Selecting options

The Display Options are generally set to Update list of packets in real-time and Automatically scroll during live capture, as shown in the following screenshot:

 Options tab

The Name Resolution choices include the following:

  • Resolve MAC Addresses
  • Resolve network names
  • Resolve transport names

It's okay to resolve MAC addresses and transport names, as these are converted to human-readable form offline, using static text files found in the local Wireshark installation folder, so no lookups leave the machine. The files include the following:

  • manuf.txt is a list of Ethernet vendor codes and well-known MAC addresses.
  • services.txt holds a local copy of the IANA port numbers file.

However, if you select Resolve network names, Wireshark will query the DNS server repeatedly, once for each IP address it needs to display, which will most likely degrade system performance and add extra traffic to the very network you are observing.
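The difference between the two kinds of resolution is easiest to see in code. The following Python script is an added example, not Wireshark's own code: it parses small constructed samples laid out like the manuf and services files (the real files ship in the Wireshark installation folder), resolves MAC vendor prefixes and port numbers from those tables alone, and never opens a socket. The `prefix/bits` mask notation for vendor blocks shorter than a full 24-bit OUI and the `Vendor_xx:xx:xx` display form are assumptions modelled on how Wireshark presents resolved addresses; only network-name resolution would require a DNS round trip, which is exactly what this code does not do.

```python
import re

# Constructed sample in the layout of Wireshark's manuf file:
# prefix[/bits] <TAB> short name <TAB> long name.  Not the real file.
MANUF_SAMPLE = """\
# comment lines start with a hash
00:00:0C\tCisco\tCisco Systems, Inc
00:50:56\tVMware\tVMware, Inc.
70:B3:D5:00:00:00/36\tExample\tExample Corp (36-bit block, constructed entry)
"""

# Constructed sample in the layout of Wireshark's services file (IANA copy):
# name <TAB> port/proto [<TAB> port/proto ...] <TAB> # description
SERVICES_SAMPLE = """\
ssh\t22/tcp\t22/udp\t# The Secure Shell (SSH) Protocol
http\t80/tcp\t80/udp\t# World Wide Web HTTP
ntp\t123/udp\t# Network Time Protocol
"""


def mac_to_int(mac):
    """Turn any common MAC spelling (colons, dashes, dots) into a 48-bit int."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(hexdigits, 16)


def parse_manuf(text):
    """Return a list of (prefix_value, prefix_bits, short_name) tuples.

    A bare OUI such as 00:00:0C covers 24 bits; a '/36' suffix marks a
    longer vendor block (assumed notation).  Comments and blank lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        prefix, short = fields[0].strip(), fields[1].strip()
        bits = 24
        if "/" in prefix:
            prefix, bits_text = prefix.split("/", 1)
            bits = int(bits_text)
        hexdigits = re.sub(r"[^0-9A-Fa-f]", "", prefix)
        value = int(hexdigits.ljust(12, "0"), 16)   # pad a bare OUI out to 48 bits
        entries.append((value >> (48 - bits), bits, short))
    return entries


def resolve_mac(mac, entries):
    """Longest-prefix match against the manuf table; pure table lookup, no I/O.

    Resolved addresses are rendered as Vendor_xx:xx:xx (the low 24 bits),
    unresolved ones are returned unchanged in lower case.
    """
    value = mac_to_int(mac)
    best = None
    for prefix, bits, short in entries:
        if value >> (48 - bits) == prefix and (best is None or bits > best[0]):
            best = (bits, short)
    if best is None:
        return mac.lower()
    tail = value & 0xFFFFFF
    return f"{best[1]}_{tail >> 16:02x}:{(tail >> 8) & 0xFF:02x}:{tail & 0xFF:02x}"


def parse_services(text):
    """Return a dict keyed by (port, proto) -> service name."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()       # drop the trailing description
        if not line.strip():
            continue
        fields = line.split("\t")
        name = fields[0].strip()
        for spec in fields[1:]:
            spec = spec.strip()
            if "/" not in spec:
                continue
            port, proto = spec.split("/", 1)
            table[(int(port), proto)] = name
    return table


def resolve_port(port, proto, table):
    """Transport-name resolution: table hit gives the name, miss gives the number."""
    return table.get((port, proto), str(port))


def summarize(frame, manuf, services):
    """Render a constructed frame the way a resolved packet-list row would read."""
    return (f"{resolve_mac(frame['src_mac'], manuf)} -> "
            f"{resolve_mac(frame['dst_mac'], manuf)}  "
            f"{frame['proto'].upper()} {resolve_port(frame['dport'], frame['proto'], services)}")


if __name__ == "__main__":
    manuf = parse_manuf(MANUF_SAMPLE)
    services = parse_services(SERVICES_SAMPLE)
    # Constructed frames; nothing here touches the network.
    for frame in ({"src_mac": "00:00:0c:12:34:56", "dst_mac": "02:11:22:33:44:55", "dport": 22, "proto": "tcp"},
                  {"src_mac": "70:b3:d5:00:0b:cd", "dst_mac": "00:50:56:aa:bb:cc", "dport": 123, "proto": "udp"}):
        print(summarize(frame, manuf, services))
```

The check worth making before a long capture is that every resolver you leave enabled behaves like the two above: it should consult a file on disk and return immediately on a miss. Network-name resolution has no such table to fall back on, so each miss becomes a DNS query, and the cost scales with the number of distinct addresses in the trace.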

The last selection on the Options tab is Stop capture automatically after…, followed by the condition you choose. There are four choices:

  • Packets
  • Files
  • Size of file
  • After a specified time period

This setting is useful when baselining: set the stop condition to 1,000 packets and then start your capture; Wireshark will capture 1,000 packets and then automatically stop the capture.

After you understand the network architecture and the topology and have selected your capture options, you're ready to tap into the network. This next section will review the different types of packets you will see, along with how to look at the conversations and endpoints that are gathered while capturing traffic.
