5/1/2018 CaptureSetup - The Wireshark Wiki

How To Set Up a Capture

The experience capturing your first packets can range from "it simply works" to "very strange problems". To avoid
annoyances, the following gives you a step-by-step guide through this process.

The steps in this guide depend on each other to avoid combinations of problems which are hard to track down as a
whole.

For this reason it's a very good idea to follow this guide literally step-by-step (don't start to read in the middle)!!!

Contents

1. How To Set Up a Capture

1. Step 1: Are you allowed to do this?
2. Step 2: General Setup
3. Step 3: Capture traffic "sent to" and "sent from" your local
machine
4. Step 4: Capture traffic destined for machines other than your
own
5. Step 5: Capture traffic using a remote machine
6. See Also

Step 1: Are you allowed to do this?

In this step: Make sure you're allowed to do what you're going to do!

Ensure that you are allowed to capture packets from the network you are working on! For example,
corporate policies or applicable law might prevent you from capturing on the network you're using!
If you have to change network cabling to start a capture, ensure that you are allowed to do so! Network
administrators and other people are usually not amused with re-arrangements to "their" network.

Step 2: General Setup

Make sure you've thought about step 1!

In this step: Setup the machine's configuration to be able and allowed to capture.

/CapturePrivileges - you must have sufficient privileges to capture packets, e.g. special privileges allowing
capturing as a normal user (preferred) or root / Administrator privileges
/CaptureSupport - your operating system must support packet capturing, e.g. capture support is enabled / a capture
driver is installed
User's Guide about Time Zones your computer's time and time zone settings should be correct, so the time stamps
captured are meaningful

Step 3: Capture traffic "sent to" and "sent from" your local machine

Make sure you've finished step 2!

In this step: Capturing "your own local traffic" is the easiest way to successfully capture your first traffic.

The traffic to and from your local machine is obviously available independent of your network topology, so you don't
need to worry about the topology for now.

Choose the right interface to capture from (see /NetworkInterfaces) and start a capture. To avoid any side effects, don't
use any shiny features like capture filters or multiple files for now.

At least after stopping the capture you should see some network traffic now!

Have a look at the captured packets and make sure you have captured both incoming and outgoing traffic before going
to the next step!

Troubleshooting:

/NetworkInterfaces - make sure that you've selected the right interface

/NetworkMedia - there might be network media (/Ethernet, /PPP, ...) specific limitations
https://wiki.wireshark.org/CaptureSetup 1/3
5/1/2018 CaptureSetup - The Wireshark Wiki

Promiscuous mode - try both on or off, whatever works

/InterferingSoftware - low level networking software (e.g. VPN / (personal) firewall software) may cause trouble
/Offloading - how your NIC might skew your capture
no traffic - make sure you don't capture on a "silent" network with no traffic on it (if you really don't have any
traffic: using an internet radio is a simple traffic generator)
Performance - what you can do if packet drops occur

If you still experience a problem after checking the above you may try to figure out if it's a Wireshark or a driver
problem. Try to capture using TcpDump / WinDump - if that's working, it's a Wireshark problem - if not it's related to
libpcap / WinPcap or the network card driver.

Step 4: Capture traffic destined for machines other than your own

Make sure you've finished step 3 successfully!

In this step: Capture traffic that is not intended for your local machine.

Make sure you capture from a location in the network where all relevant traffic will pass through:

/NetworkTopology - choose the right place in your network topology in order to get the required network traffic.
/NetworkMedia - there might be network media (/Ethernet, /PPP, ...) specific limitations
Promiscuous mode - must be switched on (this may not work with some WLAN cards on Win32!)

Step 5: Capture traffic using a remote machine

Make sure you've finished step 4 successfully!

In this step: Don't use your local machine to capture traffic as in the previous steps but use a remote machine to do so.

Remote Capturing is currently very limited:

/Pipes - using a UNIX pipe and use a different tool to capture from
/WinPcapRemote - using [WinPcap]'s remote capturing feature (rpcapd)
RMON - use SNMP's RMON to capture - currently not supported ("Remote Packet Capture Using RMON" explains
why it doesn't work well)

Of course, you can use Wireshark installed on a remote machine in combination with a remote control software (e.g.
VNC, Windows Remote Desktop, ...).

XXX - explain special capture filter strings relevant to remote capturing!

See Also

Capturing on Ethernet Networks

Capturing on 802.11 Wireless Networks
Capturing on Token Ring Networks
Capturing on VLAN Protected Networks
Capturing on PPP Networks
Capturing on the Loopback Device
Capturing on Frame Relay Networks
Capturing DOCSIS Traffic
Capturing Bluetooth Traffic
Capturing on ATM Networks
Capturing USB Traffic
Capturing IrDA Traffic
Capturing on Cisco HDLC Networks
Capturing SS7 Traffic

CategoryHowTo

CaptureSetup (last edited 2013-06-05 17:04:56 by GuyHarris)

https://wiki.wireshark.org/CaptureSetup 2/3
5/1/2018 CaptureSetup - The Wireshark Wiki

https://wiki.wireshark.org/CaptureSetup 3/3