1
00:00:00,000 --> 00:00:07,880

2
00:00:07,880 --> 00:00:10,303
Ok, in our next module,

3
00:00:10,310 --> 00:00:12,967
we will talk about multiple files.

4
00:00:12,987 --> 00:00:18,992
Now, saving data, which we covered in the earlier module, is

5
00:00:18,992 --> 00:00:25,275
the way that you can select which file format you want to save your capture as.

6
00:00:25,270 --> 00:00:28,971
However, there may be times where you need to

7
00:00:28,971 --> 00:00:34,098
create very large capture files and that does not

8
00:00:34,098 --> 00:00:39,028
necessarily mean that the file itself needs to be one large capture file.

9
00:00:39,030 --> 00:00:42,672
It just means that you need to collect

10
00:00:42,672 --> 00:00:46,731
or record or capture a large amount of data

11
00:00:46,731 --> 00:00:49,944
and one of the easiest ways to do that is to

12
00:00:49,944 --> 00:00:57,278
create a capture where it's going and dropping that information into multiple smaller files

13
00:00:57,278 --> 00:01:02,660
so that you can, let's say, run a capture for 2 hours.

14
00:01:02,660 --> 00:01:08,171
And you only want to have an x amount of data or x amount of files or

15
00:01:08,171 --> 00:01:11,776
stop after a certain amount of files or data.

16
00:01:11,776 --> 00:01:17,030
And the way that you can do that is by slicing up your capture files.

17
00:01:17,030 --> 00:01:23,680
So we talked about this on day 1 and in our earlier modules when we were setting up

18
00:01:23,680 --> 00:01:29,675
Wireshark and when we learned about the launchpad or the start page

19
00:01:29,675 --> 00:01:34,312
for when we first opened Wireshark, we learned that we can

20
00:01:34,312 --> 00:01:40,794
essentially slice up our information in pre-capture files.

21
00:01:40,802 --> 00:01:49,572
So, let's open up Wireshark new and let's take a look at capture options.

22
00:01:49,580 --> 00:01:55,400
So in here, what I can do is I can select the interface in which I want to capture on.
23
00:01:55,400 --> 00:02:00,370
And then I have, again, the ability to set up the capture filter if I like.

24
00:02:00,370 --> 00:02:07,531
And or set up the, where I want to put the capture file.

25
00:02:07,531 --> 00:02:11,470
But there are some options under here that allow me to do exactly that.

26
00:02:11,470 --> 00:02:17,906
Slice up the capture into multiple files, so one of the things that I can do,

27
00:02:17,906 --> 00:02:25,455
is find where I want to place that. Well, I will put it in captures, multiple files.

28
00:02:25,454 --> 00:02:30,452
And as you can see here, I've already run a capture and diced up one into multiple files.

29
00:02:30,452 --> 00:02:37,228
So I create a new folder, of course, run a test

30
00:02:37,228 --> 00:02:48,237
and from here, I can then change or select options so that I can

31
00:02:48,237 --> 00:02:53,697
either stop recording after or stop capturing after a certain amount of time.

32
00:02:53,697 --> 00:03:01,157
I can use a ring buffer which I will explain momentarily, or I can say, ever

33
00:03:01,159 --> 00:03:06,501
create a new file after a certain size of a file or certain amount of minutes.

34
00:03:06,501 --> 00:03:11,801
So if I want to run a capture, for example, where I want to cut it up into some files

35
00:03:11,804 --> 00:03:19,480
and I want each file to be one gig,

36
00:03:19,490 --> 00:03:24,747
I can then just select that and say, and then stop after one file.

37
00:03:24,784 --> 00:03:28,129
And then it's going to capture a 1 gig file and then it's going to stop.

38
00:03:28,129 --> 00:03:33,731
Or I can say, I want you to create a file

39
00:03:33,731 --> 00:03:41,223
every 10 minutes and I want you to stop after 5 files

40
00:03:41,220 --> 00:03:44,143
so it's going to give me 50 minutes of information.
41
00:03:44,143 --> 00:03:48,709
So as you can see here, there's a way that you can start your capture

42
00:03:48,709 --> 00:03:53,162
and customize it in a way before it kicks off to have a specific action

43
00:03:53,162 --> 00:03:57,960
and dump those files directly into the directory which I just created.

44
00:03:57,960 --> 00:04:02,185
So that being said, one of the most important things here

45
00:04:02,185 --> 00:04:06,275
is the ring buffer, which can be confusing to some.

46
00:04:06,275 --> 00:04:09,891
So if you want to constantly overwrite data,

47
00:04:09,891 --> 00:04:13,050
and you only want a couple of files at all times,

48
00:04:13,050 --> 00:04:17,832
you can set up the ring buffer and it will continuously record.

49
00:04:17,831 --> 00:04:22,262
However, it will record the data that was already captured.

50
00:04:22,262 --> 00:04:28,556
So just remember, circular or ring, continuously recording over.

51
00:04:28,556 --> 00:04:30,843
That's a good way to remember that.

52
00:04:30,843 --> 00:04:35,756
But that being said, you slice up your capture files,

53
00:04:35,766 --> 00:04:38,717
you do this before you run a capture.

54
00:04:38,717 --> 00:04:42,470
You can do so through the launchpad. You go through capture options.

55
00:04:42,470 --> 00:04:45,190
You can select multiple files.

56
00:04:45,190 --> 00:04:50,398
You need to select the destination and you need to select the file name.

57
00:04:50,398 --> 00:04:55,177
It will append afterwards so you will see multiple files.

58
00:04:55,177 --> 00:05:01,650
And then you can go ahead and slice up the files on that, those criteria options

59
00:05:01,650 --> 00:05:05,045
that you selected prior to kicking off your capture.

60
00:05:05,045 --> 00:05:09,959
And again, we just showed it live but specifically, here are those options.

61
00:05:09,959 --> 00:05:14,086
Again, you can select to do it after a certain amount of time.
62
00:05:14,086 --> 00:05:18,253
You can select it to do it after a certain amount of files at a certain size.

63
00:05:18,253 --> 00:05:26,006
And you can stop capture or continuously record over data in a certain amount of files.

64
00:05:26,006 --> 00:05:32,336
And then your final output will be multiple files.

65
00:05:32,336 --> 00:05:38,107
As you can see here, I wanted them all to be a certain size so it chunked them up.

66
00:05:38,107 --> 00:05:42,216
It specifically gave me the time and date when it did so.

67
00:05:42,216 --> 00:05:45,484
And I also saved the master capture there as well.

68
00:05:45,537 --> 00:05:51,510
So as you can see, I am able to now distribute these files,

69
00:05:51,510 --> 00:05:56,720
if they were very large. I can then send them to somebody to further help me analyze them.

70
00:05:56,720 --> 00:06:03,128
And I don't have to send them a 1 gigabyte file, or one large, very large file.

71
00:06:03,128 --> 00:06:12,273