validate capture (can’t see all traffic)

If you can see your traffic but not others, my first thought is that the method you're using to capture the traffic isn't correct.

From your diagram, if I am correct that the "Box" is the system running Wireshark and it is connected directly to the router's WAN port, then it will not receive any local LAN traffic between the 15 hosts. Only traffic destined for IP network(s) for which the router would send out the WAN port will be received by the "Box" in that diagram. To be clear, what do you mean by "WAN + me"? Are you mirroring off of the router to a separate physical machine from "Box"? How is this being done?

A few things to consider here:

• Traffic between machines served by Switch2 on the same vlan will never leave Switch2 toward Switch1.
• Traffic between machines served by Switch1 on the same vlan will never leave Switch1 toward the router or Switch2
• Traffic between machines served across Switch1 and Switch2 on the same vlan will never reach the router.
• Even for traffic which reaches the router, unless the destination IP network is outside of your LAN(s) from an IP routing perspective, it will never be sent across the WAN port to the "Box".

In the setup you describe, the "Box" will see IP traffic routed to or from it by the 15 machines but it will not see any LAN traffic at all.

To be clear on the objective here, is the goal to measure all bandwidth leaving the WAN port specifically? If so, the traffic that you say you observe is exactly what I would expect to see - (all traffic to and from "Box" should be present in a packet capture performed on "Box" to and from the local LANs). Is the goal to see all traffic from all machines, period? If so, I'd suggest "SPAN" or "Port Mirroring" on the switches if they support it.