wireshark-users November 2010 archive

Re: [Wireshark-users] ?

From: Hansang Bae <for_list_hbae_at_nospam>
Date: Mon Nov 08 2010 - 15:46:33 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

On 11/8/2010 10:09 AM, David Shephard wrote:
>
> Hi all I want to capture LAN traffic from Core Switch to DMZ & filter
> by protocol, is this possible?
>

Yes, you can filter on anything you'd like. But some things you need to
answer are:
1) How do you plan on getting the traffic to the analyzer? Via
span/mirror session?
2) If so, make sure you pick one ingress/egress point. Don't span the
VLAN because you'll then capture the packets as they enter and exit the
VLAN.
3) Keep an eye on the monitor/span destination port (sho int, or sho
mac in Cisco'ese) to make sure that you're not overrunning the
monitor/span port.
4) You have the option of running VACLs to limit what you capture, but
there are some dependencies so stay away unless you have a clear idea
about the pros and cons. There was a nice Sharkfest presentation this
year on using VACLs so check it out on the Sharkfest 2010 site.

Once you've successfully created the span, you can also filter on
Wireshark itself. You can use "host 1.1.1.1" or you can use "port 123"
etc.

It's a pretty open-ended question so I'm hesitating on giving a detailed
answer.
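
Added example, not part of the original post: point 2 above warns that spanning a whole VLAN captures each packet as it enters and as it exits, and this Python sketch checks a capture for that by counting IPv4 packets that reappear within a short window, ignoring TTL and header checksum so a routed copy still matches. The function names, the 5 ms window and the sample capture are constructed assumptions; only classic little-endian pcap files are read.

```python
import hashlib
import struct

def read_pcap(data):
    """Yield (timestamp, frame) from a classic little-endian microsecond pcap."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("not a little-endian classic pcap")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack("<IIII", data[off:off + 16])
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def ipv4_fingerprint(frame):
    """Hash the IPv4 packet with TTL and checksum zeroed; None if not IPv4."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":  # skip one 802.1Q tag
        off += 4
    if frame[off:off + 2] != b"\x08\x00" or len(frame) < off + 22:
        return None
    total_len = struct.unpack("!H", frame[off + 4:off + 6])[0]
    ip = bytearray(frame[off + 2:off + 2 + max(20, total_len)])  # no padding
    ip[8] = 0                 # TTL differs if the second copy was routed
    ip[10:12] = b"\x00\x00"   # header checksum changes along with TTL
    return hashlib.sha256(bytes(ip)).digest()

def count_span_duplicates(pcap_bytes, window=0.005):
    """Return (ipv4_packets, duplicates seen again within `window` seconds)."""
    last_seen, total, dups = {}, 0, 0
    for ts, frame in read_pcap(pcap_bytes):
        fp = ipv4_fingerprint(frame)
        if fp is not None:
            total += 1
            if fp in last_seen and ts - last_seen[fp] <= window:
                dups += 1
            last_seen[fp] = ts
    return total, dups

def sample_pcap():
    """Constructed capture: packet id 1 seen twice (TTL 64 then 63), id 2 once."""
    def rec(usec, ident, ttl):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ident, 0, ttl, 17,
                         0xFFFF - ttl, bytes([10, 0, 0, 5]), bytes([1, 1, 1, 1]))
        frame = bytes(12) + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, 123, 8, 0)
        return struct.pack("<IIII", 0, usec, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + rec(100, 1, 64) + rec(300, 1, 63) + rec(900, 2, 64)

if __name__ == "__main__":
    print(count_span_duplicates(sample_pcap()))
```

A duplicate count close to half the IPv4 total suggests the span is seeing every packet twice, in which case moving the session to a single ingress/egress port is the fix.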
