I'm running a capture on a firewall from one side and on a server at the other to monitor AV update traffic. The server has a capture filter (not display filter) applied to capture traffic only from the firewall IP. Each wireshark capture file size is 300-400MB however when I go to the wireshark conversations in the 400MB file the biggest bytes count is 2MB on the server from my firewall to the server. Is this a case of wireshark is actually capturing all the traffic on the server hence the large file size but only displaying what is specified in the capture filter or is the server getting 300-400MB of traffic from the firewall that's not showing up in conversations. Thanks. asked 11 Mar '15, 01:56  Costello |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
please post the following screenshots.
Apologies I can't post due to IP's being displayed. I have discovered an error in my findings anyway. Thank you for replying.