Wireshark-users: Re: [Wireshark-users] Newbie question

From: "Tom Maugham" <Thomas@xxxxxxxxxxx>
Date: Sun, 23 Sep 2007 19:25:03 -0400

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Sunday, September 23, 2007 6:19 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Newbie question

On Sun, Sep 23, 2007 at 05:38:57PM -0400, Tom Maugham wrote:
> Thanks for the info...
> 
> It appears that I have two problems:
> 1) The adapter in my laptop needs to be
> set to promiscuous mode and I cannot see any way to do that

Not quite. Wireshark puts the capturing interface it uses in
promiscuous mode by default. Unfortunately, a lot of wlan-drivers
don't pass the packets that are not destined to the card to the
system when the card is put into promiscuous mode. In short, you
will only see the packets to and from your own pc instead of all
the packets on the wire^H^H^H^Hair

Sometimes it's even worse: the driver will not send any packets
to the system when the card is put in promiscuous mode. In those
cases you need to disable "Capture in promiscuous mode" in the
capture options screen to be able to see your own packets in
Wireshark.

That's what appears to be the case. Is there any way around this?


> and 2) I won't
> be able to see packets to/from the hard-wired pc. Is that correct?

Not quite ;-)  What I meant was that if you use the wired PC to
capture the packets instead of the wireless PC, you will also not
see all the packets. This is because the PC is connected to
a switch, which learns to which of its ports each system is
connected and only forwards traffic destined for the connected
system(s) out a port. You might want to read the Wiki-article
about that again. It will give you some insight into what kind
of traffic you can expect when you connect the PC to some type
of device.

It appears that I must use the wired pc to see the traffic to/from that pc
which unfortunately I cannot do. I can only use the laptop.

Hope this helps, Cheers,


Sake

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
> Sent: Sunday, September 23, 2007 2:23 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Newbie question
> 
> On Sun, Sep 23, 2007 at 02:03:09PM -0400, Tom Maugham wrote:
> > I have just installed Wireshark on a laptop which I want to use to monitor
> > my home network. My setup is three desktops connected to a Westell 327W
> > Verizon DSL wireless router. One desktop is hardwired and the other two and
> > the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all
> > the other desktops and the laptop are XP Home SP2.
> >
> > When I initiate Wireshark on the laptop it seems to see everything that is
> > occurring on the laptop but not very much on the other PCs. Why is that? Am
> > I expecting too much from Wireshark or do I not have it configured properly?
> 
> Have a look at http://wiki.wireshark.org/CaptureSetup/WLAN :
> 
> ----- <quote> -----
>  Capturing WLAN traffic on Windows depends on WinPcap and on the underlying
> network adapters and drivers. Unfortunately, most drivers/adapters support
> neither monitor mode, nor seeing 802.11 headers when capturing, nor
> capturing non-data frames.
>
>  Promiscuous mode can be set; unfortunately, it's often crippled. In this
> mode many drivers don't supply packets at all, or don't supply packets sent
> by the host.
> ----- </quote> -----
> 
> Also when you try to capture all the traffic on the PC with the hard-wired
> connection, you won't see all the packets since the network is switched.
> Have a look at http://wiki.wireshark.org/CaptureSetup/Ethernet for
> more details on what traffic you are able to see on which type of
> network-connections.
> 
> Hope this helps, Cheers,
> 
> 
> Sake
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
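
A check for the situation discussed in the thread above, added here as an example and not written by either poster: it reads a saved capture in classic pcap format and counts frames that involve the capturing machine's own MAC address, broadcast/multicast frames, and unicast frames between other hosts. The function names, MAC addresses and sample captures are constructed for illustration, and the capture is assumed to use the Ethernet link type.

```python
import struct

def classify_pcap(data, own_mac):
    """Count Ethernet frames in classic-pcap bytes by relation to own_mac."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    counts = {"own": 0, "broadcast_multicast": 0, "other_unicast": 0, "truncated": 0}
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < incl_len or len(frame) < 14:
            counts["truncated"] += 1
        elif own_mac in (frame[0:6], frame[6:12]):
            counts["own"] += 1            # sent by or addressed to this machine
        elif frame[0] & 1:
            counts["broadcast_multicast"] += 1  # group bit set in destination
        else:
            counts["other_unicast"] += 1  # unicast between two other hosts
    return counts

def build_sample(frames):
    """Build a constructed little-endian pcap from (dst, src) MAC pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dst, src in frames:
        frame = dst + src + b"\x08\x00" + b"\x00" * 46  # dummy 60-byte frame
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed, locally administered MAC addresses (not from the thread).
LAPTOP, DESKTOP, ROUTER = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))
BROADCAST = b"\xff" * 6

# What the thread describes: own traffic plus broadcasts only.
LIMITED = build_sample([(ROUTER, LAPTOP), (LAPTOP, ROUTER), (BROADCAST, DESKTOP)])
# What a fully working promiscuous capture on shared media would add.
FULL = build_sample([(ROUTER, LAPTOP), (BROADCAST, DESKTOP), (ROUTER, DESKTOP)])

if __name__ == "__main__":
    print("limited:", classify_pcap(LIMITED, LAPTOP))
    print("full:   ", classify_pcap(FULL, LAPTOP))
```

A zero in `other_unicast` over a busy period matches the limited visibility described in the replies; a small non-zero count on a switched port can still come from the switch flooding frames for addresses it has not learned yet.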