This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a question regarding IP sniffing

0

When trying to sniff IPs on my network, I am not shown their IPs, but the names of the network instead. Here is a picture: http://tinypic.com/r/5ww2n9/5. If anyone can help me make it so that I can see the different IPs, that would be awesome. I'm sniffing through En1 (wirelessly). I had it working a while back, but I assume I accidentally did something to screw it up. Thanks a ton.

asked 09 Nov '13, 21:54


spinz
accept rate: 0%

edited 09 Nov '13, 21:55


One Answer:

0

> When trying to sniff IPs on my network

Is your network an Ethernet segment plugged into a Cisco Cable Modem Termination System in order to snoop DOCSIS (networking over cable TV) traffic?

If not, then turn off the "Treat all frames as DOCSIS frames" preference for the Ethernet dissector, and don't select DOCSIS as a link-layer header type when capturing on Ethernet.

> I assume I accidentally did something to screw it up

You probably either turned "Treat all frames as DOCSIS frames" on or captured with DOCSIS specified as the link-layer header type.

If you did the first of those, turning the option off should be sufficient.

If you did the latter, the capture file has the wrong link-layer header type, but you could fix it by running the command

editcap -T ether {the bad file's path name} {a file name to write to}

and then renaming the output file on top of the input file. (You did install the command-line tools when installing Wireshark, right? If not, do so.)

answered 09 Nov '13, 22:48


Guy Harris ♦♦
accept rate: 19%

Hi, thank you so much for your reply. I turned off "Treat all frames as DOCSIS frames," but I am still not seeing the IPs. Here is a picture of my capture: http://tinypic.com/r/126fais/5

(12 Nov '13, 07:11) spinz

OK, you're now capturing in monitor mode, so you're seeing raw 802.11 frames as they appear on the air (and you see non-data frames, such as beacons, which don't have IP addresses), and you're probably capturing on a protected network (using WEP or WPA/WPA2), which means the frames you capture are encrypted, and to see their contents - including the IP headers! - you'd need to give Wireshark enough information to decrypt them.

Either don't check the "Monitor mode" box for the interface, in which case you'll only capture traffic to and from your machine but you'll get decrypted data, or follow the "how to decrypt 802.11" instructions, in which case you'll see other traffic on your network (although, if you're on a WPA/WPA2 network, you might have to disconnect and reconnect other machines after you start capturing if you want to decrypt their traffic, as you'd need to force them to do the initial "EAPOL handshake").

(12 Nov '13, 13:23) Guy Harris ♦♦
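An added example, not part of the original thread or of Wireshark's code: a Python sketch that reads the link-layer header type stored in a classic pcap file's global header, which is the value the answer says was wrong (DOCSIS) and the value that changes to 802.11 when capturing in monitor mode. It handles classic pcap only (not pcapng); the function names and the constructed sample capture are assumptions made for illustration, and `retag_as_ethernet` only illustrates the kind of header change `editcap -T ether` makes.

```python
import struct

# Link-layer header type values from the tcpdump.org LINKTYPE_ registry.
ETHERNET, IEEE802_11, RADIOTAP, DOCSIS = 1, 105, 127, 143

# Classic pcap magic (first 4 file bytes) -> struct byte order of the header.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond timestamps
}

def read_linktype(data: bytes):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng has a different layout)")
    order = MAGICS[data[:4]]
    (network,) = struct.unpack_from(order + "I", data, 20)
    return order, network & 0xFFFF  # upper bits can carry FCS information

def diagnose(data: bytes) -> str:
    """Explain why IP addresses may be missing, based on the link type."""
    _, lt = read_linktype(data)
    if lt == DOCSIS:
        return "DOCSIS: wrong for an ordinary Ethernet capture, retag as Ethernet"
    if lt in (IEEE802_11, RADIOTAP):
        return "802.11 monitor mode: IP headers stay hidden until frames are decrypted"
    if lt == ETHERNET:
        return "Ethernet: IP addresses should dissect normally"
    return f"other link type ({lt})"

def retag_as_ethernet(data: bytes) -> bytes:
    """Return a copy whose header says Ethernet; packet bytes are untouched."""
    order, _ = read_linktype(data)
    (network,) = struct.unpack_from(order + "I", data, 20)
    fixed = (network & 0xFFFF0000) | ETHERNET
    return data[:20] + struct.pack(order + "I", fixed) + data[24:]

def sample_capture(linktype: int) -> bytes:
    """Constructed sample: little-endian pcap header plus one dummy 14-byte frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    frame = bytes(12) + b"\x08\x00"  # zeroed MAC addresses, EtherType IPv4
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return header + record

if __name__ == "__main__":
    bad = sample_capture(DOCSIS)
    print(diagnose(bad))
    print(diagnose(retag_as_ethernet(bad)))
    print(diagnose(sample_capture(RADIOTAP)))
```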