Wireshark-users: Re: [Wireshark-users] ?

From: Hansang Bae <for_list_hbae@xxxxxxxxxx>
Date: Mon, 08 Nov 2010 10:46:33 -0500
On 11/8/2010 10:09 AM, David Shephard wrote:

Hi all I want to capture LAN  traffic from Core Switch to DMZ & filter by protocol, is this possible?


Yes, you can filter on anything you'd like.  But somethings you need to answer are
1) How do you plan on getting the traffic to the analyzer?  Via span/mirror session?
2) If so, make sure you pick one ingress/egress point.  Don't span the VLAN because you'll then capture the packets as it enters and exits the VLAN.
3)  Keep an eye on the monitor/span destination port (sho int, or sho mac in Cisco'ese) to make sure that you're not overrunning the monitor/span port.
4)  You have the option of running VACLs to limit what you capture, but there are some dependencies so stay away unless you have a clear idea about the pro's and con's.  There was a nice Sharkfest presentation this year on using VACL's so check it out on the sharkfest 2010 site.

Once you've successfully created the span, you can also filter on Wireshark itself.  You can use "host 1.1.1.1" or you can use "port 123" etc. 

It's a pretty open ended question so I'm hesitating on giving a detailed answer.