I want to capture and display the UDP traffic on a certain port using I have two computers both running CentOS 7. I built from sources latest Wireshark 2.2.6 following the tutorial here: http://blog.jeffli.me/blog/2016/08/14/build-latest-wireshark-in-centos-7/ I installed the resulting RPMs on both computers. After that I ran (as root) the following
Then I ran the following on computer A (that's my desktop computer, running CentOS 7 in graphical mode):
That's exactly what I need. Now.. I did exactly the same test on computer B (this is the remote computer running CentOS 7 in text mode), just the IP is different there.
I'm using the same I have no idea what could cause this different behavior of computer A vs B. What could prevent

[Edit] I shared one capture from each computer below so you can compare them:

Computer A: https://goo.gl/kAyOrr
Computer B: https://goo.gl/Cuu8I9

I made the captures by running the following line on each computer:
Then I sent two test messages on each computer:
asked 24 Apr '17, 23:52 ciprian, edited 25 Apr '17, 05:14
2 Answers:
Try enabling the data dissector's preference to show the data as text:
answered 25 Apr '17, 08:15 cmaynard ♦♦

Excellent! That (25 Apr '17, 11:33) ciprian

Great! By the way, if you don't want to have to specify that option on the command-line each time, you can permanently set it in Wireshark via (25 Apr '17, 11:39) cmaynard ♦♦

There is no graphical interface on the remote Linux host. But I'm fine with specifying that option in the command. (26 Apr '17, 02:04) ciprian

Well, you can also change it by directly editing the Wireshark I only mention this for the benefit of anyone who might not necessarily want to specify extra options on the command-line. (26 Apr '17, 07:36) cmaynard ♦♦
Both captures display the data for me, but as I'm using a single version of wireshark for both captures, this leads me even more strongly to think that there is something different about the setup on computer B. Have you tried using computer B to display the capture from computer A, e.g. If this still doesn't display the data text, then either the application or the preferences must be different on B.

answered 25 Apr '17, 06:10 grahamb ♦

I ran the suggested command four times, two times on each of the two computers A and B, using alternatively both .pcap files. data.text was never displayed, no matter the computer or pcap file. And where to look for those preferences? I have exactly the same wireshark version on both computers. (25 Apr '17, 06:26) ciprian

Try letting tshark show the complete info to see what it is being dissected as:
(25 Apr '17, 06:44) grahamb ♦
The data.text field is usually populated when no dissector can actually dissect the packet as a "fallback". It's possible that the host that doesn't display the message is dissecting it as something else, maybe down to a different preference.
Can you share captures from host A & B in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.?
I edited my question as you suggested and I added the captured files.
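
Added example, not part of the original thread: one way to test the "different preference" theory raised above is to diff the explicitly set values in each host's Wireshark preferences file. The two file bodies below are constructed samples, the function names are hypothetical, and the `name: value` layout with `#`-commented defaults and indented continuation lines is an assumption about how Wireshark writes that file.

```python
# Added example: compare explicitly set Wireshark preferences of two hosts.
# Assumption: settings are "name: value" lines, defaults are kept as
# "#"-commented lines, and long values continue on indented lines.

def parse_prefs(text):
    """Return {name: value} for settings that are explicitly set."""
    prefs, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            last = None          # blank line or commented default
            continue
        if raw[0] in " \t" and last is not None:
            prefs[last] += " " + raw.strip()   # continuation of a value
            continue
        name, sep, value = raw.partition(":")
        last = name.strip() if sep else None
        if last:
            prefs[last] = value.strip()
    return prefs

def _norm(value):
    """Booleans are case-insensitive; everything else compares exactly."""
    if value is not None and value.upper() in ("TRUE", "FALSE"):
        return value.upper()
    return value

def diff_prefs(text_a, text_b):
    """Return {name: (value_a, value_b)}; None means 'left at default'."""
    a, b = parse_prefs(text_a), parse_prefs(text_b)
    return {n: (a.get(n), b.get(n))
            for n in sorted(set(a) | set(b))
            if _norm(a.get(n)) != _norm(b.get(n))}

# Constructed sample contents, not taken from the hosts in this thread.
HOST_A = """\
# Show not dissected data as text
#data.show_as_text: FALSE
data.show_as_text: TRUE
udp.check_checksum: FALSE
"""
HOST_B = """\
#data.show_as_text: FALSE
udp.check_checksum: false
"""

if __name__ == "__main__":
    for name, (va, vb) in diff_prefs(HOST_A, HOST_B).items():
        print(f"{name}: A={va or '(default)'} B={vb or '(default)'}")
```

A setting that appears on only one side is reported with `None` for the other host, which is the case to look for when one machine shows `data.text` and the other does not.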