Help with Wireshark capture filtering (newbie)


#1

Hi everyone

Wireshark: 1.2.9

We are experiencing a network problem and I am trying to use Wireshark to provide more info, but am running into a few blocks as I’ve used it quite rarely before.

The situation is this: I am trying to carry out a Wireshark capture on a Windows 2003 SP2 server on 192.168.1.1. For some reason it is having trouble communicating with another machine on 192.168.1.2; the application on 192.168.1.1 is throwing errors because sometimes the connection to .2 is dropped. I don’t know whether this is a problem with .1, .2 or what.

We’ve checked out the switches/routers etc. and there are no errors on there. So I figured I’d run a Wireshark capture on .1.

Problem is, .1 is a busy server with loads of connections to various things, so the capture file builds quite quickly and after a while terminates saying that “Wireshark has run out of memory”.

Can someone out there who is knowledgeable in all things Wireshark tell me:

  1. When I’m running the capture, I guess all I am interested in is the connectivity to .2 - is there any way to filter the capturing so that only communication between .1 and .2 is logged? If so - how exactly?

  2. I’m worried about the C: drive filling up if I leave Wireshark running for a period of time. I see I can set an option to move the temporary file to the D: drive, but are there any other techniques to minimise disk utilisation when carrying out a capture over a long period of time?

  3. I really need a capture over the course of a day - is Wireshark the best product for me?

  4. When I do eventually get a capture, what should I really be looking for in the “Info” column? Is there any way to watch a particular conversation, do I follow “seq” numbers or something?

  5. Is there any other way to minimise the amount of data that I am logging?

Any help much appreciated!


#2

Capture filters:
tcp port
host 192.168.1.1 or host 192.168.1.2
tcp port and ( host 192.168.1.1 or host 192.168.1.2 )

To avoid “Wireshark has run out of memory”, try tshark.
This is Wireshark without the GUI.
It is in the same place as wireshark.exe.

Olivier
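As an added example (not from either poster), the Python script below shows two things the thread asks about: what a capture filter restricted to traffic between the two hosts keeps, and what to look for in the resulting file. A capture filter of the form `host 192.168.1.1 and host 192.168.1.2` keeps only frames whose two endpoints are exactly those addresses (the `or` form in the reply above keeps every frame that touches either host, which on a busy server is most of the traffic). For the day-long capture, tshark's ring-buffer options (`-f "<capture filter>"`, `-w <file>`, `-b filesize:<KB>`, `-b files:<N>`) keep the amount on disk bounded by cycling through a fixed number of files. The script builds a constructed pcap containing a handful of Ethernet/IPv4/TCP frames (a SYN that was retransmitted, a session the peer reset, and unrelated traffic to a third host), applies the host-pair filter in code, groups what remains into conversations and counts RST flags and repeated sequence numbers. The ports (1433, 50000, 80) and the third host 192.168.1.50 are made-up sample values; the parser works on any classic Ethernet pcap file, so it could be pointed at a real tshark output file.

```python
import struct
from collections import defaultdict

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags):
    """Ethernet + IPv4 + TCP frame with no payload (constructed sample data).
    Checksums are left at zero because the parser below does not verify them."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)            # data offset 5 words, window 8192
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, ip_bytes(src), ip_bytes(dst))  # TTL 64, protocol 6 = TCP
    return eth + ip + tcp


def build_pcap(frames):
    """Serialise frames as a classic little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def build_sample_capture():
    """Constructed traffic: a retransmitted SYN, a session the peer reset,
    and unrelated traffic to a third host (192.168.1.50, made up)."""
    a, b, other = "192.168.1.1", "192.168.1.2", "192.168.1.50"
    return build_pcap([
        tcp_frame(a, b, 50000, 1433, 100, 0, SYN),
        tcp_frame(a, b, 50000, 1433, 100, 0, SYN),           # same seq again: retransmission
        tcp_frame(b, a, 1433, 50000, 500, 101, SYN | ACK),
        tcp_frame(a, b, 50000, 1433, 101, 501, ACK),
        tcp_frame(a, b, 50000, 1433, 101, 501, PSH | ACK),
        tcp_frame(b, a, 1433, 50000, 501, 102, RST | ACK),    # peer tears the session down
        tcp_frame(a, other, 50001, 80, 7, 0, SYN),
        tcp_frame(other, a, 80, 50001, 9, 8, SYN | ACK),
    ])


def parse_pcap(data):
    """Yield (timestamp, frame_bytes) for each record in a pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode_tcp(frame):
    """Return the IPv4/TCP fields of an Ethernet frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:                                     # IP protocol field
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    t = 14 + ihl
    if len(frame) < t + 20:
        return None
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", frame[t:t + 14])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags}


def between_hosts(pkt, host_a, host_b):
    """Keeps the same packets as the capture filter 'host A and host B'."""
    return {pkt["src"], pkt["dst"]} == {host_a, host_b}


def summarize(pcap_bytes, host_a, host_b):
    """Per-conversation counts of packets, RST flags and retransmitted segments."""
    convs = defaultdict(lambda: {"packets": 0, "rst": 0, "retransmissions": 0})
    seen = set()
    for _, frame in parse_pcap(pcap_bytes):
        pkt = decode_tcp(frame)
        if pkt is None or not between_hosts(pkt, host_a, host_b):
            continue
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        key = "%s:%d <-> %s:%d" % (ends[0] + ends[1])
        conv = convs[key]
        conv["packets"] += 1
        if pkt["flags"] & RST:
            conv["rst"] += 1
        # a SYN, FIN or data-carrying segment that repeats a sequence number
        # from the same sender is counted as a retransmission
        if pkt["flags"] & (SYN | FIN | PSH):
            sig = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["seq"])
            if sig in seen:
                conv["retransmissions"] += 1
            seen.add(sig)
    return dict(convs)


if __name__ == "__main__":
    for conv, counts in summarize(build_sample_capture(), "192.168.1.1", "192.168.1.2").items():
        print(conv, counts)
```

On the constructed sample the unrelated 192.168.1.50 traffic is dropped by the host-pair check, and the single remaining conversation reports one RST and one retransmission. Those are the two symptoms worth looking for first when a connection is "dropped": repeated sequence numbers point to segments that never arrived (loss somewhere on the path), an RST shows which side actively closed the session. Wireshark's own "Follow TCP Stream" and the `tcp.analysis.retransmission` / `tcp.flags.reset==1` display filters give the same view interactively.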