This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

all packets

0

Are there packets Wireshark will not capture? I am trying to watch a link between my router and a destination server but I do not see the traffic. I seem to see quite a bit of traffic but not to the server the router is supposed to be sending to.

asked 11 Oct '12, 17:55

wrcooke
1222
accept rate: 0%

You've got to be a little more specific than this...

(11 Oct '12, 23:13) Jaap ♦

I wish I could be vastly more specific, but I see the app running on the router talking to a server, but Wireshark does not see that conversation. This is why I ask if there are packet types Wireshark cannot capture.

(12 Oct '12, 03:55) wrcooke

Do you mean you don't see any packets in Wireshark? Are you capturing on the correct interface? And what is this app you're talking about?

(12 Oct '12, 04:03) rakki

This is most likely a problem related to how the capture setup is done, so you should tell us how you are capturing the data. If you're just attached to the router, and the server has its own line, you'll not see much of their communication since it is switched.

(12 Oct '12, 04:28) Jasper ♦♦

I might be wrong about this, so someone please correct me if I am, but since Wireshark capture naturally runs above the kernel it can't capture packets that don't appear at higher levels. This may be due to a driver or something that maybe filters or redirects the packets. Could this possibly be the problem in your case?

(16 Oct '12, 22:30) SidR

One Answer:

0

but since Wireshark capture naturally runs above the kernel it can't capture packets that don't appear at higher levels.

Wireshark itself runs "above" the kernel (in userspace), but it has a direct "link" to the kernel via libpcap/WinPcap (dumpcap) and thus it will get all packets from the kernel, no matter which protocol level. However, there might be "interfering" software installed on the capturing device that filters packets before they are handed over to libpcap/WinPcap.

http://wiki.wireshark.org/CaptureSetup/InterferingSoftware

According to the description of the OP, I think the Capture Setup is not correct.

http://wiki.wireshark.org/CaptureSetup/Ethernet

Regards
Kurt

answered 17 Oct '12, 10:50

Kurt Knochner ♦
24.8k1039237
accept rate: 15%