Wireshark-users: Re: [Wireshark-users] Newbie question

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 24 Sep 2007 00:19:08 +0200
On Sun, Sep 23, 2007 at 05:38:57PM -0400, Tom Maugham wrote:
> Thanks for the info...
> 
> It appears that I have two problems:
> 1) The adapter in my laptop needs to be
> set to promiscuous mode and I cannot see any way to do that

Not quite; Wireshark puts the capturing interface it uses in
promiscuous mode by default. Unfortunately a lot of WLAN drivers
don't pass the packets that are not destined to the card to the
system when the card is put into promiscuous mode. In short, you
will only see the packets to and from your own PC instead of all
the packets on the wire^H^H^H^Hair.

Sometimes it's even worse: the driver will not send any packets
to the system when the card is put in promiscuous mode. In those
cases you need to disable "Capture in promiscuous mode" in the
capture options screen to be able to see your own packets in
Wireshark.


> and 2) I won't
> be able to see packets to/from the hard-wired pc. Is that correct?

Not quite ;-)  What I meant was that if you use the wired PC to
capture the packets instead of the wireless PC, you will also not
see all the packets. This is because the PC is connected to
a switch, which learns to which of its ports each system is
connected and only forwards traffic destined for the connected
system(s) out a port. You might want to read the Wiki article
about that again. It will give you some insight into what kind
of traffic you can expect when you connect the PC to some type
of device.

Hope this helps, Cheers,


Sake

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
> Sent: Sunday, September 23, 2007 2:23 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Newbie question
> 
> On Sun, Sep 23, 2007 at 02:03:09PM -0400, Tom Maugham wrote:
> > I have just installed Wireshark on a laptop which I want to use to monitor
> > my home network. My setup is three desktops connected to a Westell 327W
> > Verizon DSL wireless router. One desktop is hardwired and the other two and
> > the laptop are wireless. The hard-wired desktop is using XP Pro SP2 and all
> > the other desktops and the laptop are XP Home SP2.
> >
> > When I initiate Wireshark on the laptop it seems to see everything that is
> > occurring on the laptop but not very much on the other PCs. Why is that? Am
> > I expecting too much from Wireshark or do I not have it configured properly?
> 
> Have a look at http://wiki.wireshark.org/CaptureSetup/WLAN :
> 
> ----- <quote> -----
>  Capturing WLAN traffic on Windows depends on WinPcap and on the underlying
> network adapters and drivers. Unfortunately, most drivers/adapters support
> neither monitor mode, nor seeing 802.11 headers when capturing, nor
> capturing non-data frames.
> 
>  Promiscuous mode can be set; unfortunately, it's often crippled. In this
> mode many drivers don't supply packets at all, or don't supply packets sent
> by the host.
> ----- </quote> -----
> 
> Also when you try to capture all the traffic on the PC with the hard-wired
> connection, you won't see all the packets since the network is switched.
> Have a look at http://wiki.wireshark.org/CaptureSetup/Ethernet for
> more details on what traffic you are able to see on which type of
> network-connections.
> 
> Hope this helps, Cheers,
> 
> 
> Sake
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
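
The switch behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model of a MAC-learning switch showing which frames reach a capturing PC on one port, even with its adapter in promiscuous mode. The MAC names, port numbers and frame list are constructed for illustration (A is the capturing PC on port 1, B another PC on port 2, R the router on port 3).

```python
# Added illustration; MAC names, port numbers and frames are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Learn src, then return the ports the frame is sent out of."""
        self.mac_table[src] = in_port
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            # Broadcast or not-yet-learned destination: flood to all other ports.
            return [p for p in self.ports if p != in_port]
        # Known unicast: only the port where dst lives, never back out in_port.
        return [] if out == in_port else [out]

def frames_seen_on(capture_port, frames, ports=(1, 2, 3)):
    """Labels of the frames a promiscuous-mode sniffer on capture_port receives."""
    sw = LearningSwitch(ports)
    seen = []
    for label, in_port, src, dst in frames:
        out_ports = sw.forward(in_port, src, dst)
        # The sniffer sees its own transmissions plus whatever the switch sends it.
        if in_port == capture_port or capture_port in out_ports:
            seen.append(label)
    return seen

# (label, ingress port, source MAC, destination MAC)
FRAMES = [
    ("B arp-request", 2, "mac-B", BROADCAST),
    ("R arp-reply",   3, "mac-R", "mac-B"),
    ("B->R http",     2, "mac-B", "mac-R"),
    ("R->B http",     3, "mac-R", "mac-B"),
    ("A->R dns",      1, "mac-A", "mac-R"),
    ("R->A dns",      3, "mac-R", "mac-A"),
    ("R->C unknown",  3, "mac-R", "mac-C"),
]

if __name__ == "__main__":
    for port in (1, 2):
        print(f"capture on port {port}:", frames_seen_on(port, FRAMES))
```

The capture on port 1 contains the broadcast, A's own conversation and the flooded unknown-destination frame, but none of the unicast traffic between B and R.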