OK, I am new to Wireshark so I am still learning... The problem I am having is: I start Wireshark and a gazillion lines appear, but it is only a few of the IP addresses on the network (maybe 10 IPs out of 1300!). I have tried changing the filter to TCP & HTTP and I still only see a few IPs; what am I doing wrong? asked 07 Dec '11, 07:32 clivethrust
2 Answers:
If you really have that many IP addresses to monitor, I'm going to assume that your network is mostly switched. You should check where in the network you are capturing from. It sounds like you have a small portion of the network on a hub or otherwise broadcast to a small group. You probably have something like this:
With this setup, you'll capture traffic for a small number of machines in the larger network. You should review your network topology to see if there would be a better place to capture traffic than where you are now. Check the Capture Setup article for some more information. answered 07 Dec '11, 08:14 multipleinte...
If the machine running Wireshark is plugged into a switch, there is no guarantee whatsoever that it will see all the traffic flowing through the switch; see the "Switched Ethernet" section of the "CaptureSetup/Ethernet" page of the Wireshark Wiki. answered 07 Dec '11, 11:30 Guy Harris ♦♦
I have connected the PC direct to the main switch and all traffic flows through this!
PC ---- switch ----- ALL IPs (only some visible)
This is a rural internet service; from the PC I am able to connect to all the Motorola Canopy equipment and I can trace (ping etc.) all customers' static IPs.
Fiber --- switch --- Backhaul --- Backhaul --- switch --- star BH | | PC
In that case, I suggest you check to see if your main switch will support spanning or mirroring to that port. I would heartily recommend against using Wireshark directly to monitor the volume of traffic that is certainly going over that switch. Check the Switched Ethernet section as Guy suggests.
Can I ask why you need to monitor all of this traffic? I suspect you could diagnose problematic network behavior more easily somewhere else in the topology.
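Both answers above come down to the same check: on an ordinary switch port you only receive frames addressed to your own MAC plus broadcast/multicast floods, so a capture taken there is dominated by your own host's conversations. The script below is an added example (not from the original thread or from the Wireshark project) that reads a classic pcap file, counts distinct IPv4 addresses, and reports how many packets involve the capturing host, are broadcasts, or are genuine third-party unicast. If third-party unicast is zero, the port is almost certainly not a SPAN/mirror port. The sample captures, the host address 192.0.2.10 and the MAC addresses are constructed for the example; point `capture_view()` at a real file by reading its bytes.

```python
"""Is this pcap the view from a plain (non-mirrored) switch port?"""
import ipaddress
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
BROADCAST_MAC = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Build an Ethernet/IPv4 frame; checksum is left zero since we only parse addresses."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + payload


def build_pcap(frames):
    """Classic little-endian pcap (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_323_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_frames(pcap):
    """Yield raw link-layer frames from a classic pcap (pcapng is not handled here)."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:   # file was written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(end + "I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type is supported")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame):
    """Return (src_ip, dst_ip, is_broadcast) for an IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    return src, dst, frame[:6] == BROADCAST_MAC


def capture_view(pcap, capture_host_ip):
    """Classify every IPv4 packet: ours, broadcast flood, or third-party unicast."""
    ips = Counter()
    own = broadcast = third_party = 0
    for frame in iter_frames(pcap):
        ep = ipv4_endpoints(frame)
        if ep is None:
            continue
        src, dst, is_bcast = ep
        ips[src] += 1
        ips[dst] += 1
        if capture_host_ip in (src, dst):
            own += 1
        elif is_bcast:
            broadcast += 1
        else:
            third_party += 1
    return {
        "distinct_ips": len(ips),
        "own": own,
        "broadcast": broadcast,
        "third_party": third_party,
        # Only our own traffic and floods: no mirroring is reaching this port.
        "looks_unmirrored": third_party == 0 and (own + broadcast) > 0,
    }


# Constructed sample frames (TEST-NET addresses, locally administered MACs).
HOST_IP, HOST_MAC = "192.0.2.10", "02:00:00:00:00:10"
_common = [
    ipv4_frame(HOST_MAC, "02:00:00:00:00:01", HOST_IP, "192.0.2.1"),
    ipv4_frame("02:00:00:00:00:01", HOST_MAC, "192.0.2.1", HOST_IP),
    ipv4_frame(HOST_MAC, "02:00:00:00:00:01", HOST_IP, "198.51.100.7"),
    ipv4_frame("02:00:00:00:00:55", "ff:ff:ff:ff:ff:ff", "192.0.2.55", "255.255.255.255"),
]
SAMPLE_UNMIRRORED = build_pcap(_common)
SAMPLE_MIRRORED = build_pcap(_common + [
    ipv4_frame("02:00:00:00:00:20", "02:00:00:00:00:30", "192.0.2.20", "192.0.2.30"),
])

if __name__ == "__main__":
    # For a real capture: capture_view(open("capture.pcap", "rb").read(), "your.ip.here")
    print(capture_view(SAMPLE_UNMIRRORED, HOST_IP))
    print(capture_view(SAMPLE_MIRRORED, HOST_IP))
```

Run it against a short capture from the port in question; a result with `third_party` of zero confirms the diagnosis in the answers, and the next step is a mirror/SPAN port or a tap rather than a different display filter (filters only hide what was captured, they cannot reveal frames the switch never sent you).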