Capturing live network data is one of the major features of Wireshark.
The Wireshark capture engine provides the following features:
- Capture from different kinds of network hardware such as Ethernet or 802.11.
- Simultaneously capture from multiple network interfaces.
- Stop the capture on different triggers such as the amount of captured data,
elapsed time, or the number of packets.
- Simultaneously show decoded packets while Wireshark is capturing.
- Filter packets, reducing the amount of data to be captured. See
Section 4.10, “Filtering while capturing”.
- Save packets in multiple files while doing a long-term capture, optionally
rotating through a fixed number of files (a “ringbuffer”). See
Section 4.8, “Capture files and file modes”.

The capture engine still lacks the following features:

- Stop capturing (or perform some other action) depending on the captured data.