This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot see packets from other devices on my network

0

I have read the FAQ: When I use Wireshark to capture packets, why do I see only packets to and from my machine, or not see all the traffic I'm expecting to see from or to the machine I'm trying to monitor?

I have read the explanation for that question a couple times, and am not sure I really understand what's going on. What exactly is a switched network, and how do I know if I have one?

I am using a broadcom network card. Is this one of the cards that does not support promiscuous mode?

Thanks for any response.

asked 12 Jan '11, 20:12

Desh's gravatar image

Desh
1111
accept rate: 0%


2 Answers:

1

This Wireshark Wiki article discusses this in detail.

answered 12 Jan '11, 22:41

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

0

hey try using cain and abel's sniffer to capture packets with the APR enabled, it captures even on switched networks :) -swampfox out

answered 14 Jan '12, 18:10

swampfox's gravatar image

swampfox
11
accept rate: 0%

Using Cain&Abel to sniff packets is an "unfriendly" way to capture data in most cases (eavesdropping). You should be very careful before doing something like this in a work environment or there might be trouble.

(15 Jan '12, 17:52) Jasper ♦♦

if your in a work area it shouldn't make a difference. using cain's APR feature Captures the same packets as wireshark just uses a differnent method of capture.

http://www.oxid.it/downloads/ca_setup.exe (cain and abel download link)

(15 Jan '12, 22:02) swampfox

btw if your half routing a computer the source in wireshark may say the source name with a .local behind it. im not quite sure what this means but i suspect its only capturing a half of the normal ammount of packets. anyone got some ideas?

(16 Jan '12, 11:19) swampfox

If you're in a work area, the organization's IT department might give you some trouble if you do ARP poisoning on your network. Wireshark does not include ARP poisoning capabilities, so it does not attempt to fool a switch into sending traffic to it; Cain does, and thus can capture traffic that Wireshark can't see.

(16 Jan '12, 11:24) Guy Harris ♦♦
1

If you were in my work area, we'd shut down your network port(s) until we could figure out who you were. Then we'd shut down your user account until your supervisor could have a chat with you. After re-enabling your account, we'd subject you to extra scrutiny for about a month.

(16 Jan '12, 16:05) Jim Aragon