Rookie wireshark question

asked 2021-06-22 21:49:48 +0000

updated 2021-06-23 11:54:02 +0000

Hello everyone,

A couple of months ago, I was playing with wireshark. The capture was running smoothly, showing the traffic of my machines, either being TCP or UDP, showing destination IPs, source IPs etc.

I launched it again today, and for some reason it captures only UDP traffic. The captured packets in the screenshot are supposed to be Facebook and YouTube searches.

I searched the internet but I couldn't find a reason. I even installed the new kali linux 2021.2 .ova file and still had the same results.

Any recommendations and explanations will be greatly appreciated.

My setup is: 1 windows laptop, 1 windows desktop, 1 kali linux 2021.2 on virtual box, 1 ubuntu 21.1 on virtual box. All connected to the same router via ethernet.

Thank you in advance

Is remote mouse installed? Remote mouse uses UDP ports 2007 and 2008.

BigFatCat ( 2021-06-23 09:08:07 +0000 )

All the traffic in your capture is broadcast, have you disabled promiscuous mode on the capture interface?

grahamb ( 2021-06-23 09:15:23 +0000 )

BigFatCat: Remote Mouse is indeed installed on my laptop. grahamb: It was enabled; I disabled it and it is still showing only UDP traffic.

Iason Demertzidis ( 2021-06-23 11:55:34 +0000 )

You need promiscuous mode enabled to capture traffic not destined for your machine. What is your capture machine connected to, a switch port, a tap or something else?

grahamb ( 2021-06-23 13:07:56 +0000 )

Some more questions:

  • What machine are the VB VMs on?
  • Can you give a model name for the router? It's likely to be acting as a switch.
  • Which machine(s)' traffic are you expecting/hoping to see?

grahamb ( 2021-06-23 15:14:43 +0000 )

The virtual machines (ubuntu and kali) are on the windows desktop pc. Everything is connected to a D-Link switch. The router is speedport entry 2i.

I installed Wireshark on the Windows desktop. It shows everything fine, except the laptop's traffic, which still shows only UDP.

The idea is to monitor the traffic from the Windows laptop and Ubuntu VM, try to find information by sniffing and decrypting the packets, maybe perform a MitM attack, in order to finally find a vulnerability of some sort and infect them with malware.

Iason Demertzidis ( 2021-06-23 15:46:12 +0000 )

answered 2021-06-23 16:41:12 +0000

grahamb

You will only see the broadcast traffic from the laptop as it's a switched network, unless you can set the D-Link switch into monitor or SPAN (port mirroring) mode. See the Wiki page on Ethernet Capture for more info.
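A quick way to confirm this diagnosis from a saved capture, as an added example that is not part of the original answer: classify every frame by destination type (broadcast, multicast, unicast) and transport protocol, and then check whether any unicast frame passes between two hosts other than the capturing machine. On an unmirrored switch port you will see flooded broadcast/multicast frames (ARP, SSDP, Remote Mouse discovery and the like, which is why "only UDP" appears) plus the capture host's own unicast traffic, but never unicast between two other hosts. The pcap below is constructed inline with made-up MAC and IP addresses so the script runs offline; the MAC values and the `DESKTOP_MAC`-as-capture-host assumption are hypothetical, not values from the thread.

```python
"""Classify pcap frames by destination type and transport, and check for
unicast traffic between hosts other than the capture host.

Assumption: classic libpcap files carrying Ethernet frames (link type 1).
The sample frames and addresses below are constructed for illustration.
"""
import struct
from collections import Counter

BROADCAST_MAC = b"\xff" * 6

# Constructed (hypothetical) addresses for the hosts discussed in the thread.
LAPTOP_MAC = bytes.fromhex("0a0000000001")
DESKTOP_MAC = bytes.fromhex("0a0000000002")   # assumed to be the host running Wireshark
ROUTER_MAC = bytes.fromhex("0a0000000003")
SSDP_MAC = bytes.fromhex("01005e7ffffa")      # multicast MAC for 239.255.255.250


def _ipv4(src_ip, dst_ip, proto, payload):
    """Minimal 20-byte IPv4 header; checksum left at zero in this sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src_ip, dst_ip) + payload


def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


def build_pcap(frames):
    """Wrap raw Ethernet frames in a little-endian pcap file (constructed input)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1624400000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw Ethernet frames from a classic pcap file of either byte order."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def dst_class(frame):
    dst = frame[0:6]
    if dst == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if dst[0] & 0x01 else "unicast"   # group bit of first octet


def transport(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x0800 and len(frame) >= 34:
        return {1: "ICMP", 6: "TCP", 17: "UDP"}.get(frame[23], "IP/%d" % frame[23])
    return "ethertype-0x%04x" % ethertype


def summarize(pcap):
    """Counter keyed by (destination class, transport), e.g. ('broadcast', 'ARP')."""
    return Counter((dst_class(f), transport(f)) for f in iter_frames(pcap))


def foreign_unicast_seen(pcap, own_macs):
    """True if any unicast frame is between two hosts other than the capture host.
    False on an unmirrored switch port, True once the switch mirrors the other port."""
    for f in iter_frames(pcap):
        if dst_class(f) == "unicast" and f[0:6] not in own_macs and f[6:12] not in own_macs:
            return True
    return False


UDP_HDR = struct.pack("!HHHH", 1900, 1900, 8, 0)                         # SSDP, no payload
TCP_HDR = struct.pack("!HHIIBBHHH", 50000, 443, 0, 0, 0x50, 0x02, 65535, 0, 0)  # bare SYN

FRAMES_COMMON = [
    _eth(BROADCAST_MAC, LAPTOP_MAC, 0x0806, bytes(28)),                                    # laptop ARP
    _eth(SSDP_MAC, LAPTOP_MAC, 0x0800,
         _ipv4(bytes([192, 168, 1, 10]), bytes([239, 255, 255, 250]), 17, UDP_HDR)),       # laptop SSDP
    _eth(ROUTER_MAC, DESKTOP_MAC, 0x0800,
         _ipv4(bytes([192, 168, 1, 20]), bytes([192, 168, 1, 1]), 6, TCP_HDR)),            # desktop's own TCP
]
LAPTOP_TCP = _eth(ROUTER_MAC, LAPTOP_MAC, 0x0800,
                  _ipv4(bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]), 6, TCP_HDR))

PCAP_SWITCHED = build_pcap(FRAMES_COMMON)                 # what an unmirrored port shows
PCAP_MIRRORED = build_pcap(FRAMES_COMMON + [LAPTOP_TCP])  # what a SPAN/mirror port adds

if __name__ == "__main__":
    for name, pcap in (("switched", PCAP_SWITCHED), ("mirrored", PCAP_MIRRORED)):
        print(name, dict(summarize(pcap)),
              "foreign unicast seen:", foreign_unicast_seen(pcap, {DESKTOP_MAC}))
```

Pointed at a real file (`iter_frames(open(path, "rb").read())`) with `own_macs` set to the capture host's MAC, a result of `False` together with broadcast/multicast-only entries for the other hosts in `summarize()` is exactly the pattern this thread describes, and the fix is on the switch (mirror/SPAN or a tap), not in Wireshark's settings.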

Thank you very much for your help again!

Iason Demertzidis ( 2021-06-25 10:39:59 +0000 )

