Wireshark mailing list archives

Re: ?


From: Hansang Bae <for_list_hbae () nyc rr com>
Date: Mon, 08 Nov 2010 10:46:33 -0500

On 11/8/2010 10:09 AM, David Shephard wrote:

Hi all, I want to capture LAN traffic from Core Switch to DMZ & filter by protocol. Is this possible?


Yes, you can filter on anything you'd like. But some things you need to answer are:

1) How do you plan on getting the traffic to the analyzer? Via span/mirror session?
2) If so, make sure you pick one ingress/egress point. Don't span the VLAN because you'll then capture the packets as they enter and exit the VLAN.
3) Keep an eye on the monitor/span destination port (sho int, or sho mac in Cisco'ese) to make sure that you're not overrunning the monitor/span port.
4) You have the option of running VACLs to limit what you capture, but there are some dependencies so stay away unless you have a clear idea about the pros and cons.

There was a nice Sharkfest presentation this year on using VACLs so check it out on the Sharkfest 2010 site.

Once you've successfully created the span, you can also filter on Wireshark itself. You can use "host 1.1.1.1" or you can use "port 123" etc.

It's a pretty open-ended question so I'm hesitating on giving a detailed answer.



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
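
Point 2 of the reply warns that spanning a whole VLAN captures each packet once on the way in and again on the way out. The following Python script is an added example, not part of the original message or of Wireshark: it reads a classic pcap and reports frames whose bytes past the Ethernet header repeat within a short window, which is how that doubled capture shows up in a trace. The function names, the 5 ms window, the untagged-Ethernet assumption and the sample frames are all constructed for illustration.

```python
import hashlib
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # classic pcap file header, little-endian
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(frames):
    """Build in-memory pcap bytes from (timestamp_seconds, frame_bytes) pairs."""
    out = [PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in frames:
        sec, usec = divmod(round(ts * 1_000_000), 1_000_000)
        out.append(PCAP_RECORD.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from little-endian classic pcap bytes."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    pos = PCAP_GLOBAL.size
    while pos + PCAP_RECORD.size <= len(data):
        sec, usec, incl, _orig = PCAP_RECORD.unpack_from(data, pos)
        pos += PCAP_RECORD.size
        yield sec + usec / 1_000_000, data[pos:pos + incl]
        pos += incl

def find_span_duplicates(data, window=0.005):
    """Return (first, copy) index pairs whose post-Ethernet bytes repeat within `window` s."""
    pairs, last_seen = [], {}  # last_seen: digest -> (index, timestamp) of latest copy
    for idx, (ts, frame) in enumerate(read_pcap(data)):
        digest = hashlib.sha256(frame[14:]).digest()  # skip 14-byte untagged Ethernet header
        prev = last_seen.get(digest)
        if prev is not None and ts - prev[1] <= window:
            pairs.append((prev[0], idx))
        last_seen[digest] = (idx, ts)
    return pairs

def _frame(ip_id, payload):
    """Constructed sample: Ethernet + minimal IPv4/UDP frame (checksums left at 0)."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    udp = struct.pack("!HHHH", 40000, 123, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + udp

# Constructed capture: frame 1 is the second (egress) copy of frame 0; frame 3
# repeats frame 0 a full second later, outside the window, so it is not paired.
SAMPLE = build_pcap([(1.000000, _frame(1, b"a")), (1.000050, _frame(1, b"a")),
                     (1.000100, _frame(2, b"b")), (2.000000, _frame(1, b"a"))])
print(find_span_duplicates(SAMPLE))
```

A trace in which nearly every frame pairs with its neighbour points at the mirror configuration rather than at the network; genuine retransmissions normally carry a different IP ID and do not match.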
