Are there packets Wireshark will not capture?

I am trying to watch a link between my router and a destination server but I do not see the traffic. I seem to see quite a bit of traffic but not to the server the router is supposed to be sending to.

asked 11 Oct '12, 17:55 wrcooke
One Answer:
Wireshark itself runs "above" the kernel (in userspace), but it has a direct "link" to the kernel via libpcap/winpcap (dumpcap) and thus it will get all packets from the kernel, no matter which protocol level. However, there might be "interfering" software installed on the capturing device that filters packets before they are handed over to libpcap/winpcap.
According to the description of the OP, I think the Capture Setup is not correct.
Regards

answered 17 Oct '12, 10:50 Kurt Knochner ♦
You've got to be a little more specific than this...
I wish I could be vastly more specific but I see the app running on the router talking to a server but Wireshark does not see that conversation. This is why I ask if there are packet types Wireshark cannot capture.
Do you mean you don't see any packets in Wireshark? Are you capturing on the correct interface? And what is this app you're talking about?
This is most likely a problem related to how the capture setup is done, so you should tell us how you are capturing the data. If you're just attached to the router, and the server has its own line, you'll not see much of their communication since it is switched.
I might be wrong about this, so someone please correct me if I am, but since Wireshark capture naturally runs above the kernel it can't capture packets that don't appear at higher levels. This may be due to a driver or something that maybe filters or redirects the packets. Could this possibly be the problem in your case?
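
The switched-network point raised in the comments above, as an added example that is not part of the original thread: a minimal Python model of a MAC-learning switch, showing which frames reach a capture host that sits on its own port. The port numbers, MAC labels and payloads are constructed sample values, and the three-port layout is an assumption.

```python
# Added illustration (not from the thread): a minimal MAC-learning switch.
# Ports, MAC labels and payloads are constructed sample values.
from collections import defaultdict

BCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}            # MAC -> port it was last seen on
        self.seen = defaultdict(list)  # port -> frames delivered to that port

    def receive(self, in_port, src, dst, payload):
        """Process one frame arriving on in_port; return the egress ports."""
        self.mac_table[src] = in_port             # learn the sender's port
        if dst == BCAST or dst not in self.mac_table:
            out = self.ports - {in_port}          # broadcast/unknown: flood
        elif self.mac_table[dst] == in_port:
            out = set()                           # same segment: drop
        else:
            out = {self.mac_table[dst]}           # known unicast: one port only
        for port in out:
            self.seen[port].append((src, dst, payload))
        return out

def simulate():
    """Router on port 1, server on port 2, capture host on port 3."""
    router, server = "mac-router", "mac-server"
    sw = LearningSwitch(ports=[1, 2, 3])
    sw.receive(1, router, BCAST, "ARP who-has server")  # flooded to 2 and 3
    sw.receive(2, server, router, "ARP reply")          # unicast to port 1
    for i in range(3):
        sw.receive(1, router, server, f"app data {i}")
        sw.receive(2, server, router, f"app ack {i}")
    return sw

def unicast_seen(sw, port):
    """Frames delivered to a port that were not broadcasts."""
    return [f for f in sw.seen[port] if f[1] != BCAST]

if __name__ == "__main__":
    sw = simulate()
    for port in sorted(sw.ports):
        print(f"port {port}: {len(sw.seen[port])} frames, "
              f"{len(unicast_seen(sw, port))} unicast")
```

In this model the capture host on port 3 receives only the initial broadcast, which matches the symptom in the question: plenty of traffic is visible, but not the router-to-server conversation.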