1. CWNP, LLC. (2021). CWAP-404 Certified Wireless Analysis Professional Study Guide.
Chapter 2, "The Protocol Analyzer," discusses the components of a protocol analyzer, distinguishing the capture driver/engine from the decoding/analysis engine. It emphasizes that for high-performance captures, the overhead of the analysis engine (which performs the real-time decodes) must be minimized to prevent packet drops, and recommends capture-only tools such as dumpcap for this purpose.
Chapter 2 also covers "Capture Methodology," which explicitly details storage planning (total space and individual file sizes, managed via ring buffers) and proper analyzer placement as fundamental considerations to settle before a capture is started.
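The storage-planning step described above, worked through as an added example that is not from the CWNP guide, the Pilli et al. paper, or the Wireshark documentation. It turns a disk budget and a per-file size into a dumpcap ring-buffer configuration and prints the capture-only command line (dumpcap itself is not executed here, so the script runs anywhere). The interface name, output path, budget and file size are assumed inputs; the one-file slack reserved below the budget is a planning choice of this example, not a rule from the sources.

```sh
#!/bin/sh
# Added example: plan a dumpcap ring buffer from a disk budget.
# Not code from the cited sources. dumpcap is only printed, never run.

# ring_buffer_files BUDGET_MIB FILE_MIB
# Number of ring-buffer files that fit in the budget, keeping one file of
# slack (assumption of this example) so the ring never fills the volume
# exactly. dumpcap needs at least 2 files for a ring, so that is the floor.
ring_buffer_files() {
    budget_mib=$1
    file_mib=$2
    n=$(( budget_mib / file_mib - 1 ))
    if [ "$n" -lt 2 ]; then
        n=2
    fi
    echo "$n"
}

# dumpcap_cmd IFACE OUTFILE BUDGET_MIB FILE_MIB
# Builds the capture-only command line:
#   -q               no per-packet count output on the console
#   -B 64            kernel capture buffer in MiB, to absorb bursts before a drop
#   -b filesize:N    rotate after N KB (dumpcap takes this value in kB)
#   -b files:N       keep at most N files, deleting the oldest on rotation
#   -w OUTFILE       base name; dumpcap appends a sequence number and timestamp
dumpcap_cmd() {
    iface=$1
    outfile=$2
    budget_mib=$3
    file_mib=$4
    files=$(ring_buffer_files "$budget_mib" "$file_mib")
    filesize_kb=$(( file_mib * 1024 ))
    echo "dumpcap -i $iface -q -B 64 -b filesize:$filesize_kb -b files:$files -w $outfile"
}

# Example: 10 GiB of disk, 512 MiB per file, on an assumed interface eth0.
dumpcap_cmd eth0 /var/cap/trace.pcapng 10240 512
```

Running the script prints the dumpcap invocation for the given budget; copy it to a host where dumpcap is installed and where the capturing user has capture privileges. The command opens no decoding engine at all, which is the whole point of the recommendation in entries 1 and 3: the ring-buffer and kernel-buffer settings are what keep the capture within its storage plan and its drop budget, and analysis happens later in Wireshark on the rotated files.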
2. Pilli, E. S., Joshi, R. C., & Niyogi, R. (2010). A Framework for Network Forensics. International Journal of Computer Applications, 1(11), 1-6.
This academic paper outlines the phases of network forensics, beginning with "Collection." In that phase, the "main goal is to collect the network traffic data passively and store it with minimum loss" (Section 3.1, Collection). Decoding and interpretation belong to the later "Analysis" phase. This separation of concerns supports the principle that real-time analysis (decoding) is not a priority during the collection phase of a forensic capture, and that anything which competes with lossless storage at collection time should be deferred.
DOI: 10.5120/329-483
3. Wireshark Development Team. (n.d.). Wireshark User's Guide. Wireshark.org.
Section 4.7, "Capturing Packets," and the documentation for the dumpcap utility explain that dumpcap is the command-line tool that performs the raw packet capture for Wireshark. The guide notes, "For high-traffic and/or long-term captures, it is recommended to use dumpcap directly... as it has a much lower memory and CPU footprint than the Wireshark GUI," the GUI being the component that performs real-time decoding. This official vendor documentation directly supports leaving real-time decodes out of performance-critical captures and running a capture-only process instead.