This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to see traffic from specific internet line?

0

Hi,

We have 3 internet connection in our organization, how to see traffic from only one internet line in Wireshark. We are ok with display as well as capture filter.

Thanks.

asked 30 Sep '13, 00:21

pranitkothari's gravatar image

pranitkothari
515610
accept rate: 100%

One Answer:

1

How to see traffic from specific internet line?

It depends on your setup.

Case #1:

ISP1 --------+
             |
ISP2 ------router ---- switch ---- LAN/PC
             |
ISP3---------+

You need to capture on the router to be able to separate the traffic of the three lines (DSL/Cable/whatever), as the router will distribute the traffic over the three lines at its will. If the router does not support packet capturing, your chances to separate the traffic are limited or even bad, as capturing on the physical line to each provider is usually only possible with special hardware (depends on the nature of those links - DSL, Cable, ISDN, T1, etc.).

Case #2:

Without thinking about the 'problem' of the default route.

ISP1 --- router 1 ---+
                     |
ISP2 --- router 2 --switch ---- LAN/PC
                     |
ISP3 --- router 3 ---+

You need to capture in front of each router (by using a TAP or port mirroring on the switch) to be able to separate the traffic to the three ISPs.

++ UPDATE ++

Case #3:

See comments below.

ISP1 router ---+
               |
ISP2 router ---+---router/gateway ---- switch ---- LAN/PC
               |
ISP3 router ---+

Regards
Kurt

answered 30 Sep '13, 02:19

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Sep '13, 02:50

I am on Gateway, that means all traffic pass through my machine. I just wanted to check, traffic from particular internet line.

(30 Sep '13, 02:27) pranitkothari

I am on Gateway, that means all traffic pass through my machine.

What does that mean? Your PC is the router for all three internet lines? So, Case #1 is true for your environment, with your PC being the router?

If that is true, your PC should have either

  • three interfaces which you can capture on to separate the traffic (please add more information about the interfaces and your OS on the gateway in this case)

or

  • three gateways where it distributes traffic to (e.g. 3 DSL routers) like Case #3 (see the UPDATE in may answer). In that case, you can use the MAC address of the routers to distinguish the traffic

Capture Filter: ether host 00:01:02:03:04:11
Display Filter: eth.addr eq 00:01:02:03:04:11

(30 Sep '13, 02:34) Kurt Knochner ♦