Wireshark Experts - Need advice on a packet capture setup
Have a network slowness issue I am trying to pinpoint, for a remote site communicating back to a main location through an IPsec VPN tunnel for internal apps (Outlook and AD mainly), and the internet just takes the ISP gateway out to the internet.
The internet speeds are always fine, the computers just seem to be dragging ass when starting up (the authentication and login script of AD), and Outlook is intermittently extremely slow as well - both to the point I'd almost call it more a disconnect issue than a slowness.
The problem is that it's extremely random timing when it will happen and when it won't, so I was wondering if there is a best practice for logging a packet capture for an extended period of time on a user PC? I am assuming the best way to narrow down traffic is by putting filters on the capture for traffic destined for the Exchange and file / AD server.
Anyone got a good link or idea of the best way to set up an ongoing packet capture on someone's PC, and are any extra programs necessary to store the logs?
Thanks!
Comments
devils_haircut:
If you look under "Capture > Options" you can specify that Wireshark break the capture up into multiple files based on time or file size. You can also tell it where to drop the files, like a UNC path. I'm not sure if that helps you or not.
EDIT: Just remembered, you can also use a "Ring Buffer" style, which will tell Wireshark to only store a certain number of files that you specify (again, based on time or size). It will overwrite the oldest file if it exceeds that mark. So if you set the Ring Buffer to 3, when it creates 3 files, the fourth will start overwriting the 1st one. This means you can basically tell Wireshark to never store more than X MB of .pcap files during this capture.
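The same ring-buffer setup can be run unattended from the command line with dumpcap (the capture engine that ships with Wireshark), which avoids keeping the GUI open on the user's PC for days. This is an added example, not from the thread; the interface name, output path and server addresses are placeholders, and the server filter implements the "traffic destined for the Exchange and AD server" idea from the original question.

```shell
# Added example (not from the thread). Builds a dumpcap ring-buffer capture
# command equivalent to the "Capture > Options" settings described above.
# Interface, output prefix and server addresses are placeholders.

# Capture filter (BPF) limiting the capture to the servers of interest; each
# argument is one server address (placeholders in the usage below).
server_filter() {
  filter=""
  for h in "$@"; do
    if [ -n "$filter" ]; then
      filter="$filter or "
    fi
    filter="${filter}host $h"
  done
  printf '%s' "$filter"
}

# Upper bound on disk use for the ring buffer: N files of S kilobytes each.
ring_buffer_budget_kb() {
  echo $(( $1 * $2 ))
}

# $1 interface, $2 files to keep, $3 size per file in kB, $4 capture filter,
# $5 output prefix. -b files:N keeps at most N files and overwrites the
# oldest; -b filesize:S starts a new file once the current one reaches S kB.
# -s 128 keeps only headers, which is enough for retransmission/RTT analysis
# over a long capture (drop it if you need application payloads). dumpcap
# appends a sequence number and timestamp to the prefix for each file.
build_ringbuffer_capture() {
  printf 'dumpcap -i %s -s 128 -f "%s" -b files:%s -b filesize:%s -w %s.pcapng' \
    "$1" "$4" "$2" "$3" "$5"
}

# Usage: 3 files of 100 MB each, only traffic to/from two placeholder servers.
# Run `dumpcap -D` first to find the interface name on the target machine.
build_ringbuffer_capture eth0 3 102400 \
  "$(server_filter 192.0.2.10 192.0.2.20)" /captures/slow
echo
echo "worst-case disk use: $(ring_buffer_budget_kb 3 102400) kB"
```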
ande0255:
Thanks much for the reply, that is way helpful, +1 TE Karma for you sir