
How Do I Collect Wireshark Logs?

Published Aug 29, 2025

Collecting Wireshark logs is a multi-step process that requires careful configuration to ensure you capture the specific network traffic you need.

The following guide provides a detailed walkthrough, from installation and setup to filtering and saving your capture files for analysis.

Step 1: Install Wireshark

First, you must download and install the Wireshark application on the computer you will use for the capture.

  1. Download: Go to the official Wireshark website at www.wireshark.org and download the installer for your operating system (Windows, macOS, or Linux).
  2. Install: Run the installer and follow the on-screen instructions. For Windows users, the installer includes Npcap, the recommended packet capture driver. Make sure to select all the default components for installation. You may need to reboot your system after installation.

Step 2: Prepare for your capture

Before you begin, you should minimize unnecessary network activity to reduce noise in your capture.

  1. Close applications: Close any applications that generate a lot of network traffic but are not relevant to your troubleshooting, such as streaming services, cloud backup tools, or instant messengers.
  2. Identify the network interface: On the Wireshark home screen, you will see a list of network interfaces, such as Wi-Fi and Ethernet. Identify the one your computer is actively using. This is typically indicated by a small, live-updating graph next to the interface name.

Step 3: Start the capture

You have two main methods for starting a capture, depending on whether you want to filter your traffic before or after the fact.

Method 1: Start a wide-open capture

This method is the simplest and will capture all traffic on the selected interface.

  1. Double-click the interface: On the Wireshark home screen, simply double-click the network interface you identified in the previous step. The capture will begin immediately, and you will see packets populating the main window.
  2. Reproduce the issue: Perform the network action you need to troubleshoot, such as visiting a website or running a program that is experiencing connectivity issues.
  3. Stop the capture: Click the red square "Stop" button in the toolbar when you are finished.

Method 2: Use a capture filter

This method is more advanced but highly recommended for busy networks, as it reduces the size of your capture file by filtering out irrelevant traffic from the start. Packets that do not match a capture filter are never captured at all, so a filter that is too narrow cannot be corrected after the fact. Capture filters use Berkeley Packet Filter (BPF) syntax.

  1. Click "Capture Options": Instead of double-clicking the interface, click the gear icon to open the "Capture Options" dialog.
  2. Select the interface: Ensure your desired network interface is selected.
  3. Enter a capture filter: Type your filter expression into the "Capture filter for selected interfaces" field. The field will turn green if the syntax is valid or red if there is an error. Common BPF filters include:
    • host 192.168.1.1: Captures traffic to and from a specific IP address.
    • port 80: Captures traffic for a specific port.
    • tcp port 443: Captures TCP traffic for a specific port (like HTTPS).
    • icmp: Captures only ICMP (e.g., ping) traffic.
  4. Click "Start": Begin the capture with your filter applied.

Step 4: Analyze and save the log

After stopping the capture, you must save the data to a file.

  1. Apply a display filter (optional): If you performed a wide-open capture, you can use display filters to narrow down your view of the captured packets. Unlike capture filters, display filters only affect what is shown in the Wireshark window, not what is saved to the file.
    • Filter bar: Type your display filter into the bar above the packet list. The filter ip.addr == 192.168.1.1 will show traffic related to that IP (packets where it is either the source or the destination), while tcp.port == 80 will show traffic on TCP port 80 (typically HTTP).
    • Right-click: You can also right-click a packet and choose "Apply as Filter" to create a filter based on that packet's characteristics.
  2. Save the capture file:
    • Go to File > Save As.
    • Choose a location and a descriptive filename.
    • Ensure the file type is set to .pcapng. This is the default and recommended format, as it can store more metadata and handle multiple interface captures better than the older .pcap format.
  3. Export specific packets (optional): If you only need a portion of the capture, you can select specific packets in the main window, then go to File > Export Specified Packets... to save just those to a new file.
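To show concretely what the .pcapng format stores that the older .pcap format cannot, here is a minimal pcapng writer and reader added for this article (constructed demo code, not Wireshark's own code). It emits only the three block types needed, Section Header, Interface Description and Enhanced Packet, registers two interfaces, and reads the file back to count packets per interface; the interface count and packet contents are constructed sample values.

```python
"""Minimal pcapng writer/reader demo (constructed example, not Wireshark's code)."""
import struct

# Block type codes from the pcapng specification
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006

def _block(btype, body):
    # Pad the body to a 4-byte boundary; total length counts the
    # 8-byte header and the 4-byte trailing length field
    body += b"\0" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def build_pcapng(packets):
    """packets: list of (interface_id, timestamp, payload_bytes).
    Writes one section with two Ethernet interfaces (constructed sample)."""
    # Byte-order magic, version 1.0, unknown section length (-1)
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    # Two IDBs: linktype 1 (Ethernet), reserved, snaplen 65535
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # interface 0
    out += _block(IDB, struct.pack("<HHI", 1, 0, 65535))  # interface 1
    for iface, ts, data in packets:
        # EPB header: interface id, timestamp high/low, captured len, original len
        hdr = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(data), len(data))
        out += _block(EPB, hdr + data)
    return out

def read_pcapng(buf):
    """Yield (block_type, body) for each block, validating both length fields."""
    off = 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer, = struct.unpack_from("<I", buf, off + total - 4)
        if trailer != total:
            raise ValueError(f"trailer length mismatch at offset {off}")
        yield btype, buf[off + 8:off + total - 4]
        off += total

def packets_per_interface(buf):
    """Count EPBs by interface id; this per-packet interface id is what
    lets pcapng hold a multi-interface capture in one file."""
    counts, n_ifaces = {}, 0
    for btype, body in read_pcapng(buf):
        if btype == IDB:
            n_ifaces += 1
        elif btype == EPB:
            iface, = struct.unpack_from("<I", body, 0)
            if iface >= n_ifaces:
                raise ValueError(f"EPB references undefined interface {iface}")
            counts[iface] = counts.get(iface, 0) + 1
    return counts
```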

For long-duration or automated captures

If you need to run a capture for an extended period, you should configure it to automatically save files in a ring buffer, so that no single file grows too large to open or exhausts disk space and crashes your system.

  1. Open Capture Options: Go to Capture > Options....
  2. Go to the "Output" tab:
    • Check the box for "Create a new file automatically after...".
    • Set a size or time limit for each file (e.g., 50 megabytes or 30 minutes).
    • Choose a directory for the output files and a filename template.
  3. Go to the "Stop Condition" tab:
    • You can set a condition for the entire capture session to stop, such as a maximum total file size or duration.