Wireshark traffic capture - one subnet to another subnet

1

My setup is a computer with Wireshark connected to a switch on the LAN. The subnet IP that Wireshark is on is .0.#. I would like to capture traffic between subnet IP .0.# and .2.#. However, when I include the filter:

tcp and ip.addr==192.###.2.# && ip.addr==192.###.0.# (with # being numbers), I do not see traffic between those two IPs. I have pinged both IPs FINE!

So is this possible, and by clicking Edit Filter and putting in the above, am I setting the filter correctly?

Links or Tutorials would be great!

Benjamin Jones

Posted 2013-09-25T20:48:07.190

Reputation: 526

Be aware: You can't watch traffic on a switch unless it's coming or going to/from the computer with Wireshark installed. That is, unless your switch supports configuring a monitoring port. – Ƭᴇcʜιᴇ007 – 2013-09-25T20:56:51.093

Answers

2

You need to make sure the switch is sending this traffic to the port that the Wireshark machine is plugged into. You can do this in a number of ways:

  • If it's a manageable switch that supports port monitoring (also called port mirroring or other similar names) you can see what port one of your target endpoint machines (or the router between the subnets) is plugged into, and mirror that port to the port your Wireshark machine is on.
  • If you don't have a manageable switch, but you happen to have a hub around, you can use a hub instead of the switch (or between the switch and one of the traffic endpoints). Unfortunately, there's no such thing as a gigabit switch, so this solution only works if you're okay with 10/100 Mbit speeds.
  • Run Wireshark on one of the endpoints of the test, or on the router that's connecting the subnets. Sometimes running a sniffer on one of the devices involved in the test can interfere with the test, so caveat lector.

Spiff

Posted 2013-09-25T20:48:07.190

Reputation: 84 656
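As an added illustration of the answer above (example code, not part of the original post): a small Python model of why a correctly written display filter can still show nothing. The filter itself is fine, the problem is which frames an unmirrored switch delivers to the sniffer port. The subnets, sniffer address and packets are constructed from RFC 5737 documentation ranges, standing in for the asker's .0.# and .2.# networks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the asker's networks (real ones are not on the page).
SNIFFER_IP = ipaddress.ip_address("192.0.2.10")      # host running Wireshark
SUBNET_A = ipaddress.ip_network("192.0.2.0/24")      # plays the role of .0.#
SUBNET_B = ipaddress.ip_network("198.51.100.0/24")   # plays the role of .2.#

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"

# Constructed traffic: a TCP exchange between hosts in the two subnets (what the
# asker wants to see), the sniffer's own ping to the other subnet, and a broadcast.
SAMPLE = [
    Packet("192.0.2.20", "198.51.100.5", "tcp"),
    Packet("198.51.100.5", "192.0.2.20", "tcp"),
    Packet("192.0.2.10", "198.51.100.5", "icmp"),
    Packet("198.51.100.5", "192.0.2.10", "icmp"),
    Packet("192.0.2.20", "255.255.255.255", "udp"),
]

def display_filter(net_a, net_b):
    """Wireshark display filter with the same shape as the asker's. Two ip.addr
    terms joined by && require BOTH addresses in the same packet; CIDR notation
    matches whole subnets instead of single hosts."""
    return f"tcp && ip.addr=={net_a} && ip.addr=={net_b}"

def matches_filter(pkt, net_a, net_b):
    """Evaluate that filter condition in Python against a constructed packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return pkt.proto == "tcp" and (
        (src in net_a and dst in net_b) or (src in net_b and dst in net_a))

def seen_on_unmirrored_switch(pkt, sniffer_ip):
    """Model of a learning switch with no port mirroring: the sniffer's port only
    carries frames the sniffer sent, frames addressed to it, and broadcast/multicast."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (src == sniffer_ip or dst == sniffer_ip or dst.is_multicast
            or dst == ipaddress.ip_address("255.255.255.255"))

def count_matches(packets, mirrored):
    """Packets the display filter would show, with and without port mirroring."""
    visible = packets if mirrored else [
        p for p in packets if seen_on_unmirrored_switch(p, SNIFFER_IP)]
    return sum(matches_filter(p, SUBNET_A, SUBNET_B) for p in visible)
```

With `mirrored=False` the filter matches nothing even though the TCP traffic exists, reproducing the asker's symptom; with the endpoint's port mirrored it matches both directions.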