How To Set Up a Capture

The experience capturing your first packets can range from "it simply works" to "very strange problems". To avoid annoyances, the following gives you a step-by-step guide through this process.

The steps in this guide depend on each other to avoid combinations of problems which are hard to track down as a whole.

For this reason it's a very good idea to follow this guide literally step-by-step (don't start to read in the middle)!!!

Step 1: Are you allowed to do this?

In this step: Make sure you're allowed to do what you're going to do!

Step 2: General Setup

Make sure you've thought about step 1!

In this step: Setup the machine's configuration to be able and allowed to capture.

Step 3: Capture traffic "sent to" and "sent from" your local machine

Make sure you've finished step 2!

In this step: Capturing "your own local traffic" is the easiest way to successfully capture your first traffic.

The traffic to and from your local machine is obviously available independent of your network topology, so you don't need to worry about the topology for now.

Choose the right interface to capture from (see /NetworkInterfaces) and start a capture. To avoid any side effects, don't use any shiny features like capture filters or multiple files for now.

At least after stopping the capture you should see some network traffic now!

Have a look at the captured packets and make sure you have captured both incoming and outgoing traffic before going to the next step!

Troubleshooting:

If you still experience a problem after checking the above you may try to figure out if it's a Wireshark or a driver problem. Try to capture using TcpDump / WinDump - if that's working, it's a Wireshark problem - if not it's related to libpcap / WinPcap or the network card driver.

Step 4: Capture traffic destined for machines other than your own

Make sure you've finished step 3 successfully!

In this step: Capture traffic that is not intended for your local machine.

Make sure you capture from a location in the network where all relevant traffic will pass through:

Step 5: Capture traffic using a remote machine

Make sure you've finished step 4 successfully!

In this step: Don't use your local machine to capture traffic as in the previous steps but use a remote machine to do so.

Remote Capturing is currently very limited:

Of course, you can use Wireshark installed on a remote machine in combination with a remote control software (e.g. VNC, Windows Remote Desktop, ...).

XXX - explain special capture filter strings relevant to remote capturing!

See Also


CaptureSetup (last edited 2013-06-05 17:04:56 by GuyHarris)