.168.X.X -> 142.250.X.X ICMP 84 Echo (ping) request  id=0xXXXX, seq=1/256, ttl=64 (reply in 2)
    2 0.000000000 142.250.X.X -> 192.168.X.X ICMP 84 Echo (ping) reply    id=0xXXXX, seq=1/256, ttl=117 (request in 1)
... (many more lines)
500 packets captured

Before the full 500-packet capture, test with a smaller sample to understand the mechanism. This 10-packet trial helps verify your setup:
```
tshark -c 10 -i eth1
```
Remember to generate traffic in another terminal while this command is running.

Define Snapshot Length with -s 128

In this step, you will learn how to set the snapshot length (snaplen) when capturing packets using the -s option in Tshark. This determines how much of each packet is captured, with 128 bytes being a common value that captures packet headers while conserving storage space. The snapshot length is particularly useful when you only need packet headers for analysis rather than full packet contents.

First, ensure you're in the default working directory ~/project in your terminal. This is where we'll run all our capture commands to keep things organized.
The snapshot length option (-s) limits how much of each packet is captured by specifying the number of bytes to record. Smaller values save disk space but may miss important payload data. The basic syntax is:
```
tshark -s [length] [other options]
```
Let's capture packets with a snapshot length of 128 bytes combined with the packet count from the previous step. This command will capture the first 128 bytes of each packet until it reaches 500 packets:
```
tshark -c 500 -s 128 -i eth1
```
Remember to generate traffic in a separate terminal (e.g., ping -c 10 google.com) while tshark is running.
You'll see output showing the first 128 bytes of each packet. The capture will automatically stop after 500 packets as specified by the -c option. This combination helps manage both capture size and duration. The output will be similar to the previous step, but the packet details might be truncated if they exceed 128 bytes.
```
Capturing on 'eth1'
    1 0.000000000 192.168.X.X -> 142.250.X.X ICMP 84 Echo (ping) request  id=0xXXXX, seq=1/256, ttl=64 (reply in 2)
... (many more lines)
500 packets captured
```
To better understand how snapshot length affects captures, try these comparison commands. Notice how the amount of data displayed changes with different -s values. Remember to generate traffic for each command.
```
tshark -c 5 -s 64 -i eth1 ## Captures only 64 bytes per packet
tshark -c 5 -s 0 -i eth1  ## Captures entire packets (default)
```
The -s 0 setting tells tshark to capture the full packet, which is useful when you need complete packet contents but consumes more storage space.

Capture Traffic with -i eth1

In this step, we'll focus on capturing network traffic from a specific interface using Tshark's -i option. Network interfaces are the physical or virtual connections your computer uses to communicate with networks. When you have multiple interfaces (like Wi-Fi and Ethernet), specifying the correct one is crucial for targeted packet analysis.

Open your terminal and navigate to the working directory:
```
cd ~/project
```
The -i flag tells Tshark which network interface to monitor. The basic command structure is:
```
tshark -i [interface] [other options]
```
Here, [interface] should be replaced with your actual interface name, typically eth1 for our lab environment.
Now let's combine this with what we've learned about packet limits (-c) and snapshot length (-s). This command will capture 500 packets from the eth1 interface, saving only the first 128 bytes of each packet:
```
tshark -c 500 -s 128 -i eth1
```
The sudo is required because packet capture needs administrative privileges.
To generate test traffic while capturing, open another terminal tab and run:
```
ping -c 3 google.com
```
This sends 3 ICMP packets to Google's servers, which should appear in your capture. Watching these known packets helps verify your capture is working correctly.
The capture will automatically stop after 500 packets, but you can manually stop it anytime by pressing:
```
Ctrl+C
```
This keyboard interrupt safely terminates the capture process while preserving any captured data.

Save to File with -w limited.pcap

In this step, you'll learn how to save captured network traffic to a file for later analysis. The -w option in Tshark creates a packet capture (pcap) file that preserves all the captured network data. This is particularly useful when you need to examine traffic patterns offline or share captures with colleagues.

Before starting, make sure your terminal is in the correct working directory. Type:
```
cd ~/project
```
This ensures all your capture files will be saved in the designated project folder.
The -w flag tells Tshark where to store the captured packets. The basic command structure is:
```
tshark -w [filename] [other options]
```
The filename should end with .pcap extension, which is the standard format for packet capture files.
Now let's combine all the options we've learned so far into a practical example. This command will:
- Capture exactly 500 packets (-c 500)
- Limit each packet to 128 bytes (-s 128)
- Listen on the eth1 interface (-i eth1)
- Save everything to a file called limited.pcap (-w limited.pcap)
```
tshark -c 500 -s 128 -i eth1 -w limited.pcap
```
While tshark is running, open another terminal window to generate some test traffic. These commands will create typical network activity:
```
ping -c 3 google.com
curl http://example.com
```
This simulated traffic will be captured by our running tshark session.
After capturing 500 packets (or press Ctrl+C to stop earlier), verify your capture file exists and check its size:
```
ls -lh limited.pcap
```
The output shows the file details including size and creation time, similar to this:
```
-rw-r--r-- 1 root root 56K Aug 10 XX:XX limited.pcap
```
To review your captured packets later, you have two main options:
- Using tshark (command-line):
```
tshark -r limited.pcap
```
  This displays the packet contents exactly as they were captured, allowing you to analyze the traffic at your convenience.
- Using wireshark (GUI):
  
  Note: You need to run this command in the Desktop Interface.
```
wireshark limited.pcap &
```
  This will open the limited.pcap file in the Wireshark graphical user interface, providing a more visual and interactive way to analyze the captured packets. The & at the end runs the command in the background, so you can continue using your terminal.

Summary

In this lab, you have learned to control packet capture size in Tshark using essential command-line parameters. You practiced limiting packet counts with -c 500 and restricting packet length with -s 128, observing how these options affect capture behavior and storage efficiency.

The exercises demonstrated combining these techniques with interface selection (-i eth1) for targeted traffic analysis. Through commands like tshark -c 500 -s 128 -i eth1 -w limited.pcap, you gained hands-on experience in applying multiple capture constraints simultaneously and saving the results for offline analysis using both tshark and wireshark.