Ping packets should use an ICMP type of 8 (echo) or 0 (echo reply), so you could use a capture filter of:
icmp
and a display filter of:
icmp.type == 8 || icmp.type == 0
For HTTP, you can use a capture filter of:
tcp port 80
or a display filter of:
tcp.port == 80
or:
http
Note that a filter of http is not equivalent to the other two, which will include handshake and termination packets.
If you want to measure the number of connections rather than the amount of data, you can limit the capture or display filters to one side of the communication. For example, to capture only packets sent to port 80, use:
dst tcp port 80
Couple that with an http display filter, or use:
tcp.dstport == 80 && http
For more on capture filters, read "Filtering while capturing" from the Wireshark user guide, the capture filters page on the Wireshark wiki, or pcap-filter (7) man page. For display filters, try the display filters page on the Wireshark wiki. The "Filter Expression" dialog box can help you build display filters.
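To make the difference between these filters concrete, here is a small evaluator that applies the same display-filter expressions to a constructed set of decoded packets (an added example, not code from the answer above or from Wireshark's own filter engine). The packet dicts, the field names and the "&& binds tighter than ||" rule are assumptions chosen to mirror the filters above; real Wireshark filters support far more syntax.

```python
"""Minimal Wireshark-style display-filter evaluator over constructed packets."""

# Constructed sample packets: one ping exchange plus one HTTP connection to
# port 80 (SYN, SYN/ACK, request, response, FIN). Not a real capture.
PACKETS = [
    {"proto": ["eth", "ip", "icmp"], "icmp.type": 8},   # echo request
    {"proto": ["eth", "ip", "icmp"], "icmp.type": 0},   # echo reply
    {"proto": ["eth", "ip", "icmp"], "icmp.type": 3},   # destination unreachable
    {"proto": ["eth", "ip", "tcp"], "tcp.srcport": 51000, "tcp.dstport": 80,
     "tcp.flags.syn": 1},                               # handshake: SYN
    {"proto": ["eth", "ip", "tcp"], "tcp.srcport": 80, "tcp.dstport": 51000,
     "tcp.flags.syn": 1},                               # handshake: SYN/ACK
    {"proto": ["eth", "ip", "tcp", "http"], "tcp.srcport": 51000,
     "tcp.dstport": 80},                                # HTTP request
    {"proto": ["eth", "ip", "tcp", "http"], "tcp.srcport": 80,
     "tcp.dstport": 51000},                             # HTTP response
    {"proto": ["eth", "ip", "tcp"], "tcp.srcport": 51000, "tcp.dstport": 80,
     "tcp.flags.fin": 1},                               # termination: FIN
]


def _term(term, pkt):
    """Evaluate one comparison ("field == value") or protocol presence test."""
    term = term.strip()
    if "==" in term:
        field, value = (s.strip() for s in term.split("==", 1))
        if field == "tcp.port":  # tcp.port matches either direction
            return int(value) in (pkt.get("tcp.srcport"), pkt.get("tcp.dstport"))
        return pkt.get(field) == int(value)
    # A bare protocol name means "this layer is present in the packet".
    return term in pkt["proto"]


def matches(expr, pkt):
    """True if pkt satisfies expr; && binds tighter than ||, no parentheses."""
    return any(all(_term(t, pkt) for t in clause.split("&&"))
               for clause in expr.split("||"))


def count(expr, packets=PACKETS):
    """Number of packets a display filter would show."""
    return sum(1 for p in packets if matches(expr, p))


if __name__ == "__main__":
    for f in ("tcp.port == 80", "http", "tcp.dstport == 80 && http",
              "tcp.dstport == 80 && tcp.flags.syn == 1"):
        print(f"{f!r}: {count(f)} packets")
```

Counting "tcp.dstport == 80 && tcp.flags.syn == 1" gives one packet per connection attempt, which is the "number of connections rather than amount of data" measurement described above.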
Using Wireshark 1.2 I would just recommend making .BAT file scripts that do your job for you. It's a good way of saving your settings:
:: Script to save a wireshark trace
:: tshark -D to get interface id
@echo off
C:
cd C:\Temp\NetTracing
set PATH=%PATH%;C:\Program Files\Wireshark
echo Tracing host 127.1 or 172.1.1.1 or 10.0.0.1
:: -i 4: interface id from tshark -D; -a duration:900: stop after 15 minutes
:: -f: capture filter; "and" binds no tighter than "or" in pcap-filter, so the
:: host list is parenthesised to keep the tcp restriction on all three hosts
tshark.exe -i 4 -a duration:900 -S -f "tcp and (host 127.1 or 172.1.1.1 or 10.0.0.1)" -w trace.cap
:: rename the trace with todays timestamp
:: (token positions assume the English "date /t" and "time" output format)
set tdtd=none
set ttrn=none
set arg="%1"
for /F "tokens=2-4 delims=/ " %%i in ('date /t') do set tdtd=%%i%%j%%k
for /F "tokens=5-8 delims=:. " %%i in ('echo.^| time ^| find "current" ') do set ttrn=%%i%%j%%k%%l
set tufn="trace_%tdtd%%ttrn%.cap"
:: now archive the file
copy trace.cap %tufn%
del trace.cap
echo %tufn% > trace.log
echo Trace file %tufn% saved at %CD%
:: pause ~30 seconds before exiting
ping localhost -n 30 >nul
Best Answer
For Windows environments (like mine, where it is a big deal to install Wireshark on a server), ever since Win7/2008R2 there has been built-in packet capture available.
This will capture everything until you tell it to stop:
netsh trace start capture=yes persistent=yes tracefile=c:\temp\results.etl
Monitor the trace:
netsh trace show status
Stop the trace:
netsh trace stop
It does support all the usual: filtering, circular logging, and it can even persist across reboots. Another plus is the command help: try
netsh trace ?
or:
netsh trace show ?
You do need to install Microsoft Message Analyzer to view/export the results. It seems like for your situation you'd be set with the below command:
netsh trace start capture=yes persistent=yes tracefile=c:\temp\results.etl maxSize=500
That will give you circular logging with 500MB files, and persist across reboots.