This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello all:

I'm unable to get Wireshark to view "promiscuously" on my home LAN. Home LAN consists of:

MINT 13 Mate machine one Ubuntu machine (11 something I think) one mac os X laptop and two windows xp boxes

I'm working from the MINT machine (13) and have successfully configured wireshark ( I think ) such that I should be able to successfully capture all the traffic on my network. Checkbox for promiscous mode is checked. ip link show eth0 shows PROMISC.

But traffic captured does not include packets between windows boxes for example. Only traffic to and from the MINT 13 machine ( and broadcasts etc )

Should work but it dosen't.

asked 12 Dec '12, 08:36

jda8818's gravatar image

jda8818
6112
accept rate: 0%

edited 13 Dec '12, 09:12

grahamb's gravatar image

grahamb ♦
19.8k330206


This doesn't have much to do with promiscuous mode, which will only allow your capturing NIC to accept frames that it normally would not. But in your case the capture setup is problematic since in a switched environment you'll only receive frames for your MAC address (plus broadcasts/multicasts).

Take a look at the Wiki page here: http://wiki.wireshark.org/CaptureSetup/Ethernet

permanent link

answered 12 Dec '12, 08:42

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 12 Dec '12, 08:44

Thank you Jasper ...

Home network is not swithched however. Consists of a Netgear 114P Firewall/print server (4 port) connected to an 8 port hub (Netgear FE108). I should see everything, no?

Thanks again Jasper,

J

PS: in this case I'm interested in the traffic from one specific machine, so I guess I could make sure that this particular machine is attached directly to the firewall ... I'll try that now

(12 Dec '12, 08:50) jda8818

Hint: I converted your answer to a comment to keep things tidy.

If your hub is really a hub (and not a "switching" hub, which often happens to be the case - things that work as a switch but being called a hub) you should see everything that any port on that hub sends and receives. As far as I read the PDF manual of the device it really seems to be a hub. You should communicate in half duplex mode if it really is.

If any of the other boxes is directly attached to the Firewall you might not see it, because I guess that the Firewall doesn't work in hub mode but is in fact switching packets.

(12 Dec '12, 08:59) Jasper ♦♦

Well Jasper, I'm making some progress. I moved the MINT machine (with Wireshark) from the Firewall to the hub, and I can now see ping traffic between (for instance) the two XP boxes, which are also no the hub.

Thank You for your knowledge and attention!

(12 Dec '12, 09:10) jda8818

You're welcome :-) If you think your question was solved you might want to accept the answer with the checkmark icon on the left. That way others can see that it helped.

(12 Dec '12, 10:02) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×43

question asked: 12 Dec '12, 08:36

question was seen: 6,879 times

last updated: 13 Dec '12, 09:12

p​o​w​e​r​e​d by O​S​Q​A