When you run a packet capture in Wireshark, a large amount of data often comes in and the PC slows down. That is to be expected: Wireshark keeps the captured packets (and the dissection state for each of them) in PC memory.
When troubleshooting a problem that takes an unpredictable, possibly long time to reproduce, Tshark is recommended. Since it writes the capture to a file on disk instead of holding it in memory, it consumes very little memory no matter how long the capture runs.
So, how to use Tshark
First, list the capture interfaces (tshark -D) and check the ID of the one you want:
1. \Device\NPF_{ECD2CEFE-5C05-4AB5-8180-23900F2A01E7} ABCDEFG
The leftmost number is the interface ID. If several interfaces are listed, work out which one actually carries the traffic you want to capture, and note its ID.
Then run tshark with the following options:
-w specifies the output file name. If you give just a file name, the file is created in the current directory (in this case a file called nwwatch.pcap on c:\); if you give a full path, it is saved there instead.
-b filesize: this is the ring-buffer file size. On reaching 10000 KB (about 10 MB) tshark closes the file and starts a new one. Note that with filesize alone the files keep accumulating until the disk is full, so for a long-running capture also add -b files:N to keep only the newest N files.
Filter
The previous example did not use one, but with a capture filter you can record only the traffic you are interested in, which also keeps the ring-buffer files small.
For example, if you only want packets involving 192.168.1.1 and TCP port 80 (192.168.1.1 as the source or destination IP, and TCP 80 as the source or destination port).
As another example, traffic destined for the 172.16.0.0/16 range, excluding DNS and HTTP.
Or, if you want to see TCP traffic on a port range from 16000 to 16100.
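The walkthrough above as a small shell script, added here as an example (it is not code from the original post). It assumes tshark is on PATH, that interface 1 from the listing is the one to capture on, and that nwwatch.pcap, 10000 KB and 20 files are illustrative values; the three filters are my BPF renderings (passed with -f) of the three cases described. The tshark option syntax is the same whether you type it into cmd/PowerShell on Windows or a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post): tshark ring-buffer capture helpers.
# Assumptions: tshark on PATH; interface index 1 is the right one; the output
# file name, 10000 KB file size and 20-file cap are illustrative values.

# Constructed sample of `tshark -D` output (the first line mirrors the post).
SAMPLE_IFACES='1. \Device\NPF_{ECD2CEFE-5C05-4AB5-8180-23900F2A01E7} ABCDEFG
2. \Device\NPF_{00000000-0000-0000-0000-000000000000} Loopback'

# Print the interface index whose description (last column) equals $2,
# given a `tshark -D` listing in $1. Prints nothing if there is no match.
iface_index_by_desc() {
  printf '%s\n' "$1" | while read -r idx _dev desc; do
    if [ "$desc" = "$2" ]; then
      printf '%s' "${idx%.}"   # strip the trailing dot from "1."
      return 0
    fi
  done
}

# Capture filters (BPF syntax, passed to tshark with -f) for the three cases.
FILTER_HOST_HTTP='host 192.168.1.1 and tcp port 80'                   # 192.168.1.1 as src or dst, TCP 80 as src or dst port
FILTER_NET_NO_DNS_HTTP='dst net 172.16.0.0/16 and not (port 53 or port 80)'  # to 172.16/16, minus DNS and HTTP
FILTER_TCP_RANGE='tcp portrange 16000-16100'                           # TCP src or dst port 16000..16100

# Build the tshark command line for a disk-backed ring-buffer capture.
# $1 interface, $2 output file, $3 file size in KB, $4 files to keep,
# $5 capture filter (may be empty).
# -b files:N is added on top of the post's -b filesize so the oldest file is
# overwritten instead of the capture filling the disk while you wait.
build_capture_cmd() {
  cmd="tshark -i $1 -w $2 -b filesize:$3 -b files:$4"
  if [ -n "$5" ]; then
    cmd="$cmd -f '$5'"
  fi
  printf '%s' "$cmd"
}

# Usage: the command lines are printed rather than executed, so the script is
# safe to run anywhere; paste the one you want into a shell that has capture
# privileges (it runs until you stop it with Ctrl-C).
IFACE=$(iface_index_by_desc "$SAMPLE_IFACES" ABCDEFG)
build_capture_cmd "$IFACE" nwwatch.pcap 10000 20 "";                      echo
build_capture_cmd "$IFACE" nwwatch.pcap 10000 20 "$FILTER_HOST_HTTP";     echo
build_capture_cmd "$IFACE" nwwatch.pcap 10000 20 "$FILTER_NET_NO_DNS_HTTP"; echo
build_capture_cmd "$IFACE" nwwatch.pcap 10000 20 "$FILTER_TCP_RANGE";     echo
```

Two points worth keeping in mind: a capture filter is applied before anything is written, so it is the right kind of filter for a long ring-buffer capture (a display filter only hides packets in a file that is already on disk); and once the problem reproduces, stop tshark promptly, since with -b files:20 the file holding the interesting traffic will be rotated out after 20 more files have been written.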