trying to determine if winpcap has been loaded automatically by wireshark

rookie1010

Senior member
Mar 7, 2004
984
0
0
Hi,

I wanted to use Wireshark to learn how to analyse the traffic. I am not capturing any packets. I was wondering if the WinPcap driver was active. I have installed it but I am not sure it is loaded automatically by the Wireshark interface. Is there any way I could determine its loading or non-loading?
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
WinPcap should be installed when you install Wireshark. I think it gives you the option that WinPcap should run as a service, so that all the users of the computer can capture.

Check the interface used for capture. It's under the Capture menu. That should give you a list of adapters you can capture from.

You need some traffic through the adapter to capture. Make sure the NIC is connected to a network or the internet. Start the capture on wireshark.

To generate some traffic on the local network try copying a file to/from another PC on the network. That should give you some traffic to capture.

If the PC is connected to the internet then just browse a few web pages, and that will give you the traffic.

Rob Murphy
 
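The check robmurphy describes, done from the command line rather than the Capture menu. This is an added example, not code from the thread: it assumes a default Wireshark install directory and that dumpcap.exe (the capture helper Wireshark ships with) lives there.

```powershell
# Added example (not from the thread): is the WinPcap kernel driver loaded,
# and which adapters does the capture library expose?
$wireshark = "C:\Program Files\Wireshark"   # assumption: default install path

# The WinPcap packet driver is registered as a kernel service named "npf".
# sc.exe is used because in PowerShell "sc" is an alias for Set-Content and
# Get-Service does not list kernel drivers.
$state = (sc.exe query npf | Select-String "STATE").ToString().Trim()
Write-Output "WinPcap driver (npf): $state"     # expect "STATE : 4 RUNNING"

# dumpcap -D lists the interfaces the driver presents to Wireshark.
# No interfaces listed (or an error) means the driver is not loaded,
# regardless of what the Wireshark GUI shows.
& "$wireshark\dumpcap.exe" -D
```

If the service state is STOPPED, starting it requires an elevated prompt (`sc.exe start npf`); the installer's "start WinPcap at boot" option is what makes this automatic for every user, as the post above mentions.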

rookie1010

Senior member
Mar 7, 2004
984
0
0
thanks for the reply,

I have got 2 laptops and a desktop connected to my router using wireless. My desktop has an IP address of 192.168.1.254 whereas my laptop running Wireshark has an IP address of 192.168.1.70.
I only seem to be able to capture traffic from 192.168.1.70. I have checked the capture options, and the "Capture packets in promiscuous mode" option is selected. Why isn't Wireshark collecting the other traffic?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Try it on the wired network first, it's possible that your wireless driver is only letting you see packets destined for you.
 

rookie1010

Senior member
Mar 7, 2004
984
0
0
You mean connect my laptop to my router using the wired connection and then check the packets? But if I were to plug my laptop into a physical port on the router, would that physical port not be mapped to an IP address, and hence I will not be able to see other traffic meant for my wireless desktop and other laptop?
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
On which machine is Wireshark installed?
You can only see either local or broadcast traffic if you don't have SPAN set up.
 

rookie1010

Senior member
Mar 7, 2004
984
0
0
thanks for the reply,

Wireshark is installed on the machine with IP address 192.168.1.270 and I am trying to capture traffic meant for 192.168.1.254.

Is SPAN an option within Wireshark or is it a plugin?
 

Cooky

Golden Member
Apr 2, 2002
1,408
0
76
After a closer look at your original post, it looks like your machines are all connected to the router through wireless?
Not sure how you can get it to work... see, traffic for 192.168.1.254 is only going between that host and the router, which is why you're not seeing it from 192.168.1.270.

SPAN is not a setting in the software. It's a feature that's available on enterprise switches so never mind that.
 

rookie1010

Senior member
Mar 7, 2004
984
0
0
I thought that Wireshark is a packet sniffer which captures all the traffic in the vicinity. Since all the traffic associated with my router has got the same WPA key, it should be able to decipher and log all the traffic.

So traffic destined to 192.168.1.254 would be sniffed and displayed by Wireshark, correct?
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
The LAN ports and the wireless connection on your router act like a switch. The switch will have learnt the MAC addresses that are connected to each port. When the switch gets a packet it will route it to the port with the destination MAC address, i.e. it will switch the packet.

There is no real way to monitor all the LAN traffic on the router on one PC. You could run Wireshark on all the PCs/laptops on the router if that's what you really want.

If you want to study what goes on you will need a switch with a mirror port. That will mean a managed switch, or at least a web managed switch. You may be able to get an old CISCO Catalyst switch off eBay quite cheap. Just check that the switch will be quick enough for you. In the UK there are a lot of 1900 Catalyst switches for sale but these only have 10 BT ports not 100 BT.

You can set up the CISCO switch so one port can be used to monitor the traffic on other ports. That is what I call a mirror port. I think that is what Cooky meant. I do not think that you have to have the enterprise level software (or switch) to use port mirroring however.

The web managed Dell switches will also allow you to set up a mirror port, and these can be bought for about 80 - 90 pounds in the UK for the 16 port version (Power connect 2716). The 2716 switch also has gigabit ports with 9k jumbo frames.

I think some of the managed 3Com switches also allow you to set up a mirror port.

If you do not want to get a switch then see if you can find an old hub. Some of these had 100 BT ports. Because it's a hub not a switch, each packet it receives is sent to all the other ports. This means you can monitor all the traffic on that hub at one point. For monitoring hubs are good, for actual data communications they are not so good.

Rob.
 

rookie1010

Senior member
Mar 7, 2004
984
0
0
thanks for the reply,

I thought Wireshark has a packet sniffer which sniffs all traffic in the air?

I saw Ethereal being used on an SMPP link used to sniff and verify traffic between an ESME and a handset. Is that done with mirrored switches?

What is a BT port?
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
If you want to capture wireless traffic I suggest you have a look at AirPcap.
See: http://www.cacetech.com/products/airpcap_family.htm


BT is BASE-T. It describes the interface Ethernet uses for twisted pair. You can have 10BASE-T (10 BT) which works at 10 Mbs, 100BASE-T (100 BT or Fast Ethernet) which works at 100 Mbs, and 1000BASE-T (usually described as gigabit) which works at 1000 Mbs. 1 Mbs = 1 million bits per sec. Most switches and routers these days are 100 BT, with gigabit interfaces starting to appear.

Rob.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
i thought wireshark has a packet sniffer which sniffs all traffic in the air?

It can only see what the driver presents to it, so if the driver doesn't support promiscuous or monitor mode then you'll never get anything beside what is broadcast or aimed at your NIC.
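Two points in this thread explain why rookie1010's laptop only sees its own traffic: robmurphy's description of the router's ports acting as a learning switch (unicast goes only to the port where the destination MAC was learnt, while a hub or mirror port repeats everything), and Nothinman's point that even on a shared medium the capture library only gets what the driver passes up unless the driver honours promiscuous mode. The simulation below, an added example and not code from the thread, models both. All MAC addresses, port names and frames are constructed.

```python
"""Why a sniffer on one port misses another host's unicast traffic.

Added example, not from the thread. Simulates (a) a MAC-learning switch,
(b) a hub, and (c) the filtering a NIC driver applies when it is not in
promiscuous mode. Every MAC, port and frame here is constructed.
"""
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
Frame = namedtuple("Frame", "src dst payload")


class LearningSwitch:
    """Forwards a unicast frame only to the port where its destination MAC
    was learnt; broadcasts and unknown destinations are flooded."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                     # MAC -> port, learnt from sources
        self.delivered = {p: [] for p in self.ports}

    def receive(self, in_port, frame):
        self.mac_table[frame.src] = in_port     # learn where the sender lives
        out = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out is None or out == in_port:
            targets = [p for p in self.ports if p != in_port]   # flood
        else:
            targets = [out]                                     # switch
        for p in targets:
            self.delivered[p].append(frame)


class Hub(LearningSwitch):
    """A hub repeats every frame to all other ports, so any port sees all."""

    def receive(self, in_port, frame):
        for p in self.ports:
            if p != in_port:
                self.delivered[p].append(frame)


def driver_filter(frames, own_mac, promiscuous):
    """What the driver hands to the capture library: everything on the wire
    if promiscuous mode is honoured, otherwise only our own and broadcast."""
    if promiscuous:
        return list(frames)
    return [f for f in frames if f.dst in (own_mac, BROADCAST)]


def run_scenario(fabric_cls):
    """Three constructed hosts: desktop, the laptop running the sniffer, and
    the router. Returns the payloads the sniffer laptop's capture sees with
    and without the driver in promiscuous mode."""
    desktop = "00:00:00:00:00:01"
    sniffer = "00:00:00:00:00:02"
    router = "00:00:00:00:00:03"
    fabric = fabric_cls(["p1", "p2", "p3"])     # desktop=p1, sniffer=p2, router=p3
    # ARP-style broadcasts so the switch learns every MAC first
    fabric.receive("p1", Frame(desktop, BROADCAST, "who-has router"))
    fabric.receive("p3", Frame(router, BROADCAST, "who-has desktop"))
    fabric.receive("p2", Frame(sniffer, BROADCAST, "who-has router"))
    # unicast exchange between desktop and router, which the sniffer wants
    fabric.receive("p1", Frame(desktop, router, "GET /page"))
    fabric.receive("p3", Frame(router, desktop, "200 OK"))
    on_wire = fabric.delivered["p2"]            # what reaches the sniffer's NIC
    return {
        "promiscuous": [f.payload for f in driver_filter(on_wire, sniffer, True)],
        "normal": [f.payload for f in driver_filter(on_wire, sniffer, False)],
    }


if __name__ == "__main__":
    for name, cls in (("switch", LearningSwitch), ("hub", Hub)):
        print(name, run_scenario(cls))
```

On the switch, promiscuous mode makes no difference: the desktop/router unicast never reaches the sniffer's port, which is robmurphy's point and why a mirror port or hub is needed. On the hub the frames do reach the NIC, but a driver that ignores promiscuous mode still drops them, which is Nothinman's point; a wireless adapter without monitor mode behaves like the hub-plus-filtering case.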