Wireshark-users: Re: [Wireshark-users] Capture Filter

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 14 Oct 2008 18:22:33 -0700

On Oct 14, 2008, at 5:56 PM, Michael Condon wrote:

This is a blind attempt to capture traffic to/from an IP address. Is there a less obtrusive alternative to capturing this traffic than infiltrating the internal infrastructure?

I.e., if you're on a switched network, and you want to capture traffic to or from a particular IP address from or to *all* machines on that switch, is there a less obtrusive alternative than replacing the switch with a hub or using a monitor port?

That depends on your definition of "obtrusive".

The only alternatives are the ones listed on

	http://wiki.wireshark.org/CaptureSetup/Ethernet

and, if *I* were a network administrator, I'd consider all of the ones that work "obtrusive", and would consider the alternatives to "use a switch port", such as ARP poisoning or MAC flooding, to be actively *hostile* if I weren't the one doing the capturing.

Switches don't send all traffic to them through all ports - that's kind of the point of a switch, to allow more traffic to pass through it than can be sent over a single Ethernet link - so the only way to see all traffic going through a switch is to capture on a port that, either by configuring the switch (with a monitor port) or bludgeoning the switch (e.g., ARP poisoning or MAC flooding), manages to get all traffic forwarded to it.

Note that if more traffic is passing through the switch than can be sent out to a port on the switch, all of those solutions *will* drop traffic. Note also that the switch knows absolutely nothing about your capture filter; unless its monitor-port feature can be configured to check IP addresses and forward only matching packets to the monitor port (i.e., unless the switch has its own notion of filters at that level), even if your capture filter would select less traffic than can be sent out to a port on the switch, it won't prevent packets from being dropped.
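The reply above makes two points a practitioner wants to keep apart: the capture filter is evaluated on the capturing host, and the switch knows nothing about it. The following is an added shell example (not part of the original thread, and not from the Wireshark project) that composes a BPF capture filter for one IPv4 address and runs tcpdump on a NIC assumed to be plugged into the switch's monitor port. The interface name, the address and the `capture_host_traffic` / `build_capture_filter` / `valid_ipv4` helper names are assumptions for the example; tcpdump's flags are real.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes tcpdump is installed and that
# the interface passed to capture_host_traffic is connected to the switch's monitor port.

# valid_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with every octet in 0..255, else 1
valid_ipv4() {
    addr=$1
    # reject anything but digits and dots, and any empty octet (leading/trailing/double dot)
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr          # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_capture_filter DIRECTION ADDR -> print a BPF capture filter expression
# DIRECTION is one of: both (to or from ADDR), from (ADDR is the source), to (ADDR is the destination)
build_capture_filter() {
    dir=$1
    addr=$2
    valid_ipv4 "$addr" || { echo "build_capture_filter: bad IPv4 address '$addr'" >&2; return 1; }
    case "$dir" in
        both) echo "host $addr" ;;
        from) echo "src host $addr" ;;
        to)   echo "dst host $addr" ;;
        *)    echo "build_capture_filter: direction must be both, from or to" >&2; return 1 ;;
    esac
}

# capture_host_traffic IFACE DIRECTION ADDR COUNT -> capture COUNT matching packets on IFACE
capture_host_traffic() {
    iface=$1
    dir=$2
    addr=$3
    count=$4
    filter=$(build_capture_filter "$dir" "$addr") || return 1
    # -n: no name lookups (so the capturing host generates no DNS traffic of its own)
    # -c: stop after COUNT packets; -w: write a pcap that Wireshark can open later
    # The filter runs in this host's kernel (BPF). It limits what is written to disk, but the
    # switch still has to forward the monitor port's full load; a filter cannot relieve that.
    tcpdump -i "$iface" -n -c "$count" -w "capture-$addr.pcap" "$filter"
    # tcpdump's closing "packets dropped by kernel" line counts only drops on this host.
    # Packets the switch could not forward to the monitor port never arrive and are not counted.
}

# Example invocation (placeholder interface name, RFC 5737 documentation address):
# capture_host_traffic eth1 both 192.0.2.10 1000
```

Running the capture requires the usual privileges for packet capture on the host; the two helper functions can be sourced and used on their own to check an address and build the filter string before any capture is started.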