Hi I've just started using wireshark and don't know what i'm doing!! I need to capture all traffic on our LAN going to a single ip address so that I can find individual pc's. As soon as I have the ip addresses I can do a lookup in DNS. Is this possible and if so how using the Wireshark GUI? Thanks asked 28 Jun '12, 07:47  xenolith5 |
2 Answers:
http://wiki.wireshark.org/DisplayFilters If I understand correctly, you can use the filter bar at the top of the Wireshark GUI to search for packets travelling to or from a particular ip address. Given an ip address xxx.xxx.xxx.xxx , you would input into the filter: You should get all packets that are travelling to and from that ip address/computer! answered 28 Jun '12, 11:12  Ian |
If you want to capture all traffic going to IPv4 address XXX.XXX.XXX.XXX, use Capture -> Options to start the capture, and specify a capture filter of If you want to capture all traffic going to and coming from that address, use If, however, you want to do a single capture and then look at it to find out traffic coming from multiple different PCs, capture without a capture filter and then use display filters for each of the machines, as Ian suggested. answered 28 Jun '12, 13:45  Guy Harris ♦♦ |
Thanks Ian and Guy, when I try both options I only see traffic from my interface not all lan traffic. In the capture options there is a tick next to promiscuous mode which I thought allowed all packets through. Is this due to routers and switches?
Gavin
Generally, Wireshark can interpret when packets go from a device to a switch/router, but depending on your setup (what device is plugged into which switch, and where is that switch plugged into), you may run into issues where the packets being analyzed by Wireshark appear to only be coming from the switch in between. What is your setup currently?