This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

[beginner]capture remote distant

Hi,

I work on WireShark on Windows 7 Pro.

How do I make precisely to capture all the packages passing in transit of a distant machine A of ip v4 XXX.XXX.XXX.XXX towards a distant machine B of ip v4 YYY.YYY.YYY.YYY, knowing that these 2 machines do not belong to the local area network but are very distant on the internet network?

Thanks

#velvet

asked 22 Aug '16, 15:50

Tercyanos
6●2●2●3
accept rate: 0%

One Answer:

If you have in mind that the traffic between A and B transits through your machine, and you want to capture only that traffic, use a capture filter host XXX.XXX.XXX.XXX and host YYY.YYY.YYY.YYY. If you want to capture all traffic and only show just the traffic between the A and B, use no capture filter and apply a display filter ip.addr == XXX.XXX.XXX.XXX and ip.addr == YYY.YYY.YYY.YYY.

If there is a NAT between the machine on which you capture and the internet, you'll need to change the capture filter to host XXX.XXX.XXX.XXX or host YYY.YYY.YYY.YYY, meaning that you would capture also traffic running between your machine and A or B which is not transited between them.

If the machines A and B have private addresses and there is a NAT in front of each of them, you'll need to use the public side addresses of the NATs in the capture filter.

If the traffic between them doesn't transit through your PC, and you don't have access to a machine on the path between then (including any of the two machines themselves), you are out of luck.

answered 23 Aug '16, 06:32

sindy
6.0k●4●8●51
accept rate: 24%