I'm trying to catch an intermittent problem we think may be a broadcast storm. My first task is finding the log file. Where does Wireshark put it? My next task is to automatically delete it before it gets too big and then start the log again. Is there anything premade for something like that? Network of 80 machines, random network lockup anywhere from 1-30 sec for all machines at the same time. I was planning to keep 10-minute chunks of Wireshark logs, and when a lockup occurs have someone in the lab grab the log and note the time so we can have a look-see. Does that sound like a good plan? Are there scripts already for this? Is there anywhere I can share mine if I make one? Thank you, rd42 asked 22 Nov '10, 07:18 rd42
One Answer:
All machines lock up for 1-30 seconds? Sounds like a Spanning Tree / loop problem to me. The plan is good, but I guess "log file" is what is usually called a "trace file", which is a file containing captured network data. The idea is good to capture chunks, and to do that you should open the capture options dialog, second button on the left of the toolbar. Set capture to file, specify a good capture size (8-16MB) and let it write either in a large ring buffer or write continuously. Then wait for the problem and look at the corresponding file. I bet you'll see tons of duplicate packets created by a layer 2 loop, which means you have to enable/redesign your spanning tree. answered 22 Nov '10, 07:25 Jasper
You might also want to look at using the Wireshark dumpcap program with ring buffers.
Dumpcap just captures and saves; it doesn't do any analysis (which requires saving state as the capture progresses).
When you encounter a problem you can then stop dumpcap and then use Wireshark to look at the capture(s).
See: http://www.wireshark.org/docs/man-pages/dumpcap.html
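The ring-buffer capture described in the answer and comment above, as an added example script (not code from the thread or from the Wireshark project): it runs dumpcap in 10-minute chunks that roll over automatically, and picks out the chunk covering a lockup time noted by someone in the lab. The interface name, output directory, file counts and the `lockup_` prefix are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Run dumpcap as a ring buffer of
# 10-minute chunks and locate the chunk covering a noted lockup time.
# Assumed values: interface eth0, output dir /var/tmp/caps, 12 files kept.

IFACE="${IFACE:-eth0}"             # capture interface, change to your NIC
OUTDIR="${OUTDIR:-/var/tmp/caps}"  # where ring-buffer files land (no spaces)
CHUNK_SECS="${CHUNK_SECS:-600}"    # 10-minute chunks, as planned in the question
KEEP_FILES="${KEEP_FILES:-12}"     # ring size: 12 x 10 min = last 2 hours kept
MAX_KB="${MAX_KB:-16384}"          # also roll at ~16 MB so a storm can't bloat a file

# Build the dumpcap argument list. These -b options exist in dumpcap:
#   -b duration:N  start a new file every N seconds
#   -b filesize:N  start a new file after N kB
#   -b files:N     keep at most N files, deleting the oldest (ring buffer)
# dumpcap names each file <prefix>_<NNNNN>_<YYYYmmddHHMMSS>.pcapng itself.
dumpcap_args() {
    printf '%s' "-i $1 -b duration:$2 -b filesize:$3 -b files:$4 -w $5/lockup.pcapng"
}

# Given the lockup time the operator noted (YYYYmmddHHMMSS) and the capture
# directory, print the file that was being written at that moment: the newest
# chunk whose start timestamp is not later than the noted time. Fixed-width
# 14-digit stamps compare correctly as strings. Prints nothing if no chunk
# started before the noted time (the ring already discarded it).
chunk_for_time() {
    ls "$2"/lockup_*_[0-9]*.pcapng 2>/dev/null | awk -v want="$1" '{
        n = split($0, a, "_"); stamp = substr(a[n], 1, 14)
        if (stamp <= want && stamp > best) { best = stamp; file = $0 }
    } END { print file }'
}

# Usage: ./ringcap.sh run            (needs capture privilege, e.g. wireshark group)
#        ./ringcap.sh find 20101122071530
case "${1:-}" in
    run)
        mkdir -p "$OUTDIR"
        # word-splitting of the constructed argument string is intentional
        exec dumpcap $(dumpcap_args "$IFACE" "$CHUNK_SECS" "$MAX_KB" "$KEEP_FILES" "$OUTDIR")
        ;;
    find)
        chunk_for_time "$2" "$OUTDIR"
        ;;
esac
```

Once `find` names the chunk, copy it out of the ring before dumpcap overwrites it and open it in Wireshark (Analyze > Expert Information or `eth.addr` conversations will make the duplicate frames of a layer 2 loop obvious).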