Wireshark-users: Re: [Wireshark-users] Understanding what I'm seeing

From: Chad Webb <Chad.Webb@xxxxxxxx>
Date: Wed, 10 Oct 2007 13:45:20 -0500
Bill,
  That's exactly what I've done.  Without the system being a monitor,
capturing packets while browsing the Internet displays packets as I expect.

-Chad



Bill Baltas said the following on 10/10/2007 1:30 PM:
> Chad,
> 
> Your capture ports look okay.  Could you have a capture filter defined in Wireshark?
> Also, are you sure the capture workstation is not working properly?
> 
> One easy way to check the workstation is to turn off the capture to the
> destination port (no monitor session 1 destination interface Gi0/22).  Give
> this PC an IP address, turn on Wireshark and browse the Internet.  You should
> see all of the TCP traffic to and from this machine.  If you get the same
> results as before, it's a problem with your machine or your Wireshark configuration.
> 
> Good Luck
> Bill Baltas 
>>I'm currently using version 0.99.6 on a Windows platform.
>>
>>I have the following configuration set up on my Cisco 3560 switch.
>>
>>monitor session 1 source interface Gi0/21 (Windows XP Desktop)
>>monitor session 1 destination interface Gi0/22 (Windows XP Laptop w/Wireshark application)
>>
>>I start a capture, selecting the interface connected to the switch.  The
>>capture returns traffic, but all that I'm seeing is what appears to be
>>mostly ARP, Broadcast, DNS Queries and some UDP traffic (all expected).
>> What I'm not seeing is the TCP STREAMS.....I can see some TCP traffic
>>but not the entire stream....so I can't follow any of them.  For
>>example, I've been trying to uncover an issue with IMAP mail clients
>>having "network disconnects" to a remote server.  When I do anything in
>>my mail all I see is Echo traffic and Source = "localhost" and
>>destination is shown as the system on which my mail client resides.
>>
>>Why can't I see the traffic across the switch like I'm expecting to?  Do
>>I have something misconfigured?  I haven't done this too often but I
>>thought I had once before and saw all of the traffic as normal.
>>
>>Please help.
>>
>>Thanks,
>>
>>Chad Webb
> 

-- 
Chad S. Webb
Systems Administrator
General Dynamics Information Technology
NOAA\NESDIS\NCDDC
Bldg 1100 Rm 117
Stennis Space Center, MS 39529
Voice: 228.688.3808
Email: Chad.Webb@xxxxxxxx; chad.webb@xxxxxxxx
www.gdit.com