Greetings all - hopefully you can help me out because I really don't know much about networking but have something on my network that is eating up a bunch of bandwidth on my ISP (showed up about a month ago - I started getting warnings from my ISP). I think Wireshark can help me figure out what's eating up all the bandwidth but I'm not quite sure how. I'm just looking for info on how to sort internet usage by IP address.

I found this thread: that seems to answer the question on how to do that. However, when I run the "Endpoints" summary sorted by IPv4 and look at the "Bytes" column I see 10x - 100x the usage that's reported by my router during the same time interval. The totals on my router are consistent with what I'm seeing from my ISP so that tells me I don't really know what I'm measuring with Wireshark...!

Now, I believe that what shows up under the "IPv4 Endpoint" summary could very well contain a lot of traffic that has no effect on my ISP usage. I have several computers on my network, and they use IPv4 to talk, right? So if they're just talking to each other then, indeed, that would not show up on my ISP usage. Do I understand that correctly?

If so, how do I use Wireshark to extract only the traffic that counts against my Internet traffic (sorted by IP address, of course)? Alternatively, is there an easier way to accomplish this task?

I realize this is probably Networking 101, so thanks in advance!

rgames

asked 19 Jun '15, 18:13 rgames
One Answer:
Well, as the other thread explains you need to take a trace on the router to get the statistics of all your internet traffic and then apply the Statistics -> Endpoint method.

eth.addr==xx:xx:xx:xx:xx:xx and (ip or ipv6)

Update: Ok, understood: You see more traffic than is being sent/received to/from your ISP. In this case it must be local traffic which you want excluded from the calculation ...

A display/capture filter that only

Regards
Matthias

answered 19 Jun '15, 21:56 mrEEde
edited 21 Jun '15, 12:35
Thanks for the reply!
I'm still confused, though, because I think I'm getting all the traffic - in fact, as I described, Wireshark is showing a lot MORE traffic than is reported by my router or ISP. I understand how to sort by IP address and have done so - again, when I sort by IP I get a lot MORE traffic than reported by my router or ISP.
Maybe this example will help explain where I'm stuck: if I run a capture for 10 minutes and monitor my Internet traffic on my router I get, say, 10 MB of Internet traffic. But if I look at just one IP address in the Wireshark output, say 192.168.1.2, it shows 100 MB of traffic on my network over the same time period. That tells me that Wireshark is measuring a lot of traffic that has nothing to do with my ISP usage.
So, I can see all the devices on my network and the traffic associated with them (I think...!). Further, I know how to sort the output to show the traffic for each.
I need to figure out how to show only the traffic that is counted against my ISP usage.
Thanks again,
rgames
@rgames: I converted your answer to a comment, as that's how this Q&A site works. Please read the FAQ.
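
An added example, not part of the original thread: one way to separate the bytes that cross the router to the Internet from LAN-only traffic, which is the distinction the question and the answer's update turn on. The 192.168.1.0/24 LAN range (the thread only mentions 192.168.1.2) and the per-packet rows are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: the LAN is 192.168.1.0/24 (the thread only mentions 192.168.1.2).
LAN = ipaddress.ip_network("192.168.1.0/24")
BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed sample rows: (source IP, destination IP, frame length in bytes).
SAMPLE = [
    ("192.168.1.2", "192.168.1.3", 60000),    # LAN to LAN: never reaches the ISP
    ("192.168.1.2", "203.0.113.10", 1500),    # upload to an Internet host
    ("203.0.113.10", "192.168.1.2", 9000),    # download from an Internet host
    ("192.168.1.3", "198.51.100.7", 400),     # upload from a second LAN host
    ("192.168.1.3", "192.168.1.255", 200),    # subnet broadcast, stays local
    ("192.168.1.4", "239.255.255.250", 300),  # multicast, stays local
    ("192.168.1.4", "255.255.255.255", 100),  # limited broadcast, stays local
]

def stays_local(addr):
    """True for addresses that are not a host on the far side of the router."""
    return (addr in LAN or addr.is_multicast or addr.is_link_local
            or addr == BROADCAST)

def internet_bytes_by_host(rows):
    """Per LAN host, sum the bytes exchanged with non-local addresses."""
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, length in rows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in LAN and not stays_local(d):
            totals[src]["up"] += length
        elif d in LAN and not stays_local(s):
            totals[dst]["down"] += length
        # Anything else is LAN-only traffic and does not count against the ISP.
    return dict(totals)

def report(rows):
    """LAN hosts sorted by total Internet bytes, largest first."""
    totals = internet_bytes_by_host(rows)
    return sorted(((h, t["up"], t["down"]) for h, t in totals.items()),
                  key=lambda r: r[1] + r[2], reverse=True)

if __name__ == "__main__":
    for host, up, down in report(SAMPLE):
        print(f"{host:15} up={up:>8} down={down:>8}")
```

Frame lengths include link-layer headers, so totals computed this way will run slightly higher than a router's or ISP's byte counter for the same interval.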