This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

New user: Network flow analysis help…


We have one site that is dropping packets because it is getting a lot of traffic. We have Fortinet products and know that most of the traffic is between a webserver and two mail servers at two other sites.

How can I filter my capture to show me specifically what traffic my webserver is receiving from the other two mail servers?

asked 10 Sep '12, 13:15


tpayne01

Let's assume that your webserver is 10.10.10.10, mail server 1 is 1.1.1.1 and mail server 2 is 2.2.2.2.

And you have a packet capture that has this (and other) traffic.

Open up the trace file and in the "Filter" bar (located under the menus) type in ip.addr==10.10.10.10 and hit ENTER.

This will give you all the traffic to and from 10.10.10.10. So the "ip.addr==x.x.x.x" is your friend.

Is this what you need? Or did you really mean you need to understand the volume of traffic to/from your webserver and mail servers?

(10 Sep '12, 13:57) hansangb

As it stands our location with the webserver is getting hammered with traffic. Packets are being dropped. So, trying to understand what all traffic is coming in that is causing this bottleneck, then wanting to break it down to show types of traffic coming in from the two mail servers.

(11 Sep '12, 04:32) tpayne01

Then the display filter will work after you capture the traffic. There are conversation-specific stats that you can quickly pick out (Statistics, Conversations, then select the IP or TCP tab).

(11 Sep '12, 15:27) hansangb

Thank you hansangb!

Question: I can filter my capture to show only traffic between webmail server and one of the other mail servers. Is there a good way that I can show management what specific types of traffic these two servers are sending to each other?

(12 Sep '12, 04:17) tpayne01

Did you try the Statistics - Protocol Hierarchy menu option? It may not be 100% accurate all the time, but it might help.

(12 Sep '12, 12:22) Jasper ♦♦

tpayne01, did you mean "HOW can I filter my capture.."?

In that case, start Wireshark, hit CTRL-K, select the proper interface and double click on it. You'll see the Capture Filter field. In the filter bar, use "host 1.1.1.1 or host 2.2.2.2" (no quotes). This will capture all traffic to/from those two hosts. Check "Capture in promiscuous mode" if you're not using the actual server to capture the traffic. Adjust the capture buffer as necessary.

In earlier versions of Wireshark, the capture filter was on the main screen (after hitting CTRL-K). The above is for the newer 1.8 releases.

(13 Sep '12, 08:10) hansangb
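To make the three suggestions in this thread concrete (the `ip.addr==x.x.x.x` display filter, the Statistics > Conversations table, and the Statistics > Protocol Hierarchy breakdown), here is an added example that is not part of the original thread and not Wireshark's own code. It works on a handful of constructed packet summaries in the shape that `tshark -T fields` would print (source, destination, top-layer protocol, frame length); the addresses reuse the hypothetical ones from hansangb's answer, and the protocol mix is invented for illustration. The functions reproduce what the GUI tables show, so the reader can see exactly how "who is hammering the webserver" is computed from per-packet records.

```python
from collections import defaultdict

# Constructed packet summaries (ip.src, ip.dst, highest-layer protocol,
# frame length in bytes). Invented for this example, not from a real capture.
PACKETS = [
    ("1.1.1.1",     "10.10.10.10", "smtp", 1514),
    ("10.10.10.10", "1.1.1.1",     "smtp", 66),
    ("2.2.2.2",     "10.10.10.10", "smtp", 1514),
    ("2.2.2.2",     "10.10.10.10", "smtp", 1514),
    ("10.10.10.10", "2.2.2.2",     "smtp", 66),
    ("2.2.2.2",     "10.10.10.10", "http", 320),
    ("3.3.3.3",     "10.10.10.10", "http", 400),
    ("1.1.1.1",     "2.2.2.2",     "dns",  90),   # does not touch the webserver
]


def ip_addr_filter(packets, *hosts):
    """Display-filter equivalent of `ip.addr==h1 && ip.addr==h2 ...`:
    every listed host must be one of the packet's two endpoints.
    With a single host this is plain `ip.addr==h1` (to or from the host)."""
    return [p for p in packets if all(h in (p[0], p[1]) for h in hosts)]


def conversations(packets):
    """Statistics > Conversations (IPv4 tab): per unordered endpoint pair,
    packets and bytes in each direction, so the heavy side is obvious."""
    table = defaultdict(lambda: {"a_to_b_pkts": 0, "a_to_b_bytes": 0,
                                 "b_to_a_pkts": 0, "b_to_a_bytes": 0})
    for src, dst, _proto, length in packets:
        a, b = sorted((src, dst))          # canonical key, independent of direction
        direction = "a_to_b" if src == a else "b_to_a"
        table[(a, b)][direction + "_pkts"] += 1
        table[(a, b)][direction + "_bytes"] += length
    return dict(table)


def protocol_hierarchy(packets):
    """Statistics > Protocol Hierarchy reduced to the top layer:
    packets and bytes per protocol, largest byte count first."""
    totals = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for _src, _dst, proto, length in packets:
        totals[proto]["pkts"] += 1
        totals[proto]["bytes"] += length
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


def inbound_by_peer(packets, host):
    """Bytes received by `host` per remote peer, heaviest first: the
    'what is flooding this site' view for a link that is dropping packets."""
    received = defaultdict(int)
    for src, dst, _proto, length in packets:
        if dst == host:
            received[src] += length
    return sorted(received.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    web = "10.10.10.10"
    mine = ip_addr_filter(PACKETS, web)            # ip.addr==10.10.10.10
    print("conversations involving", web)
    for (a, b), counters in conversations(mine).items():
        print(f"  {a} <-> {b}: {counters}")
    print("inbound bytes by peer:", inbound_by_peer(mine, web))
    # ip.addr==10.10.10.10 && ip.addr==2.2.2.2, then break down by protocol
    print("protocols between webserver and 2.2.2.2:",
          protocol_hierarchy(ip_addr_filter(PACKETS, web, "2.2.2.2")))
```

On a real capture the same tables come straight from tshark without the GUI: `tshark -r site.pcap -q -z conv,ip,ip.addr==10.10.10.10` prints the conversation table restricted by that filter, and `tshark -r site.pcap -q -z io,phs` prints the protocol hierarchy; the capture filter from the last comment is passed as `-f "host 1.1.1.1 or host 2.2.2.2"` when capturing live. The directional counters in `conversations` are what answer the original question: for a site being flooded, the `b_to_a_bytes` column (or its mirror) shows which mail server is sending the bulk, and `protocol_hierarchy` over the two-host filter shows what kind of traffic it is.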