Wireshark filtering question


I have a problem with a Windows 2003 server, so I wanted to run a Wireshark capture overnight to capture some data. It's only traffic on one port to one IP address that I want to capture.

My main concern is that Wireshark will just grow and grow and when I leave it on overnight it will either cause the server to crash or something.

Does anyone know how I can restrict the capture so that it only logs details for that port/IP (I assume this will save space), and also how I can tell it to cancel itself if the file gets too large or it's taking up a lot of system resources?

Also, anything else I should be aware of?

There are a few things you should do.

1. (OPTIONAL, this will help offload dump on the tap port) On the SPAN port configuration on the switch, set up your source as the physical port where the PC is connected (if the PC is connected to the same switch where the SPAN is configured). If the PC is somewhere down the stream on a trunk, then set up only that VLAN of the PC as the source.
2. In Wireshark, when you select which interface to listen to, go into the options. Under the options, configure the 'Capture Filter' as in my sample image below. Under 'Capture File' select the location of the file; I usually store it on the Desktop. Tick off 'multiple files', next file 'Every x mb' (mine is set to 512 MB), and 'Ring buffer' with 8 files. What that means is that Wireshark will continuously capture into 8 sequential files, each of max 512 MB. As soon as the 8th file is exhausted, Wireshark will start writing into the 1st file.

This way you can run captures indefinitely.

If it is a single port you can add this to the end of the capture filter that imanassypov shows in their screenshots:

   and tcp port ##

Where ## is the tcp port you want to limit the capture to.
If you want to monitor who's doing what, you can also capture only the packets with SYN, FIN and RST bits set. This way you will see everything except the data (of course, only for TCP traffic).
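
The three suggestions above (host filter, single TCP port, optional SYN/FIN/RST-only capture, and an 8-file ring buffer of 512 MB each) combined into one command line, as an added example that is not part of the original thread. It uses dumpcap, the capture tool that ships with Wireshark; the host 192.0.2.10, port 1433, interface number 1 and file name are constructed values, and 1 MB is taken as 1000 kB.

```shell
#!/bin/sh
# Added example: build a dumpcap command line for a bounded overnight capture.
# Host, port, interface number and output file are constructed sample values.

# Build a BPF capture filter for one host and one TCP port.
# $3 = "flags" limits the capture to SYN/FIN/RST packets (no payload data).
build_filter() {
    host=$1 port=$2 mode=${3:-all}
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    filter="host $host and tcp port $port"
    if [ "$mode" = "flags" ]; then
        filter="$filter and tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0"
    fi
    printf '%s\n' "$filter"
}

# Worst-case disk use of the ring buffer in MB: number of files * size of each.
ring_max_mb() {
    echo $(( $1 * $2 ))
}

# Print the dumpcap invocation. -b filesize takes kB, so MB is converted
# (assumption: 1 MB = 1000 kB).
dumpcap_cmd() {
    iface=$1 outfile=$2 size_mb=$3 files=$4 filter=$5
    printf 'dumpcap -i %s -f "%s" -b filesize:%s -b files:%s -w %s\n' \
        "$iface" "$filter" "$(( size_mb * 1000 ))" "$files" "$outfile"
}

f=$(build_filter 192.0.2.10 1433 all) || exit 1
echo "max disk use: $(ring_max_mb 8 512) MB"
dumpcap_cmd 1 overnight.pcap 512 8 "$f"
```

Run `dumpcap -D` to find the interface number on the server; the printed dumpcap options are the same at a Windows command prompt.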