Save Packet Data to Multiple Packet Files

Product version: Since Capsa 7.4

Intended audience:

• Capsa Enterprise users
• Capsa Professional users
• Capsa WiFi users
• Capsa Free users
• Except all Demo users

When we start a capture in Capsa the packet data will be temporarily saved in RAM buffer. The packet data in the buffer will be lost when we close the program. If we just want to save the packets into packet files (aka trace files) and do the analysis later, we can use packet output function on Capsa to record packet data to a single or multiple files, and use Capsa to replay the files when we need to analyze the network traffic.

We can use Capsa to save captured packet into a single packet file. If it’ll be left running capturing data for a long period of time, Capsa is able to automatically save packets in multiple files, such as to save packets of every hour (or total packet size of every 100 MB) in a separate file. Saving packet data into multiple small-sized files makes post-analysis much easier than a large over-sized packet file. Let’s see how to enable the function to save all captured packet data to a single and multiple packet files.

1. Click Packet Output icon on the Ribbon if a capture is running, or click Set Data Storage link on the start page (middle-right side of the Start Page).
   
   
2. Check Save packet to disk option on the Data Storage Options window.
   
3. The Limit each packet to n bytes option will only save the first n (64 by default) bytes of data of each packet, which means to the extent of the TCP headers will be saved, but the content will be eliminated. This option is used to reduce the file size, check this option if you don’t need go down to check the bits of the packet body.
4. Select Single file if you want to save all packet data into one packet file. This is the best choice if you just want to capture less than 500 Mbytes of packets.
5. If you want to capture packet data for a long period of time, or capture in a heavy-loaded network, Multiple files will be better than the Single file. This option enables Capsa to not only save packet data to your hard disk, but also fill the packets in different files as the condition settings. For example, you can change the settings to save packet data of each hour to a packet file. And then you need to view the packets between 9:00 – 10:00, you just need to load the file which contains packet data between that time period. You can identify the files by the time stamp in their file names. Beside time conditions, file size conditions give you the choice to split files by a file size.
6. Keep all files & Keep the latest n files. In case the packet files fill up your hard disk, you can set to only keep a certain number of packet files. For instance, you only want Capsa to keep the latest 10 packet files. When the 10th file is full and Capsa needs to create a new one, Capsa knows it only has to keep the latest ten of them so Capsa will delete the 1st (the oldest) packet file and then create a new one.