mike dodson <mikejd208@...> writes:
> I would like to monitor for a few days anything going out on any port other
than port 80 or port 443. is there a simple display filter that I can use to
see this information. I am new and still learning some of the simple stuff.
The reason for doing this is so that I can right a firewall rule to block all
ports but what is needed.
> thank you for all the help.
I have to question your desire to use a display filter in this case. If you
really plan on capturing for a few days, then you'll most likely run into memory
issues[1]. You are far better off running dumpcap with the most restrictive
capture filter you can, possibly even setting the smallest snaplen you require
(if possible, depending on your needs/requirements) and utilizing dumpcap's ring
buffer options to further limit the size of the capture files to more manageable
levels.
... unless of course you have tons of memory and very low utilization on your
network, in which case you might be OK.
[1]: http://wiki.wireshark.org/KnownBugs/OutOfMemory