I am trying to use Wireshark to monitor our internet usage. We have been maxing out on our bandwidth and I want to work out who is using it and why. If it's valid, we need to upgrade our internet pipe; if not, I need to stop the problem.
So I set up Wireshark on a spare Windows 7 machine that has two network cards, and set up port mirroring (RX and TX) on my switch (Netgear GS748T). This mirrors the port connected to the Internet router to the port connected to the Wireshark PC.
But after a few minutes of running Wireshark, all users on the switch lose internet connectivity. I can no longer ping my internet router. I have to stop and exit Wireshark to get internet connectivity back.
I have set Wireshark to use promiscuous mode.
What am I doing wrong?
BTW, I have set up Microsoft Network Monitor 3.4 on the same machine using the same port mirroring and it works without any problems. But I don't like using it. It's too difficult to get the info I need. Wireshark is much nicer to use. I don't run Wireshark and Network Monitor 3.4 at the same time.
asked 08 Feb '12, 02:44
Well, I removed all the protocols from the network adapter and I didn't have any problems this morning.
I will switch off DNS lookups also as it's not essential. Just makes it easier to read.
answered 09 Feb '12, 07:09
I doubt if the network settings are causing the problem as you say you can use the same machine with Netmon without a problem and you also say that when you stop Wireshark, but leave the Wireshark PC connected, the problem goes away.
This means Wireshark itself seems to do something that is frustrating all other traffic. Wireshark is capturing passively, so it should not be a problem. The only thing Wireshark will do on the network is perform (a lot of) reverse DNS lookups. Maybe that is causing your issue. You can disable name resolution (for the network layer) and see if that helps.
answered 08 Feb '12, 10:06
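An added example, not part of the original thread: a per-address byte tally over a saved capture that keeps addresses numeric, so finding the heaviest hosts generates no reverse DNS queries from the capture machine. It assumes a classic little-endian pcap file with Ethernet link type; the function names and the sample addresses are constructed for illustration.

```python
import struct
from collections import Counter

def ip(s):
    return bytes(int(p) for p in s.split("."))

def build_pcap(frames):
    """Build a constructed classic pcap (Ethernet/IPv4) from (src, dst, payload_len)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, plen in frames:
        iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0,
                            64, 17, 0, ip(src), ip(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + iphdr + b"\x00" * plen
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def top_talkers(pcap):
    """Return bytes on the wire per IPv4 address; addresses are never resolved."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    totals, off = Counter(), 24          # 24-byte global header
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                     # skip non-IPv4 or truncated frames
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        totals[src] += orig              # count the frame for both endpoints
        totals[dst] += orig
    return totals

# Constructed sample traffic (documentation and private address ranges).
SAMPLE = build_pcap([
    ("192.168.1.10", "203.0.113.5", 1000),
    ("192.168.1.10", "203.0.113.5", 1000),
    ("192.168.1.20", "198.51.100.7", 200),
    ("203.0.113.5", "192.168.1.10", 100),
])

if __name__ == "__main__":
    totals = top_talkers(SAMPLE)
    for addr, nbytes in totals.most_common():
        print(f"{addr:15} {nbytes} bytes")
    # Each distinct address is one PTR query if network name resolution is on.
    print(len(totals), "distinct addresses")
```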