Re: wireshark question

From: Carl Gosselin <carl.gosselin_at_altizone.com>
Date: Thu, 11 Aug 2011 11:22:20 -0400

If you are unsure of the traffic you want to capture, typically what I would
do is capture data from the two hosts with a filter like:
((ip.dst == 10.x.x.x) and (ip.src == 10.y.y.y)) or ((ip.dst == 10.y.y.y) and (ip.src == 10.x.x.x))

Then you can select the conversation out of the capture by:

   1. Selecting a captured packet
   2. Right click and choose the "Conversation Filter"
   3. Select the conversation type: Ethernet, IP, TCP or UDP

If you have more info then you can add it to the filter to capture only what
you need.

HTH
-Carl

On Thu, Aug 11, 2011 at 9:49 AM, Matt Sherman <matt.sherman2_at_gmail.com> wrote:

> Do any of you know if there is a way to configure Wireshark so that it only
> records unique conversations? For instance, if there is continuous HTTP
> communication between a client IP and server IP, I would just like to record
> that once, not every single instance.
>
> The reason for this is that I just want to gather a record of all the
> protocols being used by a device. I'd like to start running the capture and
> come back a day or two later to see what's going on without worrying about
> the pcap file ballooning to a multi gigabit file.
>
> Thanks,
> Matt
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Aug 11 2011 - 11:22:20 ART
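
Added example, not part of either poster's message: a Python sketch that post-processes a saved classic-format pcap and collapses it to one record per host pair, protocol and service port, which is the protocol inventory the original question asks for. The helper names, the constructed sample capture with its 10.0.0.x addresses, and the "lower port is the service" heuristic are assumptions of this example.

```python
import struct

PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def unique_conversations(pcap: bytes) -> set:
    """Collapse a classic (non-pcapng) Ethernet pcap to unique conversations."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    seen, off = set(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated, or not IPv4 (VLAN tags and IPv6 are skipped)
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        fragment_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        port = 0  # stays 0 for ICMP and for non-first fragments (no L4 header)
        if proto in (6, 17) and fragment_offset == 0 and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
            port = min(sport, dport)  # assumption: lower port is the service
        lo, hi = sorted((ip[12:16], ip[16:20]))  # direction-independent key
        seen.add((dotted(lo), dotted(hi), PROTO.get(proto, f"IP/{proto}"), port))
    return seen

def dotted(addr: bytes) -> str:
    return ".".join(map(str, addr))

def _frame(src, dst, proto, sport, dport):
    """Constructed test frame: Ethernet + IPv4 + 8 bytes carrying the ports."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)

def sample_pcap() -> bytes:
    """Constructed capture: repeated HTTP between two hosts plus one DNS query."""
    c, web, dns = (10, 0, 0, 5), (10, 0, 0, 80), (10, 0, 0, 53)
    frames = [_frame(c, web, 6, 49152, 80), _frame(web, c, 6, 80, 49152),
              _frame(c, web, 6, 49153, 80), _frame(c, dns, 17, 53000, 53)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(sorted(unique_conversations(sample_pcap())))
```

The three HTTP frames collapse to a single TCP/80 record regardless of direction or client port, so the output size tracks the number of distinct services rather than the traffic volume.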

This archive was generated by hypermail 2.2.0 : Thu Sep 01 2011 - 06:05:56 ART