This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hidden Traffic

0

Does anybody know if there is traffic that Wireshark can't capture? I mean, you don't see this traffic in the program.

asked 18 Feb '15, 13:02

Pim
11334
accept rate: 0%


One Answer:

1

Wireshark can't capture anything....

It uses dumpcap to do the capture for it. How does dumpcap do it? Well, it uses the libpcap library (as applicable for the platform) capabilities to capture traffic.

How does libpcap do it? As said, depending on the platform, it latches on to the network stack and gets its packets from there. This means NDIS5 on Windows, it means (ever more capable) (packet) socket on Un*x like platforms, etc.

So, any traffic that is not passing via a path that libpcap can latch on to cannot be captured.

answered 19 Feb '15, 04:13

Jaap ♦
11.7k16101
accept rate: 14%

Thanks a lot Jaap, but could you give some type of traffic that is not passing via a path that libpcap can latch on to? And with this type of traffic in Wireshark you don't see anything, no?

(21 Feb '15, 10:35) Pim

Nothing much really. Traffic going directly onto a bus that's not serviced by the network stack comes to mind. E.g. traffic on an I2C bus probably won't show up on an interface that libpcap can select. But the relevance of such an interface as a network interface is questionable. Still, it could be done given the right hardware. Look at DECT for instance. Not something available in stock network capture, but with the right hardware it can be captured, and readily decoded in Wireshark.

(23 Feb '15, 04:33) Jaap ♦

If the reason for the question is that you think that you ought to see some traffic that you are not seeing, chances are that there's something wrong with your capture setup, or, if you are expecting protocol foo but only seeing UDP/TCP, that some preference needs tuning. If you try to describe what you think is missing we might be able to help you further.

(23 Feb '15, 04:57) Anders ♦

He, we're tracking into the wilderness here, into uncharted territories ;) But I guess you're right; @Pim: what did you expect to see?

(23 Feb '15, 08:20) Jaap ♦