Hi, I need some help. I have installed Wireshark on a PC that is connected to a switch; this in turn is connected to a Motorola CMM and then to multiple Motorola Canopy backhauls, which then feed to CMM and then onto the AP/SM. All these are on 10.x.x.x. I can see some of the 10.x.x.x IP addresses, I can also see some of the customers' IP addresses (i.e. 75.x.x.x, 206.x.x.x), but these are random IP addresses across the network.

I have been told that this may be because of the switch or CMM. Is there a solution for this? Is there a way to force an IP address into the filter so I can check just 1 IP address? With the results I get, I just want to see what websites are being viewed - just to monitor how many are logging onto Netflix, for example!

Thanks
Steve

asked 17 May '12, 11:17 stevewarden0
One Answer:
Based on the information you provided, I assume your PC is connected to a simple access port on the switch. In that case, you will only see your own traffic and broadcast traffic within Wireshark. Maybe that's the traffic you are capturing (10.x.x.x local broadcasts, 75.x.x.x, 206.x.x.x broadcasts from systems behind the CMM). If you want to capture the whole traffic, you need to configure port mirroring on your switch or use a TAP or any other method described here: http://wiki.wireshark.org/CaptureSetup/Ethernet
In that case you need to mirror/monitor the port where your WAN (Internet) router is connected to your switch (see wiki above and your switch manual). Use the following capture filter to capture DNS requests and HTTP(s) requests:
After you have captured enough data, you can look for Netflix requests with these display filters:
Regards

answered 17 May '12, 15:03 Kurt Knochner ♦ edited 17 May '12, 15:12
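As an added example (not part of the original answer and not the answerer's filters), the script below counts which clients looked up a domain once DNS queries have been exported from a mirrored-port capture. The tshark export command in the comments, the file name `capture.pcap`, the function names and the sample lines are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: count clients that looked up a domain, from tshark field
# output. Assumed export command (capture.pcap is a placeholder name):
#   tshark -r capture.pcap -Y 'dns.flags.response == 0' \
#          -T fields -e ip.src -e dns.qry.name
# It prints one "client<TAB>queried-name" line per DNS query.

# clients_for_domain DOMAIN  (reads the tab-separated lines on stdin)
# Prints "client<TAB>query-count", busiest client first.
clients_for_domain() {
  awk -F'\t' -v dom="$1" '
    BEGIN { dom = tolower(dom); sub(/\.$/, "", dom) }
    NF >= 2 && $1 != "" {
      name = tolower($2); sub(/\.$/, "", name)   # ignore case, trailing dot
      n = length(name); d = length(dom)
      # Match the domain itself or a subdomain on a label boundary, so
      # "notnetflix.com" and "netflix.com.example.net" are not counted.
      if (name == dom || (n > d && substr(name, n - d) == ("." dom)))
        hits[$1]++
    }
    END { for (c in hits) printf "%s\t%d\n", c, hits[c] }
  ' | LC_ALL=C sort -t"$(printf '\t')" -k2,2nr -k1,1
}

# count_clients DOMAIN: number of distinct clients that queried DOMAIN.
count_clients() { clients_for_domain "$1" | wc -l | tr -d ' '; }

# Constructed sample input (not taken from a real capture).
sample_queries() {
  printf '%s\t%s\n' \
    10.0.0.11 www.netflix.com \
    10.0.0.11 api.netflix.com \
    10.0.0.12 Netflix.com. \
    10.0.0.13 notnetflix.com \
    10.0.0.14 netflix.com.example.net \
    10.0.0.12 www.wireshark.org
}

sample_queries | clients_for_domain netflix.com
```

DNS lookups are only a proxy for usage: a client that has the name cached, or that sits behind a shared resolver, will be undercounted or merged.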