This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trace only relevant traffic

0

Hi,

I am absolutely new to Wireshark but I am asked to trace the complete traffic between two machines (IP addresses are known, but nothing else). How can I do this?

thx a lot

asked 10 Jul '12, 16:30


palustris
accept rate: 0%

edited 10 Jul '12, 19:53


Jim Aragon


One Answer:

1

First you have to position Wireshark where it can capture the traffic between the two machines. You can install Wireshark on one of the two machines, or you can connect your Wireshark computer to a switch that the traffic passes through and use port mirroring.

To limit the captured traffic to only the IP traffic between the two machines, enter this capture filter: "host ip-address-1 and host ip-address-2". For example, "host 192.168.1.1 and host 192.168.1.25".

Or you can capture all the traffic and then use this display filter to show only the traffic between the two machines: "ip.addr==192.168.1.1 && ip.addr==192.168.1.25"

answered 10 Jul '12, 19:53


Jim Aragon
accept rate: 24%

thank you for your answer. I have a long time capture of the complete traffic. When using the display filter, is it possible to save a new file from it that only contains the filtered traffic?

(11 Jul '12, 03:55) palustris

Yes, you can save the filtered packets by selecting:

  • File -> Save As... (Wireshark version < 1.8.0)
  • File -> Export Specified Packets... (Wireshark version 1.8.0 and higher)

(11 Jul '12, 04:54) SYN-bit ♦♦
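The same two steps from the answer and the follow-up comment, applied programmatically to an existing capture file: keep only frames carrying both addresses in either direction (what `ip.addr==192.168.1.1 && ip.addr==192.168.1.25` selects) and write them out as a new capture (what Export Specified Packets does). This is an added example, not code from the thread or from Wireshark; it assumes a classic little- or big-endian pcap (not pcapng) with Ethernet frames, and the sample capture is constructed inline.

```python
import socket
import struct

PCAP_MAGIC_LE = b"\xd4\xc3\xb2\xa1"  # classic little-endian pcap magic

def pcap_global_header(snaplen=65535):
    # version 2.4, timezone 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET (1)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)

def ipv4_frame(src, dst, payload=b""):
    # Ethernet header (IPv4 ethertype) + minimal 20-byte IPv4 header; checksum left zero
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload

def iter_records(pcap):
    """Yield (16-byte record header, frame bytes) for each record in a pcap."""
    endian = "<" if pcap[:4] == PCAP_MAGIC_LE else ">"
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def frame_ips(frame):
    """Return (src, dst) of an Ethernet/IPv4 frame, or None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])

def filter_conversation(pcap, host_a, host_b):
    """Keep frames that carry both addresses (either direction), as
    'ip.addr==host_a && ip.addr==host_b' does; returns (pcap bytes, kept count)."""
    out, kept = bytearray(pcap[:24]), 0
    for header, frame in iter_records(pcap):
        ips = frame_ips(frame)
        if ips and host_a in ips and host_b in ips:
            out += header + frame
            kept += 1
    return bytes(out), kept

def build_sample_pcap():
    # Constructed capture: both directions of the wanted conversation, one frame
    # to a third host, and one ARP frame (ethertype 0x0806) with no IPv4 header
    frames = [ipv4_frame("192.168.1.1", "192.168.1.25", b"ping"),
              ipv4_frame("192.168.1.25", "192.168.1.1", b"pong"),
              ipv4_frame("192.168.1.1", "10.0.0.5"),
              b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28]
    records = (struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return pcap_global_header() + b"".join(records)
```

Writing the bytes returned by `filter_conversation` to a `.pcap` file produces a capture that Wireshark opens directly; the frame to 10.0.0.5 and the ARP frame are dropped because they do not carry both addresses.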