Can I use Wireshark to identify a bandwidth hog, i.e. a user/pc that is perhaps watching videos or on peer to peer file sharing networks and thus using high bandwidth? Thank you

asked 06 Mar '12, 12:07 IT Tropolis
One Answer:
Yes you can...

... by using "Statistics -> Endpoints". Click on the IP tab and then sort on the column you find most interesting.

answered 06 Mar '12, 12:12 SYN-bit ♦♦
Hello SYN-bit, after going to Statistics-Endpoints, the only IP tab I have is IPv4:332. Is that the one I should click on? To find the bandwidth hog, which column should I look into: Bytes, Tx Packets, Tx Bytes, Rx Packets, Rx Bytes?
I would sort the rows first by Bytes A->B and then by Bytes B->A (by clicking on column name) and look for the maximum value of both (as assignment of A and B roles to endpoints of a given conversation depends on the order of occurrence of the addresses in the capture). But having no TCP and/or UDP tab is strange, haven't you disabled the dissectors?
Let me try to disable the dissectors. Really appreciate your help.
It may well be a chain of misunderstandings. I thought you complained that there are no other tabs than the IP one in the Statistics -> Endpoints window, so I've suggested that you check whether the dissectors of TCP and UDP are not disabled by chance, assuming that disabling them would cause the TCP and UDP tabs to go missing. But maybe you actually wanted IPv6 on top/instead of IPv4? I've checked now and found that disabling TCP and UDP dissectors doesn't hide their tabs, it only makes them empty. So do not disable the dissectors (or re-enable them if you already did).
Which version of Wireshark do you run? In 2.0.2, pressing the Endpoint Types button gives you a checklist of tabs to be shown, so you can verify that tickboxes next to layers/protocols you are interested in are checked.
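
The per-endpoint byte ranking discussed in this thread can also be computed outside the GUI. The following is an added example, not part of the original thread: it assumes per-packet fields exported as tab-separated text with `tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e frame.len`, and the sample addresses and sizes are constructed.

```python
from collections import defaultdict

# Constructed sample in the shape produced by the tshark command in the
# lead-in: ip.src <TAB> ip.dst <TAB> frame.len (addresses and sizes made up).
SAMPLE = "\n".join([
    "192.168.1.10\t203.0.113.5\t74",
    "203.0.113.5\t192.168.1.10\t1514",
    "203.0.113.5\t192.168.1.10\t1514",
    "192.168.1.10\t203.0.113.5\t66",
    "192.168.1.20\t198.51.100.7\t120",
    "198.51.100.7\t192.168.1.20\t300",
    "\t\t60",  # non-IP frame (e.g. ARP): address fields are empty
    # ICMP error quoting an inner IP header: each field carries two values
    "198.51.100.7,192.168.1.20\t192.168.1.20,198.51.100.7\t98",
])


def endpoint_bytes(lines):
    """Return {ip: {"tx": n, "rx": n, "total": n}}, one row per IPv4 endpoint."""
    stats = defaultdict(lambda: {"tx": 0, "rx": 0, "total": 0})
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 3 or not parts[0] or not parts[1]:
            continue  # skip frames without an IPv4 header
        # tshark joins repeated fields with ","; keep the outer header only.
        src, dst = parts[0].split(",")[0], parts[1].split(",")[0]
        try:
            size = int(parts[2])
        except ValueError:
            continue  # malformed length field
        # Credit the frame to both endpoints, whichever side sent it, so the
        # ranking does not depend on which address appeared first.
        for ip, direction in ((src, "tx"), (dst, "rx")):
            stats[ip][direction] += size
            stats[ip]["total"] += size
    return dict(stats)


def top_talkers(lines, n=5):
    """Endpoints sorted by total bytes, largest first."""
    stats = endpoint_bytes(lines)
    return sorted(stats.items(), key=lambda kv: kv[1]["total"], reverse=True)[:n]


if __name__ == "__main__":
    for ip, s in top_talkers(SAMPLE.splitlines()):
        print(f"{ip:15} total={s['total']:6} tx={s['tx']:6} rx={s['rx']:6}")
```

On a real capture, a local address with a large "rx" value is the download-heavy host; a large "tx" value points at an uploader.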