Chapter 3. Capturing All the Right Packets

In order to analyze packets to troubleshoot connectivity, performance, or security issues, you have to successfully capture all of the right packets and then identify and filter out just the packets that pertain to the goal at hand.

In this chapter, we will cover the following topics:

• Picking the best capture point
• TAPs and switch port mirroring
• Wireshark's capture interfaces, filters, and options
• Verifying a good capture
• Isolating the conversation(s) of interest
• Using the Wireshark Conversations window
• Wireshark's display filters
• Filtering expression buttons
• Following TCP/UDP/SSL streams
• Marking and ignoring packets
• Saving filtered traffic

You'll recognize that many of these activities are the same ones that we accomplished in Chapter 1, Getting Acquainted with Wireshark, to perform a capture and filter just the packets involved in loading a web page. In this chapter, we'll expand and finish rounding out your skills in all these topics.