I have data captured from the WAN port of my router. is it possible to filter the data based on the MAC addresses of the computers using the router? is that information present in the packet? obviously, all the packets now have the MAC of the router itself.
asked 06 Mar '12, 06:37
No, the MAC address of a computer on the LAN side of the router is not present in the packets on the WAN side. If your router is doing NAT, then the LAN side IP address is not present either.
Some port-mirroring switches will allow you to mirror multiple source ports to a single destination port, so you could consider mirroring all the LAN ports to your Wireshark port, instead of the WAN port.
Obviously if you mirror four source ports to a single destination port, you can overwhelm the destination port if all of the source ports are passing traffic at or near their maximum rate, but this may not be a problem, depending on the traffic levels in your LAN. You could also mirror one LAN port at a time, and then change the mirroring as needed, although this will not allow simultaneous capture from all the LAN PCs.
Using this setup, you will capture local LAN traffic as well as traffic to and from the Internet, but you could filter on the router's MAC address to limit the capture, or display, to only traffic to or from the Internet.
This will show you all traffic through the router, but it will not show traffic arriving on the WAN side that gets dropped by the router, which may be the case if your router has firewall capabilities.
answered 06 Mar '12, 09:51
No, it's not present in the packet; you'd have to capture on the LAN side of the router, or filter based on the IP (or other network-layer) address.
answered 06 Mar '12, 09:48
Guy Harris ♦♦
Router is a Layer 3 it would only pass IP packets and would not pass any Layer 2 info(MAC) on the other side (WAN-to-LAN).
answered 07 Mar '12, 05:12