This is a static archive of our old Q&A Site. Please post any new questions and answers at

New user: Network flow analysis help…


Have one site that is dropping packets because they are getting a lot of traffic. Have Fortinet products and know that most of the traffic is between a webserver and two mail servers at two other sites.

How can I filter my capture to show me specifically what traffic my webserver is receiving from the other two mail servers?

asked 10 Sep '12, 13:15


Let's assume that your webserver is mail server1 is mail server2 is

And you have a packet capture that has this (and other) traffic.

Open up the trace file and in the "Filter" bar (located under the menus) type in ip.addr== and hit ENTER.

This will give you all the traffic to and from So the "ip.addr==x.x.x.x" is your friend.

Is this what you need? Or did you really mean you need to understand the volume of traffic to/from your webserver and mail servers?

(10 Sep '12, 13:57) hansangb

As it stands our location with the webserver is getting hammered with traffic. Packets are being dropped. So, trying to understand what all traffic is coming in that is causing this bottleneck, then wanting to break it down to show types of traffic coming in from the two mail servers.

(11 Sep '12, 04:32) tpayne01

Then the display filter will work after you capture the traffic. There are conversation-specific stats that you can quickly pick out (Statistics, Conversations, then select the IP or TCP tab).

(11 Sep '12, 15:27) hansangb

Thank you hansangb!

Question: I can filter my capture to show only traffic between webmail server and one of the other mail servers. Is there a good way that I can show management what specific types of traffic these two servers are sending to each other?

(12 Sep '12, 04:17) tpayne01

Did you try the Statistics - Protocol Hierarchy menu option? It may not be 100% accurate all the time, but it might help.

(12 Sep '12, 12:22) Jasper ♦♦

tpayne01, did you mean "HOW can I filter my capture.."?

In that case, start Wireshark, hit CTRL-K and select the proper interface and double click on it. You'll see the Capture Filter field. In the filter bar, use "host or host" (no quotes). This will capture all traffic to/from those two hosts. Check "Capture in promiscuous mode" if you're not using the actual server to capture the traffic. Adjust the capture buffer as necessary.

In earlier versions of Wireshark, the capture filter was in the main screen (after hitting CTRL-K). The above is for the newer 1.8 releases.

(13 Sep '12, 08:10) hansangb
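The thread above recommends three things: a capture filter of the form "host A or host B", a display filter of the form ip.addr==x.x.x.x, and the Statistics > Conversations and Protocol Hierarchy views. The script below is an added example (not code from the thread or from Wireshark) that reproduces those three steps over a constructed packet list, so the logic can be seen without a real trace. The addresses are RFC 5737 documentation addresses chosen for the example, the Packet record is a hypothetical stand-in for the fields tshark would export (source, destination, top protocol, frame length), and the packets themselves are made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Hypothetical per-frame record: the fields a tshark export would give us."""
    src: str
    dst: str
    proto: str    # highest-layer protocol, as in the Protocol Hierarchy view
    length: int   # frame length in bytes


# Constructed addresses (RFC 5737 documentation ranges), standing in for the
# webserver, the two remote mail servers, and one unrelated client.
WEB = "192.0.2.10"
MAIL1 = "198.51.100.20"
MAIL2 = "203.0.113.30"
OTHER = "192.0.2.99"

# Constructed sample capture: not real traffic.
PACKETS: List[Packet] = [
    Packet(MAIL1, WEB, "SMTP", 1500),
    Packet(WEB, MAIL1, "SMTP", 60),
    Packet(MAIL2, WEB, "SMTP", 1500),
    Packet(MAIL2, WEB, "SMTP", 1500),
    Packet(WEB, MAIL2, "SMTP", 60),
    Packet(OTHER, WEB, "HTTP", 400),
    Packet(WEB, OTHER, "HTTP", 1200),
    Packet(MAIL1, MAIL2, "SMTP", 800),
]


def capture_filter_hosts(packets: Iterable[Packet], hosts: Iterable[str]) -> List[Packet]:
    """Equivalent of the BPF capture filter 'host A or host B': keep frames
    whose source or destination is any of the listed hosts."""
    wanted = set(hosts)
    return [p for p in packets if p.src in wanted or p.dst in wanted]


def display_filter_ip_addr(packets: Iterable[Packet], addr: str) -> List[Packet]:
    """Equivalent of the display filter ip.addr==addr (matches either direction)."""
    return [p for p in packets if p.src == addr or p.dst == addr]


def conversations(packets: Iterable[Packet]) -> Dict[Tuple[str, str], Dict[str, int]]:
    """Equivalent of Statistics > Conversations (IP tab): packets and bytes per
    unordered address pair, so both directions of a flow land in one row."""
    stats: Dict[Tuple[str, str], Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = tuple(sorted((p.src, p.dst)))
        stats[key]["packets"] += 1
        stats[key]["bytes"] += p.length
    return dict(stats)


def top_talkers(packets: Iterable[Packet]) -> List[Tuple[Tuple[str, str], int]]:
    """Conversations ordered by bytes, largest first: the first thing to look at
    when a link is saturated and packets are being dropped."""
    convs = conversations(packets)
    return sorted(((k, v["bytes"]) for k, v in convs.items()), key=lambda kv: kv[1], reverse=True)


def protocol_breakdown(packets: Iterable[Packet]) -> Dict[str, Dict[str, int]]:
    """Equivalent of Statistics > Protocol Hierarchy, reduced to the top protocol:
    packets and bytes per protocol name."""
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        stats[p.proto]["packets"] += 1
        stats[p.proto]["bytes"] += p.length
    return dict(stats)


def inbound_from(packets: Iterable[Packet], server: str, peers: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """The original question: what the webserver is receiving from the two mail
    servers, as bytes per (sending peer, protocol)."""
    wanted = set(peers)
    out: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for p in packets:
        if p.dst == server and p.src in wanted:
            out[p.src][p.proto] += p.length
    return {peer: dict(protos) for peer, protos in out.items()}


if __name__ == "__main__":
    web_only = display_filter_ip_addr(PACKETS, WEB)
    for pair, nbytes in top_talkers(web_only):
        print(f"{pair[0]} <-> {pair[1]}: {nbytes} bytes")
    print(inbound_from(PACKETS, WEB, [MAIL1, MAIL2]))
```

On a real trace the same numbers come from tshark without opening the GUI: `tshark -r capture.pcap -q -z conv,ip` prints the conversation table and `tshark -r capture.pcap -q -z io,phs` prints the protocol hierarchy; a display filter such as `ip.addr==x.x.x.x` can be applied with `-Y` to narrow either report to the webserver's traffic.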