Hi everyone
Wireshark: 1.2.9
We are experiencing a network problem and I am trying to use Wireshark to provide more info, but am running into a few blocks as I’ve used it quite rarely before.
The situation is this: I am trying to carry out a Wireshark capture on a Windows 2003 SP2 server on 192.168.1.1. For some reason it is having trouble communicating with another machine on 192.168.1.2; the application on 192.168.1.1 is throwing errors because sometimes the connection to .2 is dropped. I don’t know whether this is a problem with .1, .2 or what.
We’ve checked out the switches/routers etc and no errors on there. So I figured I’d run a Wireshark capture on .1
Problem is, .1 is a busy server with loads of connections to various things, so the capture file builds quite quickly and after a while terminates saying that “Wireshark has run out of memory”.
Can someone out there who is knowledgable in all things Wireshark tell me:
-
When I’m running the capture, I guess all I am interested in is the connectivity to .2 - is there anyway to filter the capturing so that only communication between .1 and .2 is logged? If so - how exactly?
-
I’m worried about the c: drive filling up if I leave Wireshark running for a period of time. I see I can set an option to move the temporay file to the d: drive, but are there any other techniques to minimise disk utilisation when carrying out a capture over a long period of time?
-
I really need a capture over the course of a day - is wireshark the best product for me?
-
When I do eventually get a capture, what should I really be looking for in the “info” tab? Is there anyway to watch a particular conversation, do I follow “seq” numbers or something?
-
Is there any other way to minimise the amount of data that I am logging?
Any help much appreciated!