This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Have one site that is dropping packets because they are getting a lot of traffic. Have Fortinet products and know that most of the traffic is between a webserver and two mail servers at two other sites.

How can I filter my capture to show me specifically what traffic my webserver is receiving from the other two mail servers?

asked 10 Sep '12, 13:15

tpayne01's gravatar image

tpayne01
1111
accept rate: 0%

Let's assume that your webserver is 10.10.10.10 mail server1 is 1.1.1.1 mail server2 is 2.2.2.2

And you have a packet capture that has this (and other) traffic.

Open up the trace file and in the "Filter" bar (located under the menus) type in ip.addr==10.10.10.10 and hit ENTER.

This will give you all the traffic to and from 10.10.10.10. So the "ip.addr==x.x.x.x" is your friend.

Is this what you need? Or did you really mean you need to understand the volume of traffic to/from your webserver and mail servers?

(10 Sep '12, 13:57) hansangb

As it stands our location with the webserver is getting hammered with traffic. Packets are being dropped. So, trying to understand what all traffic is coming in that is causing this bottleneck, then wanting to break it down to show types of traffic coming in from the two mail servers.

(11 Sep '12, 04:32) tpayne01

Then the display filter will work after you capture the traffic. there are conversation specific stats that you can quickly pick out (Statistics, Conversations, then select IP or TCP tab)

(11 Sep '12, 15:27) hansangb

Thank you hansangb!

Question: I can filter my capture to show only traffic between webmail server and one of the other mail servers. Is there a good way that I can show management what specific types of traffic these two servers are sending to each other?

(12 Sep '12, 04:17) tpayne01

Did you try the Statistics - Protocol Hierarchy menu option? It may not be 100% accurate all the time, but it might help.

(12 Sep '12, 12:22) Jasper ♦♦

tpayne01, did you mean "HOW can I filter my capture.."?

In that case, start Wireshark, hit CTRL-K and select the proper interface and double click on it. You'll see the Capture Filter field. IN the filter bar, use "host 1.1.1.1 or host 2.2.2.2" (no quotes.) This will capture all traffic to/from those two hosts. Check the "Capture in promiscuous mode" if you're not using the actual server to capture the traffic. Adjust the capture buffer as necessary.

Earlier versions of Wireshark, the capture filter was in the main screen (after hitting CTRL K). The above is for newer 1.8 releases.

(13 Sep '12, 08:10) hansangb
showing 5 of 6 show 1 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×146
×100
×21

question asked: 10 Sep '12, 13:15

question was seen: 2,586 times

last updated: 13 Sep '12, 08:10

p​o​w​e​r​e​d by O​S​Q​A