This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

This is a question in relation to the following question and answer:

"Q 7.3: Why am I only seeing ARP packets when I try to capture traffic?

A: You're probably on a switched network, and running Wireshark on a machine that's not sending traffic to the switch and not being sent any traffic from other machines on the switch. ARP packets are often broadcast packets, which are sent to all switch ports."

I'm having the exact same problem this guy had but my question is, how exactly do I send traffic to the "switch," while having traffic from other machines being sent back to me?

I'm a total novice when it comes to working with computers, so I hope you'll take it easy on the heavy jargon. Thanks.

asked 05 Nov '11, 11:15

Iapologize


I'm not entirely sure what you're asking here - you "send traffic to the switch" by sending data on the network port attached to the switch, and you "have traffic from other machines ... sent back to [you]" by, well, having those machines send data to you on the network ports they have attached to the switch - so I'll start with an explanation of how a network switch works (focusing on Ethernet and Ethernet switches).

A "network switch" is a network device into which multiple network-connected devices (computers, printers, routers, etc.) are plugged. The "ports" on the switch are the connections into which the devices are plugged.

In Ethernets, for example, the original model was that you had a passive cable into which devices were plugged, and a signal sent by a device would be seen by all other devices connected to the cable. Only one device could use the cable at one time to transmit data; a device that had data to transmit would see whether there was already a signal on the cable from another device transmitting on the cable and, if not, would start transmitting data. If another device was already transmitting data, but that data hadn't yet reached the device that had data to transmit, the two signals would "collide" with each other, and any device listening for a signal would see a signal that looked like garbage. Therefore, any device transmitting data would also listen to the cable to see whether it could "hear" what it was "saying" and, if not, would assume that a collision would occur. If a collision is seen, a transmitting device would stop transmitting and wait a random amount of time (the Ethernet spec, as I remember, says how to choose the "random" amount) and then try again.

In this model, as only one device can use the cable at a time, if the cable could, for example, handle a maximum of 10 million bits (10 megabits) per second, no more than 10 million bits of data per second can be transmitted; if each machine on the network is trying to send 10 million bits of data per second, and there are 10 machines on the network, they will only be able to send, at most, 1 million bits of data per second (and, in reality, less than that).

The original speed for the Ethernet standard was 10 million bits per second; over time, the speed increased to 100 million bits per second, then 1 billion bits (1 gigabit) per second, and now 10 billion bits per second.

However, the speed of a network as a whole, if not the speed of an individual device's network connection, can be increased in another way. If, in effect, you could have separate Ethernets between each pair of devices on your network segment, each of those pairs of machines could use close to the full speed of an Ethernet.

That's what a switch does. If, for example, you have 16 devices plugged into the switch, and device 1 is transmitting to device 2 while device 3 is transmitting to device 4, each of those machines can transmit at close to the full speed of the Ethernet technology they're using.

The switch typically "learns" the Ethernet addresses of the devices plugged into its ports; if a device transmits a packet to the Ethernet address of another device, the switch "routes" the packets to the port for that Ethernet address, and not to any other port, so the path to the other port is available for other packets.

For packets that are broadcast on an Ethernet, they are sent to a special Ethernet address, the broadcast address; a broadcast packet is intended to be seen by all machines on an Ethernet segment, so the switch sends it to all ports.

On a non-switched network, as I said above, a signal sent by a device would be seen by all other devices connected to the cable. This means that if you are running a sniffer on a non-switched network, it could sniff all data on the network, even if it's being sent by another machine to yet another machine - if machine 1 is sending data to machine 2, machine 3 can see it. (It might have to put the Ethernet adapter into a special mode, "promiscuous mode", in which it sends to the computer all packets that it sees, even if they're not sent to the broadcast address, the Ethernet address of the adapter, or a "multicast" address the adapter is accepting.)

On a switched network, however, the switch does not arrange that all packets sent to the switch are sent out on all other ports on the switch. This means that if you are running a sniffer on a switched network, the only traffic you will see will be traffic your machine sends, traffic sent to your machine (meaning, in this case, sent to the Ethernet address of your machine's Ethernet adapter), and traffic sent to broadcast or multicast addresses (which are sent to all ports). So, if machine 1 is sending data to machine 2, machine 3 will not see it.

This makes it more difficult to, for example, monitor all traffic on a switched network, or watch traffic on the network to track down problems.

There are a number of solutions for this problem:

  • Some higher-end switches support something given names such as "port mirroring", in which a port on the switch is designated as a special "mirror port", and all traffic passing through the switch, or perhaps just all traffic to or from particular ports on the switch, is copied or "mirrored" and also sent to the mirror port. A machine running a sniffer program could be plugged into that port to watch that traffic.
  • A "tap" could be plugged into the connection between a machine and the switch, and a machine running a sniffer could be plugged into the tap, to watch all traffic to and from that machine.

The Wireshark Wiki has a page that discusses capturing traffic on Ethernets; that page discusses this issue.

So, if you just want to see network traffic, without caring what machines it's going to or from, the best way to do that is to send traffic from the machine running Wireshark (which will cause it to be sent to the switch, if the only network interface on your machine is plugged into that switch) to another machine that'll respond to that traffic (which will cause that machine to send you traffic, which will ultimately get sent to your machine by the switch). For example, open up a Web browser and go to, for example, ask.wireshark.org.

If, however, you're trying to see network traffic on your network that's not traffic to or from your machine, and you're on a switched network, you may have to use one of the techniques described in the Wireshark Wiki page I cited.

answered 05 Nov '11, 12:55

Guy Harris ♦♦
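
The behaviour described in the answer above, as an added example that is not part of the original answer: a small Python model of a hub, a learning switch, and a switch with a mirror port, showing which frames reach a sniffer plugged into port 3. The MAC addresses, port numbers and frame labels are constructed for illustration; flooding of frames sent to not-yet-learned addresses is standard switch behaviour that the answer does not go into.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
M1, M2 = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MAC addresses

# Constructed traffic: (ingress port, source MAC, destination MAC, label).
FRAMES = [
    (1, M1, BROADCAST, "ARP who-has from machine 1"),
    (2, M2, M1, "ARP reply from machine 2"),
    (1, M1, M2, "HTTP request 1->2"),
    (2, M2, M1, "HTTP response 2->1"),
]

class Switch:
    """Minimal learning switch; ports are numbers, frames are MAC pairs."""
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port
        self.mac_table = {}  # MAC address -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the set of ports the frame is sent out of."""
        self.mac_table[src] = in_port                # learn the sender's port
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]} - {in_port}  # known unicast: one port
        else:
            out = self.ports - {in_port}             # broadcast/unknown: flood
        if self.mirror_port is not None and in_port != self.mirror_port:
            out.add(self.mirror_port)                # mirror port gets a copy
        return out

def sniffer_view(forward, frames, sniffer_port):
    """Labels of the frames that are delivered to sniffer_port."""
    return [label for in_port, src, dst, label in frames
            if sniffer_port in forward(in_port, src, dst)]

def compare(frames=FRAMES, ports=(1, 2, 3), sniffer_port=3):
    """What a sniffer on sniffer_port captures in each kind of network."""
    hub = lambda in_port, src, dst: set(ports) - {in_port}  # shared medium
    return {
        "hub": sniffer_view(hub, frames, sniffer_port),
        "switch": sniffer_view(Switch(ports).forward, frames, sniffer_port),
        "switch+mirror": sniffer_view(
            Switch(ports, mirror_port=sniffer_port).forward, frames, sniffer_port),
    }

if __name__ == "__main__":
    for kind, seen in compare().items():
        print(f"{kind:14} sniffer sees {len(seen)} frame(s): {seen}")
```

On the plain switch the sniffer captures only the broadcast ARP request, which is the symptom in the question; on the hub and on the mirrored switch it captures all four frames.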

question asked: 05 Nov '11, 11:15

question was seen: 2,499 times

last updated: 05 Nov '11, 12:55