Wireshark-users: Re: [Wireshark-users] Learning to setup WS to see TCP and HTTP

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 27 Mar 2008 15:38:20 -0700

On Mar 26, 2008, at 7:57 PM, Rudyard Wallen wrote:

> OK, some of that went over my head but I think I got the gist. So I
> guess the big question is: Is there a way to see HTTP on this network
> combo of wired and wireless machines that all are connected to this one
> router?

Yes - run Wireshark/TShark, or dumpcap, or tcpdump/WinDump, on the machine that's sending out and receiving the HTTP traffic.

You *might* be able to see that traffic from another machine if it's wireless traffic and you're capturing on a machine/OS/driver/wireless adapter that supports "monitor mode" (if it's Windows, monitor mode is only supported in Vista, and even there it's not supported by WinPcap, which is what Wireshark uses to capture traffic on Windows; you could also get an AirPcap adapter:

	http://www.cacetech.com/products/airpcap_family.htm

and use that, but they're not cheap).

If it's wired traffic (i.e., a machine plugging into an Ethernet interface on the WRT54GS), you're probably out of luck, unless the WRT54GS supports "port mirroring".

> Update: I just connected my laptop via Ethernet to the router. My tower
> is running Wireshark. I see the IP address of my laptop (a Mac) but it
> only shows IGMP, MDNS and UDP packets for that source IP. Could I have
> this thing set up wrong?

IGMP is for managing multicast groups, so at least some IGMP packets are probably multicast.

The "M" in "MDNS" stands for... multicast, so its packets are multicast.

The other UDP packets you're seeing are probably also broadcast or multicast.

I.e., this is the same problem. You're plugging into a switch, which means you aren't necessarily going to see all the traffic passing through the switch; a switched Ethernet is different from a traditional Ethernet in that fashion.
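The point in the reply (a switch only floods broadcast and multicast frames to every port, so a capture on a third machine sees the laptop's IGMP and mDNS but none of its HTTP) can be illustrated with a small script. This is an added example, not code from the mailing list or from Wireshark; the frame list is constructed, the MAC/IP values in it are made up, and `tshark_argv` simply assembles the command one would run on the host that actually sends the HTTP, as the reply recommends.

```python
"""Why a capture on a third machine shows only IGMP/mDNS from the laptop.

Added illustration for this thread; it is not code from the mailing list or
from Wireshark. A plain (non-mirroring) switch forwards a unicast frame only
to the port that owns the destination MAC, while broadcast and multicast
frames are flooded to every port. All frames below are constructed samples.
"""
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_kind(mac: str) -> str:
    """Classify an Ethernet destination as unicast, multicast or broadcast."""
    octets = [int(part, 16) for part in mac.lower().split(":")]
    if len(octets) != 6 or any(o < 0 or o > 0xFF for o in octets):
        raise ValueError(f"bad MAC address: {mac}")
    if all(o == 0xFF for o in octets):
        return "broadcast"
    if octets[0] & 0x01:          # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"


def ip_kind(ip: str) -> str:
    """Classify an IP destination: limited broadcast, 224/4 or ff00::/8, else unicast."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and addr == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    if addr.is_multicast:
        return "multicast"
    # A directed (subnet) broadcast such as 192.168.1.255 needs the netmask to detect.
    return "unicast"


def flooded_by_switch(frame: dict) -> bool:
    """True if an ordinary switch would send this frame out every port."""
    return mac_kind(frame["dst_mac"]) != "unicast"


def visible_protocols(frames) -> dict:
    """Count, per protocol, the frames a capture on another switch port would see."""
    seen = {}
    for f in frames:
        if flooded_by_switch(f):
            seen[f["proto"]] = seen.get(f["proto"], 0) + 1
    return seen


def tshark_argv(interface: str) -> list:
    """Capture command for the host that generates the HTTP (the reply's advice).

    -f is a libpcap capture filter, -Y a Wireshark display filter.
    """
    return ["tshark", "-i", interface, "-f", "tcp port 80", "-Y", "http"]


# Constructed sample of what the laptop on the wired port might send.
SAMPLE_FRAMES = [
    {"proto": "IGMP", "dst_mac": "01:00:5e:00:00:16", "dst_ip": "224.0.0.22"},
    {"proto": "UDP",  "dst_mac": "01:00:5e:00:00:fb", "dst_ip": "224.0.0.251"},      # mDNS
    {"proto": "UDP",  "dst_mac": "01:00:5e:7f:ff:fa", "dst_ip": "239.255.255.250"},  # SSDP
    {"proto": "UDP",  "dst_mac": BROADCAST_MAC,        "dst_ip": "255.255.255.255"},  # DHCP
    {"proto": "TCP",  "dst_mac": "00:11:22:33:44:55", "dst_ip": "203.0.113.10"},     # HTTP
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        where = "flooded to all ports" if flooded_by_switch(f) else "one port only"
        print(f"{f['proto']:5} -> {f['dst_ip']:16} {mac_kind(f['dst_mac']):9} {where}")
    print("seen from another switch port:", visible_protocols(SAMPLE_FRAMES))
    print("run on the HTTP host instead:", " ".join(tshark_argv("en0")))
```

Running it lists the four multicast/broadcast frames as flooded and the HTTP frame as delivered to one port only, which matches the "only IGMP, MDNS and UDP" symptom; the same logic explains why a monitor-mode wireless capture or a mirrored switch port is needed to see another host's unicast traffic.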