chuckp2010
Wireshark filtering question
Hi
I have a problem with a Windows 2003 server so wanted to run a Wireshark capture overnight to capture some data. It's only traffic on one port to one IP address that I want to capture.
My main concern is that Wireshark will just grow and grow and when I leave it on overnight it will either cause the server to crash or something.
Does anyone know how I can restrict the capture so that it only logs details for that port/IP (I assume this will save space) and also I can tell it to cancel itself if the file gets too large / it's taking up a lot of system resources?
Also, anything else I should be aware of?
If you want to monitor who's doing what, you can also capture only the packets with SYN, FIN and RST bits set. This way you will see everything except the data (of course, only for TCP traffic).
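As an added example (not code from the thread or from the Wireshark project), the script below puts the two ideas together: a libpcap capture filter limited to one host and one TCP port, optionally narrowed to SYN/FIN/RST segments as the reply above suggests, and a dumpcap invocation with a ring buffer and an auto-stop so the capture has a hard disk ceiling. The host 10.0.0.5, port 1433, interface number 1 and the size/time limits are placeholders I chose, not values from the question.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a capture filter
# restricted to one host and one TCP port, then starts dumpcap (the capture
# engine that ships with Wireshark) with a ring buffer and an auto-stop so the
# capture can never grow unbounded.
# Placeholders (assumptions, not from the page): host 10.0.0.5, port 1433,
# interface 1.  Run as:  sh capture.sh run

TARGET_HOST="10.0.0.5"     # constructed placeholder: the peer to capture
TARGET_PORT="1433"         # constructed placeholder: the port of interest
IFACE="1"                  # interface number/name; `dumpcap -D` lists them
OUTFILE="overnight.pcap"   # base name; dumpcap appends a sequence number/time
FILE_KB="51200"            # rotate to a new file every ~50 MB
FILE_COUNT="10"            # keep at most this many files (oldest overwritten)
MAX_SECONDS="36000"        # stop after 10 hours no matter what
SNAPLEN="128"              # bytes kept per frame: headers only, no payload

# Emit a BPF capture filter for one host and one TCP port. With a third
# argument of "yes", keep only segments carrying SYN, FIN or RST, which
# records who connected to what and when, without the data in between.
build_capture_filter() {
    host="$1"; port="$2"; flags_only="${3:-no}"
    filter="host $host and tcp port $port"
    if [ "$flags_only" = "yes" ]; then
        filter="$filter and (tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0)"
    fi
    printf '%s\n' "$filter"
}

# Upper bound on disk use of the ring buffer, in kilobytes: file size times
# file count. Compare this with free space before leaving the capture running.
max_disk_kb() {
    echo $(( $1 * $2 ))
}

# Start dumpcap in the foreground with a bounded ring buffer.
#   -f  capture filter applied at the driver, so unwanted packets are never
#       copied to memory or disk
#   -s  snapshot length; truncating frames cuts disk use further
#   -b  ring buffer: rotate every FILE_KB kilobytes, keep FILE_COUNT files
#   -a  autostop after MAX_SECONDS seconds
#   -p  no promiscuous mode; only this machine's own traffic is wanted
start_capture() {
    filter=$(build_capture_filter "$TARGET_HOST" "$TARGET_PORT" no)
    echo "capture filter: $filter"
    echo "disk cap: $(max_disk_kb "$FILE_KB" "$FILE_COUNT") kB"
    exec dumpcap -i "$IFACE" -p -s "$SNAPLEN" -f "$filter" \
        -b "filesize:$FILE_KB" -b "files:$FILE_COUNT" \
        -a "duration:$MAX_SECONDS" -w "$OUTFILE"
}

if [ "${1:-}" = "run" ]; then
    start_capture
fi
```

On the asker's Windows 2003 box the same options go to dumpcap.exe from the Wireshark install directory at a cmd prompt; the shell wrapper is only there to show the argument construction. Capturing with dumpcap rather than the Wireshark GUI is what addresses the "grow and grow" worry: dumpcap streams frames straight to the ring-buffer files instead of holding the whole capture in memory, and the `-b files:N` limit means the oldest file is overwritten once N files exist, so disk use stays at about FILE_KB times FILE_COUNT kilobytes. Pass `yes` as the third argument of `build_capture_filter` to record only connection setup and teardown, as the reply above describes.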