
Wireshark-users: Re: [Wireshark-users] Capture Filter

From: "Michael Condon" <admin@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 14 Oct 2008 21:33:39 -0500
But at some point the traffic is not on their private switched network - it is sending/receiving IP packets from various addresses on the internet. This may be a DAQ (Dumb Ass Question), but isn't this traffic open to capture?

----- Original Message -----
From: "Guy Harris" <guy@xxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Tuesday, October 14, 2008 8:22 PM
Subject: Re: [Wireshark-users] Capture Filter



On Oct 14, 2008, at 5:56 PM, Michael Condon wrote:

This is a blind attempt to capture traffic to/from an IP address. Is
there a less obtrusive alternative to capturing this traffic than
infiltrating the internal infrastructure?

I.e., if you're on a switched network, and you want to capture traffic
to or from a particular IP address from or to *all* machines on that
switch, is there a less obtrusive alternative than replacing the
switch with a hub or using a monitor port?

That depends on your definition of "obtrusive".

The only alternatives are the ones listed on

http://wiki.wireshark.org/CaptureSetup/Ethernet

and, if *I* were a network administrator, I'd consider all of the ones
that work "obtrusive", and would consider the alternatives to "use a
switch port", such as ARP poisoning or MAC flooding, to be actively
*hostile* if I weren't the one doing the capturing.

Switches don't send all traffic to them through all ports - that's
kind of the point of a switch, to allow more traffic to pass through
it than can be sent over a single Ethernet link - so the only way to
see all traffic going through a switch is to capture on a port that,
either by configuring the switch (with a monitor port) or bludgeoning
the switch (e.g., ARP poisoning or MAC flooding), manages to get all
traffic forwarded to it.

Note that if more traffic is passing through the switch than can be
sent out to a port on the switch, all of those solutions *will* drop
traffic.  Note also that the switch knows absolutely nothing about
your capture filter; unless its monitor-port feature can be configured
to check IP addresses and forward only matching packets to the monitor
port (i.e., unless the switch has its own notion of filters at that
level), even if your capture filter would select less traffic than can
be sent out to a port on the switch, it won't prevent packets from
being dropped.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
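Guy's point that ARP poisoning and MAC flooding are hostile when someone else does them has a defender's corollary: an administrator running a monitor-port capture can watch ARP traffic for the symptom such tricks leave behind, namely an IP address whose sender MAC changes between replies. The script below is an added example, not code from the thread or from the Wireshark project; it works on constructed lines laid out the way a `tshark -T fields` export of the ARP sender fields might look (timestamp, sender IP, sender MAC, opcode, tab-separated), which is an assumption about the input format rather than something the thread specifies.

```python
"""Flag IP-to-MAC binding changes in a capture summary of ARP traffic.

Added example for the thread above; not Wireshark project code.
Input is assumed to be tab-separated lines in the shape of a
`tshark -T fields` export: time, sender IP, sender MAC, ARP opcode.
"""
from collections import defaultdict

# Constructed sample (not a real capture). Opcode 2 = reply, 1 = request.
# The 10:00:04 line has a different MAC answering for 192.0.2.1 than before.
SAMPLE_LINES = """\
10:00:01\t192.0.2.1\t00:11:22:33:44:55\t2
10:00:02\t192.0.2.20\t00:11:22:33:44:66\t2
10:00:03\t192.0.2.1\t00:11:22:33:44:55\t2
10:00:04\t192.0.2.1\tde:ad:be:ef:00:01\t2
10:00:05\t192.0.2.30\tde:ad:be:ef:00:01\t2
"""


def parse_arp_lines(text):
    """Parse the assumed export format into (time, ip, mac, opcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, opcode = line.split("\t")
        records.append((ts, ip, mac.lower(), int(opcode)))
    return records


def find_mapping_conflicts(records):
    """Return (time, ip, previous_mac, new_mac) for every ARP reply whose
    sender MAC differs from the MAC last seen replying for that IP."""
    last_mac_for_ip = {}
    conflicts = []
    for ts, ip, mac, opcode in records:
        if opcode != 2:  # only replies assert an IP-to-MAC binding
            continue
        previous = last_mac_for_ip.get(ip)
        if previous is not None and previous != mac:
            conflicts.append((ts, ip, previous, mac))
        last_mac_for_ip[ip] = mac
    return conflicts


def find_macs_claiming_multiple_ips(records):
    """Return {mac: [ips...]} for MACs that sent replies for more than one IP.
    A router or a host with secondary addresses does this legitimately, so
    treat the result as a lead to check, not as proof of anything."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac, opcode in records:
        if opcode == 2:
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    recs = parse_arp_lines(SAMPLE_LINES)
    for ts, ip, old, new in find_mapping_conflicts(recs):
        print("binding change at %s: %s was %s, now %s" % (ts, ip, old, new))
    print(find_macs_claiming_multiple_ips(recs))
```

The same caveat Guy gives for capture filters applies here: the check only sees the ARP replies that actually reach the monitor port, so on an oversubscribed port a binding change can be missed entirely, and a single change is also what a legitimate NIC swap or DHCP reassignment looks like. It is a prompt to go and look at the switch's MAC table, not a verdict.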