Professional Documents
Culture Documents
The experience capturing your first packets can range from "it simply works" to "very strange problems". To avoid
annoyances, the following gives you a step-by-step guide through this process.
The steps in this guide depend on each other to avoid combinations of problems which are hard to track down as a
whole.
For this reason it's a very good idea to follow this guide literally step-by-step (don't start to read in the middle)!!!
Contents
In this step: Make sure you're allowed to do what you're going to do!
Ensure that you are allowed to capture packets from the network you are working on! For example,
corporate policies or applicable law might prevent you from capturing on the network you're using!
If you have to change network cabling to start a capture, ensure that you are allowed to do so! Network
administrators and other people are usually not amused with re-arrangements to "their" network.
In this step: Setup the machine's configuration to be able and allowed to capture.
/CapturePrivileges - you must have sufficient privileges to capture packets, e.g. special privileges allowing
capturing as a normal user (preferred) or root / Administrator privileges
/CaptureSupport - your operating system must support packet capturing, e.g. capture support is enabled / a capture
driver is installed
User's Guide about Time Zones your computer's time and time zone settings should be correct, so the time stamps
captured are meaningful
Step 3: Capture traffic "sent to" and "sent from" your local machine
In this step: Capturing "your own local traffic" is the easiest way to successfully capture your first traffic.
The traffic to and from your local machine is obviously available independent of your network topology, so you don't
need to worry about the topology for now.
Choose the right interface to capture from (see /NetworkInterfaces) and start a capture. To avoid any side effects, don't
use any shiny features like capture filters or multiple files for now.
At least after stopping the capture you should see some network traffic now!
Have a look at the captured packets and make sure you have captured both incoming and outgoing traffic before going
to the next step!
Troubleshooting:
If you still experience a problem after checking the above you may try to figure out if it's a Wireshark or a driver
problem. Try to capture using TcpDump / WinDump - if that's working, it's a Wireshark problem - if not it's related to
libpcap / WinPcap or the network card driver.
Step 4: Capture traffic destined for machines other than your own
In this step: Capture traffic that is not intended for your local machine.
Make sure you capture from a location in the network where all relevant traffic will pass through:
/NetworkTopology - choose the right place in your network topology in order to get the required network traffic.
/NetworkMedia - there might be network media (/Ethernet, /PPP, ...) specific limitations
Promiscuous mode - must be switched on (this may not work with some WLAN cards on Win32!)
In this step: Don't use your local machine to capture traffic as in the previous steps but use a remote machine to do so.
/Pipes - using a UNIX pipe and use a different tool to capture from
/WinPcapRemote - using [WinPcap]'s remote capturing feature (rpcapd)
RMON - use SNMP's RMON to capture - currently not supported ("Remote Packet Capture Using RMON" explains
why it doesn't work well)
Of course, you can use Wireshark installed on a remote machine in combination with a remote control software (e.g.
VNC, Windows Remote Desktop, ...).
See Also
CategoryHowTo
https://wiki.wireshark.org/CaptureSetup 2/3
5/1/2018 CaptureSetup - The Wireshark Wiki
https://wiki.wireshark.org/CaptureSetup 3/3