This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Trying to capture traffic over local fiber metro e circuit?

0

Hello - we are trying to capture traffic that passes over a Metro E circuit that connects two local offices on separate networks (office1 is 192.168.1.xx and office2 is 192.168.10.xx). The Metro E circuit connects to an interface/port on a SonicWall router at each of the two respective locations.

We would like to configure Wireshark to capture packets over a 24 hour period of time so we can identify what IP addresses are generating the large intermittent packet fluctuations which are travelling over this Metro E circuit and exceed the designated bandwidth of the circuit.

Wireshark is currently installed on a server at office1 (192.168.1.xx) and when I try to create a remote interface to connect to a device at office2 (192.168.10.xx) I get the error message of: "Can't get a list of interfaces: the other host terminated the connection".

Can someone please advise? Many thanks in advance.

asked 16 Mar '13, 09:44


Rainman13
1111
accept rate: 0%


2 Answers:

2

Stop using Wireshark for long term capture. It's been said many times already, Wireshark builds up state from all traffic seen, eventually running out of memory.

There is a way to capture long term, by going for the dumpcap capture engine directly. It can capture and save multiple capture files until you exhaust your storage. It can throw away old captures as well, so this could run forever.

Btw: the type of analysis you're trying to do is more suited for tools like Pilot from these guys --->>

answered 16 Mar '13, 11:04


Jaap ♦
11.7k16101
accept rate: 14%
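
One way to get the per-address answer the question asks for out of the files a dumpcap multi-file capture leaves behind (an added example, not code from this thread): it totals on-wire bytes per source IPv4 address per minute and lists the minutes that exceed a rate limit. It assumes classic pcap files (dumpcap's `-P` option), Ethernet framing and untagged IPv4; the function names, the sample capture and the 400 bit/s limit are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

def bytes_per_source(pcap, bucket_secs=60):
    """Map bucket start (epoch s) -> {source IPv4: bytes on the wire}."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not classic pcap (pcapng files need converting first)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    totals = defaultdict(lambda: defaultdict(int))
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not plain IPv4 (VLAN tags not handled)
        src = socket.inet_ntoa(frame[26:30])
        # orig_len is the on-wire size even when the snaplen cut the frame short
        totals[ts_sec - ts_sec % bucket_secs][src] += orig_len
    return {start: dict(per_src) for start, per_src in totals.items()}

def over_limit(totals, limit_bps, bucket_secs=60):
    """Buckets whose average rate exceeds limit_bps, heaviest sources first."""
    hits = []
    for start in sorted(totals):
        per_src = totals[start]
        if sum(per_src.values()) * 8 / bucket_secs > limit_bps:
            hits.append((start, sorted(per_src.items(), key=lambda kv: -kv[1])))
    return hits

def build_sample():
    """Constructed capture: four header-only frames, not data from the thread."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    for ts, src, dst, wire_len in [
            (1363426800, "192.168.1.20", "192.168.10.5", 1500),
            (1363426810, "192.168.1.20", "192.168.10.5", 1500),
            (1363426815, "192.168.10.7", "192.168.1.3", 200),
            (1363426870, "192.168.1.44", "192.168.10.5", 100)]:
        ip = b"\x45" + b"\x00" * 11 + socket.inet_aton(src) + socket.inet_aton(dst)
        data = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", ts, 0, len(data), wire_len) + data
    return out

if __name__ == "__main__":
    # 400 bit/s is a constructed limit; use the circuit's committed rate instead
    for start, sources in over_limit(bytes_per_source(build_sample()), 400):
        print(start, sources)
```

Run it over each file in the capture directory in turn, passing the file's bytes to `bytes_per_source`.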

0

when I try to create a remote interface to connect to a device at office2 (192.168.10.xx) I get the error message of: "Can't get a list of interfaces: the other host terminated the connection".

It sounds as if there's a problem with the rpcap server on the other host. You might want to run two instances of Wireshark on the server, and have the first one capture on whatever interface the server would use to talk to 192.168.10.xx (the device at office2) and, once that's capturing, try to create the remote interface and see what happens with the rpcap traffic to cause that error.

answered 16 Mar '13, 10:51


Guy Harris ♦♦
17.4k335196
accept rate: 19%

Jaap - thanks for the info and will look into, but keep your patronizing attitude to yourself. This is a help forum.

Guy Harris - thanks as well I will look into that.

(17 Mar '13, 08:53) Rainman13