This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ok, I am new to Wireshark so I am still learning...

The problem I am having is:

I start Wireshark and a gazillion lines appear - but it is only a few of the IP addresses on the network (maybe 10 IPs out of 1300!). I have tried changing the filter to TCP & HTTP and I still only see a few IPs. What am I doing wrong?

asked 07 Dec '11, 07:32


clivethrust


If you really have that many IP addresses to monitor, I'm going to assume that your network is mostly switched. You should check where in the network you are capturing from. It sounds like you have a small portion of the network on a hub or otherwise broadcast to a small group. You probably have something like this:

YOU ------+HUB+-----+SWITCH+----{The rest of the network}
           +++
           |||
COMPUTER---+|+---COMPUTER
COMPUTER----+

With this setup, you'll capture traffic for a small number of machines in the larger network. You should review your network topology to see if there would be a better place to capture traffic than where you are now. Check the Capture Setup article for some more information.


answered 07 Dec '11, 08:14


multipleinte...

I have connected the PC direct to the main switch and all traffic flows through this!

PC ---- switch ----- ALL IPs (only some visible)

This is a rural internet service. From the PC I am able to connect to all the Motorola Canopy equipment and I can trace (ping etc.) all customers' static IPs.

Fiber --- switch --- Backhaul --- Backhaul --- switch --- star BH | | PC

(07 Dec '11, 10:41) clivethrust

In that case, I suggest you check to see if your main switch will support spanning or mirroring to that port. I would heartily recommend against using Wireshark directly to monitor the volume of traffic that is certainly going over that switch. Check the Switched Ethernet section as Guy suggests.

Can I ask why you need to monitor all of this traffic? I suspect you could diagnose problematic network behavior more easily somewhere else in the topology.

(07 Dec '11, 11:57) multipleinte...

If the machine running Wireshark is plugged into a switch, there is no guarantee whatsoever that it will see all the traffic flowing through the switch; see the "Switched Ethernet" section of the "CaptureSetup/Ethernet" page of the Wireshark Wiki.


answered 07 Dec '11, 11:30


Guy Harris ♦♦
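
A way to check what the answers above describe, as an added example that is not part of the original thread and is not Wireshark code: the script reads a classic pcap file and counts frames by why a switch would deliver them to the capture port. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify(pcap: bytes, my_mac: bytes) -> Counter:
    """Count Ethernet frames in a classic pcap by why the capture port saw them."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian file
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24        # records follow the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            counts["truncated"] += 1
            continue
        dst, src = frame[:6], frame[6:12]
        if my_mac in (dst, src):
            counts["own"] += 1                  # traffic to or from this host
        elif dst[0] & 1:
            counts["flooded"] += 1              # broadcast/multicast reaches every port
        else:
            counts["third_party_unicast"] += 1  # only seen via hub, mirror port or flooding
    return counts

def build_pcap(frames) -> bytes:
    """Wrap raw Ethernet frames in a little-endian pcap (used for constructed samples)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample: MAC addresses and frames are made up for illustration.
ME, A, B = (bytes.fromhex("02000000000" + d) for d in "123")
BCAST = b"\xff" * 6
SAMPLE = build_pcap([
    BCAST + A + b"\x08\x06" + bytes(28),   # ARP request from A (broadcast)
    A + ME + b"\x08\x00" + bytes(20),      # this host -> A
    ME + A + b"\x08\x00" + bytes(20),      # A -> this host
    BCAST + B + b"\x08\x06" + bytes(28),   # ARP request from B (broadcast)
])

if __name__ == "__main__":
    print(dict(classify(SAMPLE, ME)))
```

A capture in which `third_party_unicast` stays at or near zero shows the switch is delivering only this host's own traffic plus broadcast and multicast, which is why only a few IP addresses appear until the port is set up as a span or mirror port.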

question asked: 07 Dec '11, 07:32

question was seen: 3,159 times

last updated: 07 Dec '11, 11:57
