This is our old Q&A Site. Please post any new questions and answers at

I have read the FAQ: When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

I have read the explanation for that question a couple times, and am not sure I really understand what's going on. What exactly is a switched network, and how do I know if I have one?

I am using a broadcom network card. Is this one of the cards that does not support promiscuous mode?

Thanks for any response.

asked 12 Jan '11, 20:12

Desh's gravatar image

accept rate: 0%

This Wireshark Wiki article discusses this in detail.

permanent link

answered 12 Jan '11, 22:41

Jaap's gravatar image

Jaap ♦
accept rate: 14%

hey try using cain and abel's sniffer to capture packets with the APR enabled, it captures even on switched networks :) -swampfox out

permanent link

answered 14 Jan '12, 18:10

swampfox's gravatar image

accept rate: 0%

Using Cain&Abel to sniff packets is an "unfriendly" way to capture data in most cases (eavesdropping). You should be very careful before doing something like this in a work environment or there might be trouble.

(15 Jan '12, 17:52) Jasper ♦♦

if your in a work area it shouldn't make a difference. using cain's APR feature Captures the same packets as wireshark just uses a differnent method of capture. (cain and abel download link)

(15 Jan '12, 22:02) swampfox

btw if your half routing a computer the source in wireshark may say the source name with a .local behind it. im not quite sure what this means but i suspect its only capturing a half of the normal ammount of packets. anyone got some ideas?

(16 Jan '12, 11:19) swampfox

If you're in a work area, the organization's IT department might give you some trouble if you do ARP poisoning on your network. Wireshark does not include ARP poisoning capabilities, so it does not attempt to fool a switch into sending traffic to it; Cain does, and thus can capture traffic that Wireshark can't see.

(16 Jan '12, 11:24) Guy Harris ♦♦

If you were in my work area, we'd shut down your network port(s) until we could figure out who you were. Then we'd shut down your user account until your supervisor could have a chat with you. After re-enabling your account, we'd subject you to extra scrutiny for about a month.

(16 Jan '12, 16:05) Jim Aragon
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 12 Jan '11, 20:12

question was seen: 22,500 times

last updated: 16 Jan '12, 16:05

p​o​w​e​r​e​d by O​S​Q​A