I am using a machine which is connected through LAN. If i will install Wireshark on my machine, will it capture the Network traffic of the entire network connected to the LAN? or it is only specific to the machine where it is installed. Thanks, Smruti asked 03 Sep '12, 22:28  Smruti Ranja... edited 04 Sep '12, 04:09  grahamb ♦ |
2 Answers:
It might. It depends on exactly what your LAN cable connects to on the other end and if your network card (and drivers) can be set into promiscuous mode. If it's a port on a switch then you'll only see your own traffic, and broadcast traffic from the LAN. If it's a hub then you should see all LAN traffic. See the Capture Setup page (and the other associated pages) on the wiki for more info. answered 04 Sep '12, 02:04 grahamb ♦ |
In all likelihood, it will only see traffic your machine is participating in, or which is broadcast to all machines. The reason for this is that for years, most LANs have been built based on switched Ethernet technology, as opposed to hub-based Ethernet or bus-based networking. In those older technologies, every machine on the LAN saw all traffic, purely because they were all electrically connected to each other. With switched Ethernet, the switch makes decisions about which packets to send to which ports. This makes the network faster and slightly more secure. (Switched Ethernet isn't a very good security measure, because it's easy to defeat with ARP poisoning.) Now, maybe it is possible you are still on a hub-based Ethernet, or similar. That can only be the case with 100 Mbit/s and slower networks. Part of the Gigabit Ethernet spec is a requirement for switches. You won't find a GigE hub. I should also note that wireless networking effectively behaves like LANs of old: every machine connected to a given Wi-Fi network can see all traffic, purely due to the nature of radio communication. If you are on a wired LAN with managed switches and you have administrative access to those switches, you will probably find a feature you can enable in them called port mirroring. That feature exists specifically to restore the older pre-switched LAN behavior: it designates one port as special, directing copies of all traffic to it, even packets not aimed at MAC addresses connected to that port. answered 04 Sep '12, 02:12  Warren Young edited 04 Sep '12, 02:14 |
Thanks for your response. Then i can conclude that the tool will only capture the traffic specific to a single machine where it is installed. And it will also capture the interaction of the machine with other machine over the network though more number of machines are placed in the same LAN.
Please correct me if i am wrong.
I covered this above. If you have switched Ethernet and they're dumb switches or they're managed by you don't have admin access, and you can't trick other machines into talking through you in MitM fashion with ARP poisoning....then yes. You should read those Wikipedia articles I linked to. It will clear up even more of this.
Thanks for the info..
yes.. thanks for the valuable time u have spent.