Hi, I am not very familiar with Wireshark, so I apologize if this is too basic of a question. I have searched the forums for hints on how to accomplish what I am about to ask but was unsuccessful in finding any clues. I want to verify the IPs seen by Wireshark. Basically, I want to turn Wireshark on for a while and have it gather a listing of all the IPs seen. No need for payload data at all. Currently I don't dare leave Wireshark on for too long due to the amount of data it will consume. Is there a way to configure Wireshark to capture only this information so that I could leave it on for a while longer? As I said, I just want to verify that the IP information corresponds to what we expect to see on a particular monitoring port. This seems like a very basic utilization of Wireshark, and maybe someone could suggest a tool better suited to this task on a Windows 7 or XP machine. Thanks for any hints on how to accomplish this. Sammi asked 19 Dec '11, 15:30 SamHnery
One Answer:
If you don't care about anything but the IP addresses, then to help cut down on the amount of data Wireshark captures, you can try setting the snaplen to only capture what you need. For example, assuming you are capturing on an Ethernet interface and assuming no VLAN tagging, tunneling, etc., you might try a snaplen of 34 to limit the bytes you capture to only the Ethernet and IP headers. You may also want to try experimenting with the command-line tools such as dumpcap and/or tshark along with some other shell commands such as sort, uniq, etc. to accomplish what you need. answered 19 Dec '11, 16:19 cmaynard ♦♦
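The snaplen arithmetic in the answer above (14 bytes of Ethernet header plus a 20-byte IPv4 header without options gives 34) is easy to check without touching a live interface. The following is an added example, not code from the original thread or from the Wireshark project: it builds a small libpcap file in memory, truncates every frame to a chosen snaplen exactly as dumpcap -s would, and then walks the records to collect the unique source and destination addresses. The frames, MAC addresses and IP addresses are constructed for the example (documentation ranges, not real hosts). It also shows the caveat the answer hints at: an 802.1Q tag adds 4 bytes, so a tagged IPv4 frame is cut off before its IP header at snaplen 34 and is only parseable at 38.

```python
import struct
from ipaddress import IPv4Address

# Classic libpcap constants (little-endian magic, linktype 1 = Ethernet).
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
VLAN_TAG_LEN = 4
IPV4_MIN_HDR_LEN = 20
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100


def ipv4_packet(src, dst, payload=b""):
    """Minimal IPv4 header (no options, zero checksum) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HDR_LEN + len(payload),
                      0, 0, 64, 17, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def ethernet_frame(ethertype, payload, vlan_id=None):
    """Ethernet II frame with constructed MACs and an optional 802.1Q tag."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def build_pcap(frames, snaplen):
    """Serialize frames as a pcap file, truncating each record to snaplen."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack("<IIII", 1324339200 + i, 0, len(captured), len(frame))
        out += captured
    return out


def unique_ips(pcap_bytes):
    """Return (sorted unique IPv4 addresses, count of IPv4 records cut off by snaplen)."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    linktype, = struct.unpack_from("<I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles Ethernet captures")
    ips, truncated, offset = set(), 0, 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        rec = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(rec) < ETH_HDR_LEN:
            truncated += 1
            continue
        ethertype, = struct.unpack_from("!H", rec, 12)
        l3 = ETH_HDR_LEN
        if ethertype == ETHERTYPE_VLAN:  # 802.1Q: real ethertype follows the 4-byte tag
            if len(rec) < l3 + VLAN_TAG_LEN:
                truncated += 1
                continue
            ethertype, = struct.unpack_from("!H", rec, l3 + 2)
            l3 += VLAN_TAG_LEN
        if ethertype != ETHERTYPE_IPV4:
            continue  # ARP, IPv6, etc.: not part of the question
        if len(rec) < l3 + IPV4_MIN_HDR_LEN:
            truncated += 1  # snaplen too small for this encapsulation
            continue
        src, dst = struct.unpack_from("!4s4s", rec, l3 + 12)
        ips.add(str(IPv4Address(src)))
        ips.add(str(IPv4Address(dst)))
    return sorted(ips, key=IPv4Address), truncated


def demo(snaplen=34):
    """Constructed traffic: three plain IPv4 frames, one ARP, one VLAN-tagged IPv4."""
    frames = [
        ethernet_frame(ETHERTYPE_IPV4, ipv4_packet("192.0.2.10", "198.51.100.5", b"\x00" * 100)),
        ethernet_frame(ETHERTYPE_IPV4, ipv4_packet("198.51.100.5", "192.0.2.10", b"\x00" * 100)),
        ethernet_frame(ETHERTYPE_IPV4, ipv4_packet("192.0.2.10", "203.0.113.77", b"\x00" * 500)),
        ethernet_frame(ETHERTYPE_ARP, b"\x00" * 28),
        ethernet_frame(ETHERTYPE_IPV4, ipv4_packet("10.0.0.1", "10.0.0.2", b"\x00" * 60), vlan_id=100),
    ]
    return unique_ips(build_pcap(frames, snaplen))


if __name__ == "__main__":
    for snaplen in (34, 38):
        addrs, cut = demo(snaplen)
        print(f"snaplen {snaplen}: {addrs} ({cut} IPv4 record(s) cut off)")
```

On a real box the same idea is two commands: capture headers only with something like `dumpcap -i <interface> -s 34 -f ip -w seen.pcap` (use 38 if the monitoring port delivers tagged frames), then list the addresses with `tshark -r seen.pcap -T fields -e ip.src -e ip.dst | tr '\t' '\n' | sort -u`. The `tr` and `sort` steps assume a POSIX shell; on Windows they need Cygwin or a similar environment, or the address columns can be sorted in a spreadsheet instead.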