Wireshark-users: [Wireshark-users] Understanding what I'm seeing

From: Bill Baltas <wbaltas@xxxxxxxxx>
Date: Wed, 10 Oct 2007 11:30:19 -0700 (PDT)
Chad,

Your capture ports look okay. Could you have a capture filter defined in Wireshark?
Also, are you sure the capture workstation is working properly?

One easy way to check the workstation is to turn off the capture to the
destination port (no monitor session 1 destination interface Gi0/22). Give
this PC an IP address, turn on Wireshark and browse the Internet. You should
see all of the TCP traffic to and from this machine. If you get the same
results as before, it's a problem with your machine or your Wireshark configuration.

Good Luck
Bill Baltas

>I'm currently using version 0.99.6 on a Windows platform.
>
>I have the following configuration set up on my Cisco 3560 switch.
>
>monitor session 1 source interface Gi0/21 (Windows XP Desktop)
>monitor session 1 destination interface Gi0/22 (Windows XP Laptop
>w/Wireshark application)
>
>I start a capture, selecting the interface connected to the switch. The
>capture returns traffic, but all that I'm seeing is what appears to be
>mostly ARP, broadcast, DNS queries and some UDP traffic (all expected).
>What I'm not seeing is the TCP streams. I can see some TCP traffic
>but not the entire stream, so I can't follow any of them. For
>example, I've been trying to uncover an issue with IMAP mail clients
>having "network disconnects" to a remote server. When I do anything in
>my mail all I see is Echo traffic, and Source = "localhost" and
>destination is shown as the system on which my mail client resides.
>
>Why can't I see the traffic across the switch like I'm expecting to? Do
>I have something misconfigured? I haven't done this too often, but I
>thought I had once before and saw all of the traffic as normal.
>
>Please help.
>
>Thanks,
>
>Chad Webb
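For reference, here is the full form of the SPAN session described in the thread, with the direction keyword spelled out and the commands used to check it. This is an added example, not configuration from either poster; it assumes the same ports as in the post (Gi0/21 as the monitored desktop, Gi0/22 as the laptop running Wireshark) and that nothing else hangs off Gi0/22.

```cisco
! Added example (not from the original post): Catalyst 3560 local SPAN
! mirroring both directions of Gi0/21 to the Wireshark laptop on Gi0/22.
! Port assignments are assumed from the thread.
configure terminal
 ! Start from a clean session so no stale source/destination lines remain
 no monitor session 1
 ! "both" mirrors ingress and egress on the source port (rx/tx are the alternatives)
 monitor session 1 source interface GigabitEthernet0/21 both
 monitor session 1 destination interface GigabitEthernet0/22
end

! Check that the session exists, lists the source with direction "Both",
! and shows the expected destination port
show monitor session 1

! Confirm the source port is up and actually carries the desktop's traffic
show interfaces GigabitEthernet0/21
```

Two caveats worth keeping in mind when reading the output. First, a SPAN destination port on this platform does not forward normal traffic to the attached host, so the laptop on Gi0/22 cannot browse the Internet itself while the session is active; that is exactly why the test above removes the destination before using the laptop as an ordinary client. Second, SPAN only copies what crosses Gi0/21, so traffic that stays inside the desktop (loopback, a local mail proxy talking to the client on 127.0.0.1) never reaches the switch and can only be captured on the desktop itself.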