Wireshark: How to monitor traffic, rather than watch packets?

4

1

Wireshark is good at showing me every packet that is sent or received over an interface.

But I'm really trying to find a way to monitor traffic on a machine. In other words, rather than seeing:

00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE  TCP  10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF  TCP  10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE  TCP  10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF  TCP  10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE  TCP  10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF  TCP  10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE  TCP  10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF  TCP  10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE  TCP  10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF  TCP  10.0.0.12:80 => 10.0.0.11:32532

I would want to see:

00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE  TCP  10.0.0.11:32532 => 10.0.0.12:80  5
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF  TCP  10.0.0.12:80 => 10.0.0.11:32532  5

And if possible, even more advanced logic:

Listen MAC        Listen Addr     Source MAC        Source Addr     Proto  In  Out
================= ============    ================= =============== =====  ==  ==
00-03-FF-54-D8-DE 10.0.0.12:80 <= 00-03-FF-54-D8-DF 10.0.0.11:32532 TCP    5   5
00-03-FF-54-D8-DE 10.0.0.12:80 <= 00-03-FF-54-D8-D3 10.0.0.42:53213 TCP    5   5

In other words, aggregation and grouping.

How can I use Wireshark to monitor traffic, rather than capture packets?

Ian Boyd

Posted 2010-09-24T14:05:45.237

Reputation: 18 244

1Unless you've got other reasons for it you might have better luck if you remove the wireshark part of the question. I assume you really just want a traffic monitor that works and it may or may not have anything to do with wireshark. There are traffic monitors like you want, some with graphical interfaces but as it stands people might not mention them. – hotei – 2010-09-24T14:55:58.687

I see that you are watching HTTP traffic. Fiddler is a great program for watching HTTP traffic. – Nick Berardi – 2012-01-11T14:28:51.060

Answers

5

Wireshark is a terrific program, but there are other freeware and open source alternatives that may be somewhat easier to use. My current favourites are Microsoft Network Monitor and SmartSniff.

Using SmartSniff in summary mode should provide the information you want. Options > Advanced Options > Summary mode: enable; Options > Advanced Options > Retrieve process information: enable; Options > Resolve IP Addresses: enable.

boot13

Posted 2010-09-24T14:05:45.237

Reputation: 5 551

1+1. Wow, SmartSniff is very impressive. It can detect, and use, different methods of capturing traffic: raw sockets, WinPCap, or Microsoft's Network Monitor driver. WireShark could learn something about usability. – Ian Boyd – 2010-09-25T23:03:14.887

3

What about the

Statistics -> Conversations

window?

You can have name resolution of addresses and even filter the conversations.

Nicolas

Posted 2010-09-24T14:05:45.237

Reputation: 161
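The Conversations window does exactly the grouping the question asks for: one row per endpoint pair, with packet counts in each direction. The same table is available without the GUI from tshark (`tshark -r capture.pcap -q -z conv,tcp`, or `conv,ip` / `conv,eth` for other layers). To make the aggregation concrete, here is an added example that is not part of the original post and not Wireshark's own code: it parses packet lines in the format the question shows and folds them into the "Listen / Source / In / Out" table. The sample traffic is constructed inline from the question's MACs and addresses, and the rule that the endpoint with the lower port number is the listening side is an assumption made for the example (Wireshark itself just reports A→B and B→A counts without naming a server).

```python
"""Aggregate a packet list into conversations, as Statistics -> Conversations does.

Added example, not from the original post. The packet lines are constructed
here in the question's own format; with a real capture you would produce
equivalent fields with tshark:
  tshark -r capture.pcap -T fields -e eth.src -e eth.dst -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
"""
import re
from collections import defaultdict

# Constructed sample endpoints: (MAC, IP, port). Values are the illustrative
# ones from the question, not a real capture.
SERVER = ("00-03-FF-54-D8-DE", "10.0.0.12", 80)
CLIENT1 = ("00-03-FF-54-D8-DF", "10.0.0.11", 32532)
CLIENT2 = ("00-03-FF-54-D8-D3", "10.0.0.42", 53213)
TLS_SERVER = ("00-03-FF-54-D8-DE", "10.0.0.12", 443)    # assumed extra service
TLS_CLIENT = ("00-03-FF-54-D8-D3", "10.0.0.42", 41002)  # assumed extra client port

# One packet line: "<src mac> => <dst mac>  <proto>  <src ip>:<port> => <dst ip>:<port>"
PACKET_RE = re.compile(
    r"^(?P<smac>[0-9A-F]{2}(?:-[0-9A-F]{2}){5}) => (?P<dmac>[0-9A-F]{2}(?:-[0-9A-F]{2}){5})"
    r"\s+(?P<proto>\w+)\s+(?P<sip>[\d.]+):(?P<sport>\d+) => (?P<dip>[\d.]+):(?P<dport>\d+)$",
    re.IGNORECASE,
)


def make_packets(a, b, n_ab, n_ba, proto="TCP"):
    """Constructed sample: n_ab packets a->b interleaved with n_ba packets b->a."""
    lines = []
    for i in range(max(n_ab, n_ba)):
        if i < n_ab:
            lines.append(f"{a[0]} => {b[0]}  {proto}  {a[1]}:{a[2]} => {b[1]}:{b[2]}")
        if i < n_ba:
            lines.append(f"{b[0]} => {a[0]}  {proto}  {b[1]}:{b[2]} => {a[1]}:{a[2]}")
    return lines


# The question's two symmetric flows plus one lopsided flow (3 in, 1 out).
SAMPLE = (make_packets(CLIENT1, SERVER, 5, 5)
          + make_packets(CLIENT2, SERVER, 5, 5)
          + make_packets(TLS_CLIENT, TLS_SERVER, 3, 1))


def parse_packet(line):
    """Parse one packet line into (proto, src_endpoint, dst_endpoint)."""
    m = PACKET_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised packet line: {line!r}")
    p = m.groupdict()
    src = (p["smac"], p["sip"], int(p["sport"]))
    dst = (p["dmac"], p["dip"], int(p["dport"]))
    return p["proto"].upper(), src, dst


def listener_first(src, dst):
    """Pick the listening side of a packet. Assumed heuristic: the lower port
    (80, 443, ...) is the service; ties fall back to address order so that
    both directions of a flow map to the same (listener, peer) pair."""
    return (src, dst) if (src[2], src[1]) < (dst[2], dst[1]) else (dst, src)


def aggregate(lines):
    """Fold packet lines into conversations keyed by (proto, listener, peer),
    counting packets into the listener ("in") and out of it ("out")."""
    counts = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        if not line.strip():
            continue
        proto, src, dst = parse_packet(line)
        listener, peer = listener_first(src, dst)
        counts[(proto, listener, peer)]["in" if dst == listener else "out"] += 1
    rows = [{"proto": proto, "listener": listener, "peer": peer, **c}
            for (proto, listener, peer), c in counts.items()]
    rows.sort(key=lambda r: (r["listener"], r["peer"]))
    return rows


def render(rows):
    """Format conversations as the table the question sketches."""
    out = [f"{'Listen MAC':17} {'Listen Addr':15}    {'Source MAC':17} {'Source Addr':15} Proto  In  Out",
           f"{'=' * 17} {'=' * 15}    {'=' * 17} {'=' * 15} =====  ==  ==="]
    for r in rows:
        lm, li, lp = r["listener"]
        pm, pi, pp = r["peer"]
        out.append(f"{lm:17} {li + ':' + str(lp):15} <= {pm:17} {pi + ':' + str(pp):15} "
                   f"{r['proto']:5}  {r['in']:2}  {r['out']:3}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(aggregate(SAMPLE)))
```

The lopsided third flow is there on purpose: a conversation view makes unanswered or one-sided traffic (scans, half-open connections, a client hammering a port that never replies) stand out in the In/Out columns, which is hard to see in a raw packet list.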

2

Wireshark is famous for its powerful capability of capturing traffic and analyzing protocols. But if you need to have graphic views of the traffic or monitor network performance, you need to buy Pilot, which is a powerful analyzing tool.

However as the above answer said, there is some freeware you can use instead of Wireshark. I recently found a very good one at PC World: Capsa.

Very good one, worth trying.

Julie

Posted 2010-09-24T14:05:45.237

Reputation: 21

+1 for Capsa. Powerful, comprehensive, extremely well designed software. I've added it to my toolkit. Thanks! – boot13 – 2010-09-26T13:37:42.423