I am trying to use Wireshark to monitor our internet usage. We have been maxing out on our bandwidth and I want to work out who is using it and why. If it's valid, we need to upgrade our internet pipe; if not, I need to stop the problem.

So I set up Wireshark on a spare Windows 7 machine that has two network cards. And set up port mirroring (RA and TX) on my switch (Netgear GS748T). This mirrors the port connected to the internet router to the port connected to the Wireshark PC.

But after a few minutes of running Wireshark, all users on the switch lose internet connectivity. I can no longer ping my internet router. I have to stop and exit Wireshark to get internet connectivity back. I have set Wireshark to use promiscuous mode. What am I doing wrong?

BTW, I have set up Microsoft Network Monitor 3.4 on the same machine using the same port mirroring and it works without any problems. But I don't like using it. It's too difficult to get the info I need. Wireshark is much nicer to use. I don't run Wireshark and Network Monitor 3.4 at the same time.

Thanks,
Mark

asked 08 Feb '12, 02:44 marky

2 Answers:

Well, I removed all the protocols from the network adapter and I didn't have any problems this morning. I will switch off DNS lookups also as it's not essential. Just makes it easier to read. Thanks

answered 09 Feb '12, 07:09 marky

Glad to hear it worked (09 Feb '12, 07:53) Landi

I doubt if the network settings are causing the problem, as you say you can use the same machine with Netmon without a problem and you also say that when you stop Wireshark, but leave the Wireshark PC connected, the problem goes away. This means Wireshark itself seems to do something that is frustrating all other traffic.

Wireshark is capturing passively, so it should not be a problem. The only thing Wireshark will do on the network is perform (a lot of) reverse DNS lookups. Maybe that is causing your issue. You can disable name resolution (for the network layer) and see if that helps.

answered 08 Feb '12, 10:06 SYN-bit ♦♦

Hi, can you please tell me how to disable the name resolution? (12 Sep '13, 03:17) Paras Watts

Edit -> Preferences -> Name Resolution -> uncheck the top three items (12 Sep '13, 03:50) Jasper ♦♦

Have you unhooked all the protocols like TCP/IP, File sharing etc. in the capturing NIC's preferences?
Thanks for the reply.
Do you mean unticked them from the properties of the network adapter within Windows 7?
I have not unticked any of the protocols from the properties of the network adapter.
BTW, it is not just the Wireshark PC that loses contact with our internet router but all users on the network.
Yap, I understood you perfectly, but please untick every single protocol from that NIC with which you capture the data from the span port and see if the issue still exists. Please remember to unplug the card before you do so and then attach it to the switch again.
OK, Thanks. I will try that in the morning when I only have a few users online.