I have a question about using Wireshark filters. I want to sniff HTTP traffic to a destination IP. In this case: in our company we have many computers and of course a communication server (Microsoft server). All of the computers are in a domain! So, my question: do computers in a domain have a higher level of security? I have tried to sniff by dest. IP, and as a result get back only ARP packets. Then I tried with this filter:

(ip.dst == (com.serv.IP) && ip.src == (client.IP)) && http

(com.serv.IP) and (client.IP) are IP addresses of course. Can somebody please help me with how to use a filter to sniff HTTP traffic?

asked 28 Feb '13, 00:53 ninja4it, edited 28 Feb '13, 00:57
One Answer:
The issue is likely to be your network architecture. Most networks these days are switched, which means the switch will only route packets out of the switch port that are directed to the host on that port, along with broadcast packets, which go to all hosts. See the Wiki page on Capture Setup for more info.

answered 28 Feb '13, 01:38 grahamb ♦
Thanks for the reply!
So, we must change the switch settings .... and what is important for HTTP traffic?
I have just one quick question: is this maybe possible because we have a proxy server?
Assuming you're using Ethernet, then there are some suggestions on the Capturing on Ethernet wiki page on how to make your capture in a switched environment. You'll have to choose one of the options that is most suitable for your particular environment. If you tell us some more about your environment we may be able to offer appropriate suggestions.
Well, if you have a proxy server, why not capture on the proxy server itself?
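As an added illustration of grahamb's point (this is example code, not part of the thread, of Wireshark, or of any tool mentioned above), here is a small Python model of what a capture port sees on a switched network. It builds the display filter from the question after validating both addresses, then checks constructed frame summaries the way an analyst would: if the filter matches nothing but the capture point does see the client's unicast traffic, the filter is the problem (for example, HTTP is going to a proxy address and port instead of the server); if only broadcast ARP arrives, the capture point is the problem and a mirror/SPAN port, a tap, or capturing on the server or proxy itself is needed. The frame model, the IP addresses, and the simplification that "http" means TCP to port 80 are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Minimal summary of one captured frame (a constructed model, not pcap data).
    ARP frames carry no IP fields in this model."""
    eth_dst: str
    proto: str            # "arp" or "tcp"
    ip_src: str = ""
    ip_dst: str = ""
    tcp_dport: int = 0


def display_filter(client_ip: str, server_ip: str) -> str:
    """Build the display filter from the question, validating both addresses first
    (ipaddress raises ValueError on a malformed address)."""
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    return f"ip.src == {client} && ip.dst == {server} && http"


def matches_filter(frame: Frame, client_ip: str, server_ip: str) -> bool:
    """Approximate 'ip.src == client && ip.dst == server && http'.
    Assumption: HTTP is TCP to port 80 (Wireshark's dissector is more thorough)."""
    return (frame.proto == "tcp"
            and frame.ip_src == client_ip
            and frame.ip_dst == server_ip
            and frame.tcp_dport == 80)


def diagnose(frames, client_ip: str, server_ip: str) -> str:
    """Classify why a capture does or does not show client -> server HTTP."""
    if any(matches_filter(f, client_ip, server_ip) for f in frames):
        return "ok"
    unicast_seen = any(
        f.eth_dst != BROADCAST_MAC and f.proto != "arp"
        and client_ip in (f.ip_src, f.ip_dst)
        for f in frames
    )
    if unicast_seen:
        # The capture point sees the client's unicast traffic, so the filter is
        # what fails: e.g. HTTP is sent to a proxy address/port, not the server.
        return "filter-mismatch"
    if any(f.proto == "arp" and f.eth_dst == BROADCAST_MAC for f in frames):
        # Only broadcasts (ARP) arrive: the switch is not forwarding the
        # client<->server unicast to this port. Use a mirror/SPAN port, a tap,
        # or capture on the server or proxy itself.
        return "switched-capture-point"
    return "no-traffic"


# Constructed sample addresses and captures (not real data)
CLIENT, SERVER, PROXY = "10.0.0.5", "10.0.0.10", "10.0.0.20"

# What an ordinary switch port shows: only broadcast ARP, exactly as in the question
SWITCHED_PORT_VIEW = [
    Frame(BROADCAST_MAC, "arp"),
    Frame(BROADCAST_MAC, "arp"),
]

# What a mirror/SPAN port (or the server itself) shows
MIRROR_PORT_VIEW = [
    Frame(BROADCAST_MAC, "arp"),
    Frame("00:11:22:33:44:55", "tcp", CLIENT, SERVER, 80),
]

# Client's HTTP goes to the proxy, so ip.dst == SERVER never matches
VIA_PROXY_VIEW = [
    Frame("00:11:22:33:44:66", "tcp", CLIENT, PROXY, 8080),
]

if __name__ == "__main__":
    print("filter:", display_filter(CLIENT, SERVER))
    for name, view in [("switched port", SWITCHED_PORT_VIEW),
                       ("mirror port", MIRROR_PORT_VIEW),
                       ("via proxy", VIA_PROXY_VIEW)]:
        print(f"{name}: {diagnose(view, CLIENT, SERVER)}")
```

The display filter in the question is syntactically fine; the diagnosis function makes the distinction the answer draws, between a filter that matches nothing because the traffic never reaches the capture interface and one that matches nothing because the traffic does not look like the filter expects (as with a proxy in the path).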