Wireshark-users: Re: [Wireshark-users] Learning to setup WS to see TCP and HTTP

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 26 Mar 2008 19:46:21 -0700

On Mar 26, 2008, at 2:47 PM, Rudyard Wallen wrote:

> Super new to this, but here goes. OK, I have WS running. I am connected
> via ethernet to a Linksys router WRT54GS set for DHCP (I can connect
> wirelessly if need be). Other users connect wirelessly (my laptop for
> instance). Open system, no security.
>
> I am capturing via the Ethernet card.

> I can see the IP address of my laptop coming up, but under protocols I
> only see UDP and NPNS.

Presumably that's NBNS (which runs atop UDP) and other UDP protocols.

The packets you're seeing are probably all broadcast or multicast packets.

> Is there any way to see TCP and HTTP?

HTTP runs atop TCP, and TCP doesn't use broadcasts or multicasts. Only broadcast and multicast packets will show up on all the wired ports if they're received by the router.

> Do I need to capture via my wireless NIC?

Unless there's a way to put the wired port into which you're plugging the Wireshark machine in a "port mirroring" mode:

	http://wiki.wireshark.org/CaptureSetup/Ethernet#head-5220d760898496c38e928ed3d65ffc8160f6f3a6

you would - and I didn't see anything obvious in the online WRT54GS documentation to indicate that you can do that.

I also don't know whether wireless packets would be forwarded to that port in any case, although as those packets would be sent *out* an Ethernet port to your Internet connection, they might be.

Note that capturing on a wireless adapter probably won't work on Windows:

	http://wiki.wireshark.org/CaptureSetup/WLAN
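
A way to check a saved capture for the situation described in the reply, as an added example that is not part of the original mail: it reads a classic pcap file and counts frames by destination MAC type. A `unicast_other` count of zero is consistent with a switched port that has no port mirroring. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def read_pcap(data):
    """Yield Ethernet frames from classic pcap bytes (not pcapng)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if len(data) < 24 or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) == incl_len and incl_len >= 14:  # skip truncated records
            yield frame

def summarize(data, own_mac):
    """Count frames by destination type, splitting unicast into ours/others."""
    counts = {"broadcast": 0, "multicast": 0, "unicast_own": 0, "unicast_other": 0}
    for frame in read_pcap(data):
        dst, src = frame[:6], frame[6:12]
        if dst == BROADCAST:
            kind = "broadcast"
        elif dst[0] & 0x01:          # I/G bit set: group (multicast) address
            kind = "multicast"
        elif own_mac in (dst, src):  # unicast to or from the capturing machine
            kind = "unicast_own"
        else:
            kind = "unicast_other"
        counts[kind] += 1
    return counts

def build_pcap(frames):
    """Build a little-endian classic pcap from raw frames (constructed test data)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed MACs and frames; payloads are zero padding, not real packets.
OWN, LAPTOP, ROUTER = (bytes.fromhex("0200000000" + x) for x in ("01", "02", "fe"))
PAD = b"\x08\x00" + bytes(46)
SWITCHED = build_pcap([BROADCAST + LAPTOP + PAD,
                       bytes.fromhex("01005e0000fb") + LAPTOP + PAD,
                       OWN + ROUTER + PAD])
MIRRORED = build_pcap([BROADCAST + LAPTOP + PAD, ROUTER + LAPTOP + PAD])
```

For a real file, pass its bytes and the capturing interface's MAC address to `summarize`; files saved as pcapng need converting to classic pcap first.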