This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problems filtering by IP Address


I am using a Mac running 10.6.8 and I want to use Wireshark to see the packet transmission between other devices on the network, but I am having problems with this.

My current situation is that I am using ip.addr== 'then my IP address'. If I put my own IP address in, I can see all packets that are either sent or received by my IP address. If I apply the same to another IP address, for example an iPad, I can't see any TCP, HTTP packets etc... I get a lot of mDNS packets and these aren't really useful to me. A similar thing happens if I try to put in the IP address of another Mac on the same network. I see a lot of 'DropBox Discovery' packets again, not what I'm after.

Is there something that I'm doing wrong, or not doing at all, that means this isn't working?

I have also tried doing this on a wired ethernet connection and a wireless connection to the same network.

help please guys?

asked 12 Oct '11, 02:33


Gengisnicky31
accept rate: 0%


One Answer:


What you're experiencing is the fact that today's networks are switched networks, not shared like when we were using hubs. Meaning: packets for each communication are only forwarded to the ports the nodes talking with each other are connected to, while all other devices do not get the packets (because they're not meant for them anyway). That is why you only see your own stuff, plus broadcast/multicast like mDNS (Multicast DNS).

This is a pretty common situation when doing network captures. If you want to get around it and capture packets for other devices, you need to configure your switch to "copy" the packets to the port Wireshark is on. There are two drawbacks here: your switch needs to be manageable and provide a mirror/monitor/SPAN feature, and you might not be able to communicate yourself anymore as soon as you configure your own port to be a monitor port.

answered 12 Oct '11, 02:45


Jasper ♦♦
accept rate: 18%
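As an added example (not part of the original thread), here is a small Python check that classifies tshark field output into own unicast, broadcast/multicast and foreign unicast, so you can confirm whether a mirror/SPAN port is actually delivering other hosts' traffic. The capturing host's address and the sample lines are constructed; the tshark command in the docstring is the assumed source of such lines.

```python
"""Classify tshark field output to check whether a capture sees traffic
between *other* hosts (i.e. whether a SPAN/mirror port is working).

Lines are assumed to come from (example invocation, adjust the interface):
  tshark -i en0 -T fields -e eth.dst -e ip.src -e ip.dst -e _ws.col.Protocol
The sample below is constructed, not a real capture.
"""
from collections import Counter

MY_IP = "192.168.1.10"  # constructed: the capturing host's own address

# Constructed sample: mDNS and a Dropbox discovery broadcast from other
# hosts, the capturing host's own web traffic, and one packet between
# two *other* hosts that only a mirror port would deliver.
SAMPLE = """\
01:00:5e:00:00:fb\t192.168.1.20\t224.0.0.251\tMDNS
ff:ff:ff:ff:ff:ff\t192.168.1.30\t192.168.1.255\tDB-LSP-DISC
aa:bb:cc:dd:ee:01\t192.168.1.10\t203.0.113.5\tTCP
aa:bb:cc:dd:ee:02\t203.0.113.5\t192.168.1.10\tHTTP
aa:bb:cc:dd:ee:03\t192.168.1.20\t203.0.113.5\tTCP
"""


def is_group_address(mac: str) -> bool:
    """Broadcast/multicast frames have the I/G bit (LSB of octet 0) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def classify(eth_dst: str, ip_src: str, ip_dst: str, my_ip: str) -> str:
    """Bucket one packet by what a switch would normally let us see."""
    if is_group_address(eth_dst):
        return "broadcast/multicast"
    if my_ip in (ip_src, ip_dst):
        return "own unicast"
    return "foreign unicast"


def summarize(text: str, my_ip: str) -> Counter:
    """Count packets per bucket over tab-separated tshark field lines."""
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        eth_dst, ip_src, ip_dst, _proto = line.split("\t")
        counts[classify(eth_dst, ip_src, ip_dst, my_ip)] += 1
    return counts


def mirror_port_working(counts: Counter) -> bool:
    """On a switched network, foreign unicast appears only via a mirror port."""
    return counts["foreign unicast"] > 0
```

If the summary shows only "own unicast" and "broadcast/multicast", the symptom described in the question is exactly what a switch does by design, and the Wireshark display filter itself is not at fault.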

That explains a lot really. Thanks for your reply. Back to the drawing board I think... unless there are any other workarounds that are available/you know about?

(12 Oct '11, 02:58) Gengisnicky31

Well, you can also replace your switch with an old hub, but that will slow your network down. And if you're not on a stand-alone switch but one integrated into a router, you're more or less out of luck.

There are some not-so-nice techniques to get to packets of other nodes that require tools from the hacking community, for example Cain & Abel. With those you can do ARP cache poisoning and reroute packets to your own node, but this is a) an unfriendly act, and b) not a wise thing to do in network analysis situations because it messes with the network behavior.

(12 Oct '11, 03:03) Jasper ♦♦