This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to monitor traffic to Google servers?

1

I can no longer use Google search. It says that my network is sending automatic requests. I discovered Wireshark and I want to ask if I can use it to know what computer (LAN IP) is sending all these queries to Google. Maybe it has a virus or something.

If it's possible to do this, how do I do it? I'm not a network specialist.

asked 25 Nov '13, 01:41

Loling Stones

edited 26 Nov '13, 04:44

Kurt Knochner ♦

2 Answers:

0

It's possible for this to happen when you are using a proxy server; therefore, what I would suggest you do first is connect to Google through another internet connection to further see if it is the LAN that's actually causing this. I am still new to Wireshark as well, so I'd like to know the answer to your question as well. (:

Good Luck!

answered 25 Nov '13, 06:15

GasShark

0

Here is what Google recommends to identify the problem.

https://support.google.com/websearch/answer/86640

UPDATE

And what Google recommends (installing a few malware/antivirus and scanning for malicious software) is not viable

O.K. then you need to capture the traffic in front of your internet router (LAN side). Please read the following wiki how to do that

http://wiki.wireshark.org/CaptureSetup/Ethernet#Capture_using_a_monitor_mode_of_the_switch

You will need to mirror/monitor the switch port where your internet router is connected to. If you don't have a switch with port mirroring, these are your options:

As soon as you can capture traffic, you need to run that capture for some time (maybe a few minutes, maybe a few hours, maybe days - if the offending device is currently switched off).

BEWARE: You cannot simply run Wireshark for several hours/days, as your system will run out of RAM. Instead, please use dumpcap to capture only traffic to Google servers (based on IP ranges). Please read the Wireshark docs to figure out how that works!

http://www.wireshark.org/docs/

Regards
Kurt

answered 25 Nov '13, 06:43

Kurt Knochner ♦

edited 26 Nov '13, 04:46

The problem exists on all LAN's devices, not just a computer. And what Google recommends (installing a few malware/antivirus and scanning for malicious software) is not viable if for example you got 50 PCs (I don't have that many) in the network. Also a lot of PCs got top-end antivirus software, so it can be other reason for the high requests sent to Google.

I was able to bypass this issue using different google servers (not the one given by DNS), but It would be nice to know how to use Wireshark to find the root of the problem.

(26 Nov '13, 04:16) Loling Stones

see the UPDATE in my answer.

(26 Nov '13, 04:41) Kurt Knochner ♦
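
The dumpcap approach from the second answer, sketched as an added example that is not part of the original thread: a ring-buffer capture limited to destination ranges, then a per-host count of new connections. The function names, the sample addresses and the `RANGES` values are assumptions; the ranges are documentation placeholders, not Google's, and must be replaced with the ranges you want to watch.

```shell
#!/bin/sh
# PLACEHOLDER destination ranges (RFC 5737 documentation nets, not Google's).
RANGES="192.0.2.0/24 198.51.100.0/24"

# Build a capture filter of the form "dst net A or dst net B ...".
build_filter() {
    filter=""
    for net in "$@"; do
        if [ -z "$filter" ]; then
            filter="dst net $net"
        else
            filter="$filter or dst net $net"
        fi
    done
    printf '%s\n' "$filter"
}

# Long-running capture on the mirrored port. The ring buffer (10 files of
# about 100 MB, oldest overwritten) keeps RAM and disk use bounded.
# $1 = capture interface, $2 = output file name.
start_capture() {
    # $RANGES is left unquoted on purpose so each range becomes one argument.
    dumpcap -i "$1" -f "$(build_filter $RANGES)" \
        -b filesize:102400 -b files:10 -w "$2"
}

# Print the source IP of every new TCP connection (SYN without ACK) in a file.
extract_syns() {
    tshark -r "$1" -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
        -T fields -e ip.src
}

# Read one source IP per line on stdin; print "count ip", busiest host first.
top_talkers() {
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed sample of extract_syns output, for trying top_talkers offline.
sample_sources() {
    printf '%s\n' 192.168.1.23 192.168.1.10 192.168.1.23 192.168.1.23 \
        192.168.1.42 192.168.1.23 192.168.1.10 192.168.1.23
}

# Typical use:
#   start_capture eth0 /var/tmp/watch.pcapng
#   for f in /var/tmp/watch_*.pcapng; do extract_syns "$f"; done | top_talkers
```

Because the capture point is on the LAN side of the router, `ip.src` is the internal address before NAT, so the host at the top of the list is the one opening the most connections to the watched ranges.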