This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture Virtual card data

0

Hello

My OS is XP, I have installed a Pocket PC emulator, and therefore a virtual card.

I want to sniff the traffic between an FTP client, which resides on the emulator, and an FTP server which is on another machine.

Wireshark is on the emulator's host machine.

I'm able to sniff the traffic from the emulator to the ftp server, but not the return traffic, from the ftp server to the emulator.

Is there a way to do it?

Thank You

Andre

asked 22 May '11, 09:47


Chantme


2 Answers:

1

It seems the "Pocket PC Emulator" created a virtual NIC in such a way that return traffic is directed to the "Emulated Pocket PC" before libpcap sees the traffic. Therefore, I don't think it will be possible to capture traffic on your host.

However, you can capture on the FTP server (if it is under your control) or else use a HUB or switch with Span-port and connect your host to it. Then you can use a second system to capture the packets.

See also: http://wiki.wireshark.org/CaptureSetup/Ethernet

answered 23 May '11, 01:17


SYN-bit ♦♦

0

Since the FTP server is on another machine, which rules out traffic missing because of localhost transfers, you have a strange situation there. You should see both outgoing and incoming packets. If you don't, you should check for

  1. capture filters refusing one direction
  2. display filters showing only one direction
  3. more than one network card in your host machine, where the outgoing traffic travels through a different card than the incoming (don't forget wired/wireless cards being in the same network)

answered 22 May '11, 13:55


Jasper ♦♦
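
An added example, not part of either answer and not Wireshark project code: a Python sketch that checks a capture taken on several interfaces for the symptoms discussed above, flagging TCP conversations seen in only one direction and conversations whose two directions arrive on different cards. It assumes tab-separated rows in the shape produced by `tshark -T fields`; the sample rows, addresses, interface names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: tab-separated rows in the shape produced by
#   tshark -r capture.pcapng -T fields -e frame.interface_name \
#          -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport
# capture.pcapng, the addresses and the interface names are placeholders.
SAMPLE = (
    "eth0\t192.168.1.50\t192.168.1.10\t1045\t21\n"
    "eth0\t192.168.1.50\t192.168.1.10\t1045\t21\n"
    "wlan0\t192.168.1.10\t192.168.1.50\t21\t1045\n"
    "eth0\t192.168.1.50\t192.168.1.20\t1046\t21\n"
    "eth0\t192.168.1.60\t192.168.1.10\t1050\t21\n"
    "eth0\t192.168.1.10\t192.168.1.60\t21\t1050\n"
)


def parse_rows(text):
    """Yield (interface, (src_ip, src_port), (dst_ip, dst_port)) per row."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or not all(fields):
            continue  # rows without IP/TCP fields come out with empty columns
        iface, src, dst, sport, dport = fields
        yield iface, (src, int(sport)), (dst, int(dport))


def classify_flows(text):
    """Map each conversation to 'bidirectional', 'one-way' or 'split-interfaces'."""
    # conversation key (sorted endpoint pair) -> direction -> interfaces seen
    seen = defaultdict(lambda: defaultdict(set))
    for iface, a, b in parse_rows(text):
        key = tuple(sorted((a, b)))
        direction = "fwd" if (a, b) == key else "rev"
        seen[key][direction].add(iface)

    report = {}
    for key, dirs in seen.items():
        fwd, rev = dirs.get("fwd", set()), dirs.get("rev", set())
        if not fwd or not rev:
            report[key] = "one-way"           # return traffic never captured
        elif fwd.isdisjoint(rev):
            report[key] = "split-interfaces"  # each direction on its own card
        else:
            report[key] = "bidirectional"
    return report


if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, verdict)
```

A "one-way" verdict on every interface points back at filters or at the virtual NIC behaviour described in the first answer; "split-interfaces" matches the multiple-card case in the list.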