This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not seeing packets

0

First off, I only use wireless, so when selecting the network card there is only one that has traffic on it (pretty sure I'm not selecting the wrong one with such limited options).
Next I fill in a filter option (usually by port):

tcp.port == 23

Then I use the terminal (Mac 10.8) to open a telnet session.

But I see no traffic. If I turn off the filter I see traffic, but there is no way to see (if it is there) my telnet traffic.

This has to be a setting, I have had this working prior, and have similar problems when filtering for other traffic/ports.


dumpcap:

  1. en0 fe80::1240:f3ff:fe7f:d754,172.16.16.107 network
  2. utun0 10.2.201.228 network
  3. p2p0 network
  4. en2 fe80::1240:f3ff:fe7f:d754 network
  5. lo0 fe80::1,127.0.0.1,::1 loopback

UPDATE: Just tried this on my windows box and it worked fine.

I was wrong and do still need this. I don't understand what's wrong: default install and not seeing but a few packet types.

asked 21 Nov '12, 12:40


owengerig
1123
accept rate: 100%

edited 27 Nov '12, 10:47

do you telnet your own machine (where wireshark is running) or a different one?

(21 Nov '12, 12:47) Kurt Knochner ♦

telneting from my machine to another machine

(21 Nov '12, 12:55) owengerig

if you ping the remote machine, do you see that in Wireshark?

(21 Nov '12, 13:21) Kurt Knochner ♦

I don't think so, but I'm not sure how to filter ping traffic? I tried ip.addr == 127.0.0.1 with a continuous ping (to the 127 address) and NOTHING showed up.

(25 Nov '12, 08:10) owengerig

if you ping localhost (127.0.0.1), you will only see that if you capture on the loopback interface (lo). At least on linux it works that way.

But why did you ping the localhost address and not the remote address??

(25 Nov '12, 09:10) Kurt Knochner ♦

I used the filter for the remote IP (ip.addr == 10.8.30.141) and did the continuous ping but did not see anything.

(26 Nov '12, 07:05) owengerig

3 Answers:

0

I double-clicked on the adapter en0.

This brought up a menu I haven't seen before, and it let me uncheck Monitor Mode (which changes the Link-Layer header type from "802.11 plus radiotap header" to "Ethernet").

After changing those options you have to click Start.

After that everything worked (saw my packets).

Here is why this is strange, though. I went into Preferences and made sure Monitor Mode was off and that Ethernet was selected for the link-layer header type (even now it's set to that). However, whenever starting a new session with the Capture Options button, it seems to enable Monitor Mode and another link-layer header type by default. So my settings were negated by using the Capture Options start method.

answered 27 Nov '12, 11:12


owengerig
1123
accept rate: 100%

edited 27 Nov '12, 11:13

0

Have a look at the capture options before you start your capture. Chances are that (based on the DISPLAY environment variable) a capture filter is set against your host's traffic. Simply remove the capture filter and start the capture.

answered 22 Nov '12, 04:16


Jaap ♦
11.7k16101
accept rate: 14%

I posted an image of my filters but am still a little confused as to which one should be deleted? I have not added anything in here, so these should be defaults. Which ones can/should I delete? Like I said, these are defaults, so I don't think I really need any of them?

(25 Nov '12, 07:58) owengerig

I have since reinstalled Wireshark and most of those are gone. Still not working, though.

(26 Nov '12, 07:12) owengerig

0

I used the filter for the remote IP (ip.addr == 10.8.30.141) and did the continuous ping but did not see anything.

O.K. then you are (most certainly) capturing on the wrong interface. What is the output of the following command:

dumpcap -D -M

Regards
Kurt

answered 26 Nov '12, 08:29


Kurt Knochner ♦
24.8k1039237
accept rate: 15%
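As an added example (not part of this thread, and not Wireshark's own code): a small Python script that turns the "wrong interface" diagnosis above into a repeatable check. It parses an interface listing in the layout the question's update shows, finds the interface that owns a given local address, flags the two traps discussed in the comments (127.x traffic only appears on the loopback interface; a utun VPN tunnel may be where the packets really go), and builds the tshark command Kurt suggests, using a capture filter (-f) rather than a display filter. SAMPLE_LISTING is copied from the question's update and used as constructed offline input; the function names and the warning texts are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Interface listing in the layout the question's UPDATE shows (sudo dumpcap -D -M),
# embedded here as constructed offline input instead of running dumpcap.
SAMPLE_LISTING = """\
1. en0 fe80::1240:f3ff:fe7f:d754,172.16.16.107 network
2. utun0 10.2.201.228 network
3. p2p0 network
4. en2 fe80::1240:f3ff:fe7f:d754 network
5. lo0 fe80::1,127.0.0.1,::1 loopback
"""

# "<index>. <name> [<addr>,<addr>,...] <network|loopback>"; the address field is
# optional because p2p0 above has none.
LINE_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+(\S+))?\s+(network|loopback)\s*$")


@dataclass
class Interface:
    index: int
    name: str
    addresses: List[str]
    kind: str  # "network" or "loopback"


def parse_listing(text: str) -> List[Interface]:
    """Parse the interface listing into Interface records."""
    interfaces = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised interface line: {line!r}")
        index, name, addrs, kind = match.groups()
        addresses = addrs.split(",") if addrs else []
        interfaces.append(Interface(int(index), name, addresses, kind))
    return interfaces


def interface_for_address(interfaces: List[Interface], local_ip: str) -> Optional[Interface]:
    """Return the interface that owns local_ip, or None if no interface has it."""
    for iface in interfaces:
        if local_ip in iface.addresses:
            return iface
    return None


def check_target(iface: Interface, remote_ip: str) -> List[str]:
    """Sanity checks that explain an empty capture before a single packet is read."""
    problems = []
    if remote_ip.startswith("127.") and iface.kind != "loopback":
        problems.append(f"{remote_ip} is loopback traffic; capture on lo0, not {iface.name}")
    if not remote_ip.startswith("127.") and iface.kind == "loopback":
        problems.append(f"{iface.name} only carries local traffic, never packets to {remote_ip}")
    if iface.name.startswith("utun"):
        problems.append(f"{iface.name} is a VPN tunnel; if {remote_ip} is reached through the VPN, capture there")
    return problems


def capture_command(iface: Interface, remote_ip: str, count: int = 20) -> List[str]:
    """tshark invocation with a *capture* filter (-f, BPF syntax) for the remote host.
    -n disables name resolution; -c stops after `count` packets."""
    return ["tshark", "-n", "-i", iface.name, "-f", f"host {remote_ip}", "-c", str(count)]


if __name__ == "__main__":
    interfaces = parse_listing(SAMPLE_LISTING)
    # en0 holds 172.16.16.107, the interface the thread settles on capturing from.
    iface = interface_for_address(interfaces, "172.16.16.107")
    for problem in check_target(iface, "10.8.30.141"):
        print("warning:", problem)
    print(" ".join(capture_command(iface, "10.8.30.141")))
```

Run it as-is to see the check against the pasted listing; to use it on a live machine, replace SAMPLE_LISTING with the output of `sudo dumpcap -D -M` (reformatted into the same one-line-per-interface layout) and run the printed tshark command with sudo, as the comments below recommend.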

I type that in the terminal, correct? I get nothing back. And if I capture on all devices I still get nothing (from the ping test).

(26 Nov '12, 09:57) owengerig

Yes, in the terminal. No output at all? Did you try to run it with sudo?

sudo dumpcap -D -M

(26 Nov '12, 10:15) Kurt Knochner ♦

Sorry, didn't think to do sudo; see update for results.

(26 Nov '12, 10:38) owengerig

O.K. so, did you capture on en0?

(26 Nov '12, 11:59) Kurt Knochner ♦

Yes, and still nothing, regardless of whether I'm doing telnet or ping (10.8.30.141), with the filter ip.addr == 10.8.30.141.

(26 Nov '12, 12:15) owengerig

O.K., something different. Run tshark with sudo:

sudo tshark -ni en0 host 10.8.30.141

Then ping/telnet your host 10.8.30.141 in a second window. Do you see anything? If yes, try it without sudo. If that does not work, it's probably a privilege problem.

Then try to run Wireshark with sudo:

sudo wireshark -ni en0 host 10.8.30.141

Do you now see something?

BTW: Just by chance. There is a utun0 interface. You are not trying to ping something through a VPN tunnel, are you?

(26 Nov '12, 12:49) Kurt Knochner ♦

I have monitor and promiscuous modes enabled (tried disabling them, but it didn't help). Is this normal, though?

(27 Nov '12, 11:03) owengerig