First off, I only use wireless, so when selecting the network card there is only one that has traffic on it (pretty sure I'm not selecting the wrong one with such limited options).

tcp.port == 23

Then I use the terminal (Mac 10.8) to open a telnet session, but I see no traffic. If I turn off the filter I see traffic, but no way to see (if they are there) my telnet traffic. This has to be a setting; I have had this working prior, and have similar problems when filtering for other traffic/ports.

dumpcap:

UPDATE: Just tried this on my windows box and it worked fine. I was wrong and do still need this. I don't understand what's wrong, default install and not seeing but a few packet types.

asked 21 Nov '12, 12:40 owengerig, edited 27 Nov '12, 10:47
3 Answers:
I double clicked on the adapter en0; this brought up a menu I haven't seen before and it let me uncheck Monitor Mode (which changes the Link-Layer header type from "802.11 plus radiotap header" to "Ethernet"). After changing those options you have to click Start. After that everything worked (saw my packets). Here is why this is strange though: I went into preferences and made sure Monitor Mode was off and that Ethernet was selected for the link-layer header type (even now it's set to that). However, whenever starting a new session with the Capture Options button it seems to enable Monitor Mode and the other link-layer header type by default. So my settings were negated by using the Capture Options start method.

answered 27 Nov '12, 11:12 owengerig, edited 27 Nov '12, 11:13

Have a look at the capture options before you start your capture. Chances are that (based on the DISPLAY environment variable) a capture filter is set against your host's traffic. Simply remove the capture filter and start the capture.

answered 22 Nov '12, 04:16 Jaap ♦

I posted an image of my filters but am still a little confused as to which one should be deleted? I have not added anything in here so these should be defaults. Which ones can/should I delete? Like I said these are defaults so I don't think I really need any of them? (25 Nov '12, 07:58) owengerig

I have since reinstalled wireshark and most of those are gone. Still not working though. (26 Nov '12, 07:12) owengerig
O.K. then you are (most certainly) capturing on the wrong interface. What is the output of the following command:
Regards

answered 26 Nov '12, 08:29 Kurt Knochner ♦

I type that in the terminal, correct? I get nothing back. And if I capture on all devices I still get nothing (from the ping test). (26 Nov '12, 09:57) owengerig

Yes, in the terminal. No output at all? Did you try to run it with sudo? (26 Nov '12, 10:15) Kurt Knochner ♦

Sorry, didn't think to do sudo, see update for results. (26 Nov '12, 10:38) owengerig

O.K. so, did you capture on en0? (26 Nov '12, 11:59) Kurt Knochner ♦

Yes, and still nothing. Regardless of whether I'm doing telnet or ping (10.8.30.141). With the filter ip.addr == 10.8.30.141. (26 Nov '12, 12:15) owengerig

O.k., something different. Run tshark with sudo:

Then ping/telnet your host 10.8.30.141 in a second window. Do you see anything? If yes, try it without sudo. If that does not work, it's probably a privilege problem. Then try to run Wireshark with sudo:

Do you now see something? BTW: Just by chance. There is a utun0 interface. You are not trying to ping something through a VPN tunnel, are you? (26 Nov '12, 12:49) Kurt Knochner ♦

I have monitor and promiscuous modes enabled (tried disabling them but it didn't help). Is this normal though? (27 Nov '12, 11:03) owengerig
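A scripted version of the two checks that resolved this thread: the accepted answer's point that the capture must use the Ethernet link-layer header rather than "802.11 plus radiotap header" (in Monitor Mode the adapter hands Wireshark raw 802.11 frames, which on an encrypted network cannot be dissected down to tcp.port == 23 unless the WPA key is configured), and Kurt's suggestion to list the interfaces tshark can see before capturing. This is an added example, not code from the thread or from the Wireshark project. It assumes tshark is on PATH and that the Wi-Fi interface is en0; the "tshark -L" output embedded in it is a constructed sample so the parsing can be exercised on a machine without tshark.

```shell
#!/bin/sh
# Added example, not from the thread: confirm the capture interface offers
# plain Ethernet framing before capturing telnet, and build the tshark command
# with the link type named explicitly so a stray Monitor Mode default cannot
# silently switch it to 802.11 plus radiotap.
# Assumptions: tshark is on PATH; the Wi-Fi interface is en0 (override with IFACE=...).

IFACE="${IFACE:-en0}"

# Constructed sample of what "tshark -L -i en0" prints for a Mac Wi-Fi adapter;
# used when tshark is not installed so the checks can still be exercised.
SAMPLE_L='Data link types of interface en0 (use option -y to set):
  EN10MB (Ethernet)
  IEEE802_11_RADIO (802.11 plus radiotap header)
  IEEE802_11 (802.11)'

# Read "tshark -L" output on stdin and print only the link-type names
# (the first token of each indented line).
link_types() {
    awk '/^[ \t]+[A-Z0-9_]+/ { print $1 }'
}

# Succeed if the link type named in $1 appears in the list on stdin.
has_link_type() {
    link_types | grep -qx "$1"
}

# Compose the capture command for interface $1, stopping after $2 packets:
# -y EN10MB forces Ethernet framing (and no -I, so Monitor Mode stays off);
# -f applies a capture filter for telnet that matches the display filter tcp.port == 23.
capture_cmd() {
    printf 'tshark -i %s -y EN10MB -f "tcp port 23" -c %s' "$1" "$2"
}

main() {
    if command -v tshark >/dev/null 2>&1; then
        echo "Interfaces tshark can see (rerun with sudo if the list is empty):"
        tshark -D 2>&1
        # Fall back to the constructed sample if the interface does not exist here.
        types=$(tshark -L -i "$IFACE" 2>/dev/null) || types="$SAMPLE_L"
    else
        echo "tshark not found; using the constructed sample output" >&2
        types="$SAMPLE_L"
    fi

    echo "Link types offered by $IFACE:"
    printf '%s\n' "$types" | link_types

    if printf '%s\n' "$types" | has_link_type EN10MB; then
        echo "Capture with: $(capture_cmd "$IFACE" 10)"
    else
        echo "$IFACE offers no Ethernet link type; 802.11 frames will not decode as tcp.port == 23" >&2
        return 1
    fi
}

main
```

Run it as `sh check_capture.sh` (or `IFACE=en1 sh check_capture.sh` for another adapter). If the interface lists only IEEE802_11 types, the adapter is in Monitor Mode and a tcp.port filter will stay empty no matter which interface is selected; if `tshark -D` prints nothing, repeat with sudo, which is the privilege problem Kurt describes.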
Do you telnet your own machine (where wireshark is running) or a different one?

Telnetting from my machine to another machine.

If you ping the remote machine, do you see that in Wireshark?

I don't think so, but I'm not sure how to filter ping traffic? I tried ip.addr == 127.0.0.1 with a continuous ping (to the 127 address) and NOTHING showed up.

If you ping localhost (127.0.0.1), you will only see that if you capture on the loopback interface (lo). At least on linux it works that way.

But why did you ping the localhost address and not the remote address??

I used the filter for the remote ip (ip.addr == 10.8.30.141) and did the continuous ping but did not see anything.