
Wireshark-users: Re: [Wireshark-users] Can't see http packets

From: bart sikkes <b.sikkes@xxxxxxxxx>
Date: Mon, 15 Mar 2010 11:31:26 +0100
hello,

but do you see other traffic than the mentioned broadcast traffic?
what about when you test with ping, telnet, ftp, .....

i would focus on checking if you have the port monitoring setup
correctly (perhaps try with other systems / ports), wireshark with
default settings should just work if the traffic is being provided
correctly in my opinion.

greetings,
bart

On Mon, Mar 15, 2010 at 9:52 AM, Ronan SAVY <R.SAVY@xxxxxxxxxx> wrote:
> Lori,
> Thanks for the link but it's what I effectively did, port 16 as monitor and port 25 as mirror (tried all options, mirror in, mirror out and both). No luck so far... I keep on searching why I can't see http packets... though when I look in my NIC statistics in wireshark I see broadcast and multicast packets
>
> -----Original Message-----
> From: Ronan SAVY
> Sent: Saturday, 13 March 2010 15:31
> To: Community support list for Wireshark
> Subject: RE: [Wireshark-users] Can't see http packets
>
> ok
> as I said I tried every option of monitoring port, maybe the restriction of seeing only broadcast comes from my switches' configuration... any hint where I should have a look for switch restrictions?
> or maybe on wireshark checking for unicast incoming, right?
> ________________________________________
> From: wireshark-users-bounces@xxxxxxxxxxxxx [wireshark-users-bounces@xxxxxxxxxxxxx] on behalf of Martin Visser [martinvisser99@xxxxxxxxx]
> Sent: Saturday, 13 March 2010 11:35
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Can't see http packets
>
> My guess is that if you are only seeing NBNS, DHCP, ARP, IGMP protocol packets you are only seeing broadcasts from the rest of the network.
>
> You might need to really check that your port mirroring is working correctly.
>
> Regards, Martin
>
> MartinVisser99@xxxxxxxxx
>
> On Sat, Mar 13, 2010 at 2:03 AM, Ronan SAVY <R.SAVY@xxxxxxxxxx> wrote:
> Hi
> I would like to grab the http packets in order to have a clear view of web usage before configuring some kind of filter over my company network.
> Here is what I installed:
> I have a Windows XP SP3 workstation with wireshark installed on it and 2 NICs: one is an nvidia nforce and the other a D-link DFE-530TX
> I connected the D-link NIC on port 16 of my 3com 2226-SFP Plus
> Behind my 3com switch I have 5 3com baseline switches connected in cascade
> On port 25 of my switch I have a Linksys BEFSX41 with, on its WAN, my ISP modem going out to the internet
>
> I configured a port mirroring on port 16 from port 25 (I tried mirror in solo, mirror out solo, and both)
> I checked that the D-link NIC can work in promiscuous mode (using promqry)
>
> When I launch wireshark from the station I can't see any http traffic going out, save for the SSDP protocol
> I also see other packets grabbed from other machines on my network, packets like:
>
> - NBNS
> - DHCP
> - ARP
> - IGMP
>
> Even when I browse the internet on the workstation where wireshark is installed using the second NIC, I can't see the HTTP request going through
>
> Maybe I did something wrong but I don't know what. I checked the advanced options of my NIC to see if there is a Checksum offload option... but nothing.
>
> Any help would be most welcome as I have no more ideas on what else I can do.
> thanks
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
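The check suggested in this thread (a capture holding only broadcast and multicast frames means the mirror port is not delivering unicast), as an added example that is not part of the original messages. It assumes a classic little-endian libpcap file (not pcapng) with Ethernet link type; the MAC addresses and the two sample captures are constructed.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic libpcap file, little-endian
BCAST = b"\xff" * 6

def frames(pcap):
    """Yield raw Ethernet frames from a classic little-endian pcap byte string."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC_LE or linktype != 1:   # 1 = LINKTYPE_ETHERNET
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(pcap, own_mac):
    """Count frames by destination class from the capturing NIC's point of view."""
    counts = Counter()
    for f in frames(pcap):
        dst, src = f[0:6], f[6:12]
        if len(f) < 14:
            counts["truncated"] += 1
        elif dst == BCAST:
            counts["broadcast"] += 1
        elif dst[0] & 0x01:                 # I/G bit set: multicast (SSDP, IGMP, ...)
            counts["multicast"] += 1
        elif own_mac in (dst, src):
            counts["own_unicast"] += 1      # the sniffer's own conversations
        else:
            counts["foreign_unicast"] += 1  # only a working mirror delivers these
    return counts

def mirror_delivers_unicast(counts):
    return counts["foreign_unicast"] > 0

def sample_pcap(pairs):
    """Constructed capture: one 60-byte IPv4-typed frame per (dst, src) pair."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for dst, src in pairs:
        frame = dst + src + b"\x08\x00" + bytes(46)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

OWN, A, B = (bytes.fromhex(h) for h in ("020000000016", "020000000001", "020000000019"))
BROKEN = sample_pcap([(BCAST, A), (bytes.fromhex("01005e7ffffa"), A), (BCAST, B)])
WORKING = sample_pcap([(BCAST, A), (B, A), (A, B)])
```

A zero `foreign_unicast` count is only meaningful if the mirrored port carried traffic during the capture, so generate some (ping, telnet, ftp, as suggested above) from another host while capturing.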