This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture traffic

0

I have 2 PCs set up to use Wireshark. Each PC has a different version of Wireshark. I have set the ports up to be monitor ports. I have set up what VLANs I want to capture. I only see broadcast traffic being captured. The interface on the switch shows unicast traffic going out the port toward the PC running Wireshark. I never get it. I have no filters of any kind, capture or display filters, being used. Does anyone have any thoughts on this? The switch type is Cisco Nexus 7k.

asked 14 Jan '11, 14:40


hotchilidog


One Answer:

2

This is a little confusing - you have one switch, and two PCs? Or are there two switches, each with one PC connected to a monitor port? And have you created a monitor session with the VLAN as source and the monitor port as destination?

Anyway, if you're trying to capture VLANs you need to keep a few things in mind. First of all, you might need to tell the switch that you want to include the VLAN tags in the mirror session (on Cisco there should be an "encapsulation" option when setting the monitor session) - otherwise the switch will strip the tags and you might have problems identifying where the frames are coming from.

And second, and that is something tricky: the network cards in the Wireshark PCs must be capable of handling VLAN tagged frames. I had that problem with a couple of IBM Thinkpads a few years back: they did get the VLAN tagged frames but discarded them, and Wireshark never saw them. I tried all NIC parameters but I couldn't get them to forward the frames - the solution was to use an add-on PCMCIA card (the good old Xircom Ethercard), and suddenly the frames were captured. Now, every time I get a new notebook I check if it can handle VLAN tagged frames before going out to capture at customer sites :-)

answered 15 Jan '11, 09:06


Jasper ♦♦

The topology is 2 Cisco 7Ks and 4-6500 switches. Each switch has a port channel to each Nexus 7K switch. This is why you have to have a monitor session set up on each Cisco 7K. The ports between the 2 6500 also have GLBP running for each VLAN. I can see the GLBP IP of each switch.

The purpose of this exercise is to have an audiolog record specific VOIP conversations. UDP/RTP traffic. You mentioned a PCMCIA add-on. Do you mean buy an external card that plugs into the USB port, or is there an add-on in the software?

(16 Jan '11, 09:26) hotchilidog

I meant a 32-bit PCMCIA hardware card that can be plugged into a notebook featuring a PCMCIA slot. Those are getting pretty rare today as most notebook manufacturers do not put them into their products anymore. If you want to see if the network card is the reason why you see no unicast traffic, you should try to find PCs/notebooks with other NICs built in to check if they can capture those. In my experience Intel Pro cards should work fine. If two or three different cards still show no frames, I bet the problem is not in the card but with the capture session.

(16 Jan '11, 14:55) Jasper ♦♦
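
One way to check what a capture NIC actually delivered, following the points raised in the answer above (an added example, not part of the original thread): it reads a classic pcap file and counts broadcast, multicast and unicast frames and how many carry an 802.1Q tag, per VLAN ID. It assumes the capture was saved in classic pcap format rather than pcapng; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify_frames(pcap: bytes):
    """Tally Ethernet frames in a classic pcap by destination type and 802.1Q tag."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    stats, vlans, off = Counter(), Counter(), 24
    while off + 16 <= len(pcap):
        # Record header: ts_sec, ts_usec, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            stats["truncated"] += 1
            continue
        dst = frame[:6]
        if dst == b"\xff" * 6:
            stats["broadcast"] += 1
        elif dst[0] & 0x01:  # group bit set: multicast
            stats["multicast"] += 1
        else:
            stats["unicast"] += 1
        # 0x8100 in the EtherType position means an 802.1Q tag follows.
        if len(frame) >= 18 and frame[12:14] == b"\x81\x00":
            stats["tagged"] += 1
            vlans[struct.unpack("!H", frame[14:16])[0] & 0x0FFF] += 1
        else:
            stats["untagged"] += 1
    return stats, vlans

def build_sample() -> bytes:
    """Constructed sample: one untagged broadcast, one unicast tagged VLAN 100."""
    def record(frame):
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    src = bytes.fromhex("020000000001")
    bcast = b"\xff" * 6 + src + b"\x08\x06" + bytes(46)
    tagged = (bytes.fromhex("020000000002") + src + b"\x81\x00"
              + struct.pack("!H", 100) + b"\x08\x00" + bytes(46))
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record(bcast) + record(tagged)

if __name__ == "__main__":
    print(classify_frames(build_sample()))
```

A capture that shows only `broadcast` and `untagged` counts while the switch port counters show unicast leaving the monitor port matches the symptom in the question.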