Dear Guys, Good Day. This is the first time I use Wireshark for testing purposes. I tried to set up one of my PCs as the Wireshark host, which is attached to a planet core switch, and the other PCs connect to the core switch as well. I started a capture and I can see my host IP address activity, like where the destination IP is and what the protocol is. However, for the other PCs the destination only shows the last IP address (192.168.0.255); it won't show the actual destination, like a Google IP. Can anyone help me with this? Thanks. JACK
asked 30 Sep '14, 18:35 JACKJACK, edited 30 Sep '14, 18:56
2 Answers:
Have you looked at the Wiki page on capturing in a switched network? A tap is only necessary if your switches aren't able to span or mirror ports; most managed switches can do this.
answered 01 Oct '14, 01:55 grahamb ♦
You need to have a Tap for your switch to capture traffic of other hosts.
answered 30 Sep '14, 18:51 Beldum
Thanks for the answer. My Wireshark version is 1.12.1. Do you mean that I need to add a script to my core switch? (30 Sep '14, 19:39) JACKJACK
What I mean is that you would need a full-duplex tap to analyze more than one port on a switch or... or you can SPAN a port on a switch. The best thing to do would be to just obtain a full-duplex tap. (30 Sep '14, 22:23) Beldum
Dear Beldum and Grahamb
Good Day. Thanks for the guide and comments. I configured the mirroring in the switch and it now works perfectly as I planned. Thanks for sharing; I think most new Wireshark users may face a problem like mine, as they have no idea how to set it up.
Hi grahamb
Good Day. As per my answer, I successfully traced what I want, but I would like to know how to make Wireshark show the actual HTTP location and page in the destination rather than display the host? Thanks.
@JACKJACK
It's not entirely clear to me what your issue is (what is "last address"), but I think you're still having issues with switched capture. As you are now hopefully capturing from a mirrored port on the switch that's connected to your internet access device, and the mirrored port should be the port used for internet access. Then, every packet transmitted to and from the internet will be mirrored onto the capture port. You can simply test this by running ping 8.8.8.8 (Google DNS) on one of the other machines and ensuring you can capture both the ping request and reply. Once you have this working, then you can test accessing a web site.
grahamb
Thanks for the reply. Yes, I successfully set up the device and I can capture all my network points in the network. What I am asking is this: I can see my source IP (for example, 192.168.0.100 is one of my network PCs) and the destination IP (for example, 72.52.228.152). At this point, I can only see the destination IP, and this IP belongs to www.cfwebserver.com. This site hosts a lot of website domains and mail servers. How may I know which website my 192.168.0.100 actually visited? Thanks.
As the mirror of the internet port will be showing traffic from all the network PCs, you can add a capture filter to limit the capture to just the PC you're interested in. In the capture options dialog add a capture filter of the form
host 192.168.0.100
adjusting the IP address as required. If you then only need to see traffic between that network PC and a single website, you can extend the filter to include the website address, e.g.
host 192.168.0.100 && host 72.52.228.152
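For the question above of which site 192.168.0.100 requested at a shared-hosting address, an added example (not part of the original thread): for plain HTTP, the Host header and request path inside the captured packet name the site. The frame bytes and the hostnames site-a.example / site-b.example are constructed sample data, and http_request_target is a hypothetical helper, not a Wireshark function.

```python
import struct

def build_frame(src_ip, dst_ip, payload):
    """Constructed sample data: Ethernet + IPv4 + TCP frame (checksums left 0)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                      64, 6, 0, ip(src_ip), ip(dst_ip))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + iph + tcp + payload

def http_request_target(frame, client, server):
    """Return (host, path) for an HTTP request sent client -> server, else None.

    Uses the same address pair as the capture filter in the thread, but only
    the client -> server direction, because that is where requests travel.
    """
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    if frame[14] >> 4 != 4 or frame[23] != 6:            # not IPv4 carrying TCP
        return None
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    if (src, dst) != (client, server):
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4                # skip IP options
    data_off = (frame[tcp_off + 12] >> 4) * 4            # skip TCP options
    head = frame[tcp_off + data_off:].partition(b"\r\n\r\n")[0]
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                                      # not a request line
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip(), parts[1]
    return None

# Constructed sample frames: two PCs requesting different sites on one server IP.
FRAME_A = build_frame("192.168.0.100", "72.52.228.152",
                      b"GET /index.html HTTP/1.1\r\nHost: site-a.example\r\n\r\n")
FRAME_B = build_frame("192.168.0.101", "72.52.228.152",
                      b"GET /mail HTTP/1.1\r\nHost: site-b.example\r\n\r\n")

if __name__ == "__main__":
    for f in (FRAME_A, FRAME_B):
        print(http_request_target(f, "192.168.0.100", "72.52.228.152"))
```

This only works for unencrypted HTTP; in HTTPS traffic the Host header is inside the encrypted stream.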