This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have data captured from the WAN port of my router. is it possible to filter the data based on the MAC addresses of the computers using the router? is that information present in the packet? obviously, all the packets now have the MAC of the router itself.

asked 06 Mar '12, 06:37

gamba's gravatar image

gamba
6335
accept rate: 0%


No, the MAC address of a computer on the LAN side of the router is not present in the packets on the WAN side. If your router is doing NAT, then the LAN side IP address is not present either.

Some port-mirroring switches will allow you to mirror multiple source ports to a single destination port, so you could consider mirroring all the LAN ports to your Wireshark port, instead of the WAN port.

Obviously if you mirror four source ports to a single destination port, you can overwhelm the destination port if all of the source ports are passing traffic at or near their maximum rate, but this may not be a problem, depending on the traffic levels in your LAN. You could also mirror one LAN port at a time, and then change the mirroring as needed, although this will not allow simultaneous capture from all the LAN PCs.

Using this setup, you will capture local LAN traffic as well as traffic to and from the Internet, but you could filter on the router's MAC address to limit the capture, or display, to only traffic to or from the Internet.

This will show you all traffic through the router, but it will not show traffic arriving on the WAN side that gets dropped by the router, which may be the case if your router has firewall capabilities.

permanent link

answered 06 Mar '12, 09:51

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

No, it's not present in the packet; you'd have to capture on the LAN side of the router, or filter based on the IP (or other network-layer) address.

permanent link

answered 06 Mar '12, 09:48

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Router is a Layer 3 it would only pass IP packets and would not pass any Layer 2 info(MAC) on the other side (WAN-to-LAN).

permanent link

answered 07 Mar '12, 05:12

pfu's gravatar image

pfu
1
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×58
×40
×36

question asked: 06 Mar '12, 06:37

question was seen: 6,907 times

last updated: 07 Mar '12, 05:12

p​o​w​e​r​e​d by O​S​Q​A