Wireshark · Ethereal-users: RE: [Ethereal-users] Filters

Ethereal-users: RE: [Ethereal-users] Filters

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Visser, Martin (SNO)" <Martin.Visser@xxxxxxxxxx>

Date: Fri, 22 Jun 2001 14:17:25 +0800

1. Firstly I would probably make use of the ip accounting in the Cisco. You need to config on the serial interface and add " ip accounting output-packets
". After a minute then do "show ip accounting". You'll get something like :-

   Source           Destination              Packets               Bytes
10.138.2.2       10.128.9.2                  865846            76277502
10.138.2.2       10.136.5.2                  907612            78689819
10.138.2.2       10.128.9.4                 1904894           126219478
10.138.2.2       10.132.2.2                  439578            38682864
10.138.2.2       10.176.71.3                  10629              694619
10.138.2.2       10.176.71.2                 859281            75611829
10.138.2.2       10.128.2.150                   691              120774
10.138.3.2       10.128.2.150                  3423              206338
10.138.2.2       127.0.0.1                      906               26274

Accounting data age is 3d03h

2. If you are on the ethernet going into the router you can't actually know if traffic is going to the Internet. However you can certainly make a good guess.

As a capture filter you can use the MAC address of the router e.g. "ether dst 01:02:34:56:78:90". This will only capture traffic to the router. If the router also does local routing you may also need to added display filtering to remove local destination addresses. Once you have isolated the traffic type though you can probably just analyse a small sample of data to determine the culprits

Martin Visser
Network Consultant - Compaq Global Services

Compaq Computer Australia
410 Concord Road
Rhodes, Sydney NSW 2138
Australia

Phone: +61-2-9022-5630
Mobile: +61-411-254-513
Fax:+61-2-9022-7001
Email:martin.visser@xxxxxxxxxx

-----Original Message-----
From: Serge Dergham [mailto:serge@xxxxxxxxx]
Sent: Friday, 22 June 2001 10:23 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: [Ethereal-users] Filters

Hi all,

I'm new to this stuff (but can learn fast ;-), need some help in my work.

We have noticed from time to time very heavy abnormal trafic going out of our main router/gateway (cisco 2500) toward the internet, and can last several hours each time, nearly bringing down our internet access.

Next time this happens I would like to be able to find the source/nature of this unusual trafic.

What are the capture filters that I can/should use to isolate/capture/see only the trafic going out of my router/gateway serial port ? or going thru the gateway to the outside world ? (I have several IP classes on my internal network).

or how would you go to solve the problem above ?

(running Ethereal on W2K)

TIA

Serge Dergham

Follow-Ups:
- Re: [Ethereal-users] Filters
  - From: Serge Dergham

Prev by Date: Re: [Ethereal-users] Bug in 802.11 dissector
Next by Date: [Ethereal-users] (no subject)
Previous by thread: [Ethereal-users] Filters
Next by thread: Re: [Ethereal-users] Filters
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$