How To Set Up a Capture
The experience capturing your first packets can range from "it simply works" to "very strange problems". To avoid annoyances, the following gives you a step-by-step guide through this process.
The steps in this guide depend on each other to avoid combinations of problems which are hard to track down as a whole.
For this reason it's a very good idea to follow this guide literally step-by-step (don't start to read in the middle)!!!
Step 1: Are you allowed to do this?
In this step: Make sure you're allowed to do what you're going to do!
Ensure that you are allowed to capture packets from the network you are working on! For example, corporate policies or applicable law might prevent you from capturing on the network you're using!
If you have to change network cabling to start a capture, ensure that you are allowed to do so! Network administrators and other people are usually not amused with re-arrangements to "their" network.
Step 2: General Setup
Make sure you've thought about step 1!
In this step: Setup the machine's configuration to be able and allowed to capture.
/CaptureSupport - your operating system must support packet capturing, e.g. capture support is enabled / a capture driver is installed
/CapturePrivileges - you must have sufficient privileges to capture packets, e.g. special privileges allowing capturing as a normal user (preferred) or root / Administrator privileges
User's Guide about Time Zones your computer's time and time zone settings should be correct, so the time stamps captured are meaningful
Step 3: Capture traffic "sent to" and "sent from" your local machine
Make sure you've finished step 2!
In this step: Capturing "your own local traffic" is the easiest way to successfully capture your first traffic.
The traffic to and from your local machine is obviously available independent of your network topology, so you don't need to worry about the topology for now.
Choose the right interface to capture from (see /NetworkInterfaces) and start a capture. To avoid any side effects, don't use any shiny features like capture filters or multiple files for now.
At least after stopping the capture you should see some network traffic now!
Have a look at the captured packets and make sure you have captured both incoming and outgoing traffic before going to the next step!
/NetworkInterfaces - make sure that you've selected the right interface
Promiscuous mode - try both on or off, whatever works
/InterferingSoftware - low level networking software (e.g. VPN / (personal) firewall software) may cause trouble
/Offloading - how your NIC might skew your capture
no traffic - make sure you don't capture on a "silent" network with no traffic on it (if you really don't have any traffic: using an internet radio is a simple traffic generator)
Performance - what you can do if packet drops occur
If you still experience a problem after checking the above you may try to figure out if it's a Wireshark or a driver problem. Try to capture using TcpDump / WinDump - if that's working, it's a Wireshark problem - if not it's related to libpcap / WinPcap or the network card driver.
Step 4: Capture traffic destined for machines other than your own
Make sure you've finished step 3 successfully!
In this step: Capture traffic that is not intended for your local machine.
Make sure you capture from a location in the network where all relevant traffic will pass through:
/NetworkTopology - choose the right place in your network topology in order to get the required network traffic.
Promiscuous mode - must be switched on (this may not work with some WLAN cards on Win32!)
Step 5: Capture traffic using a remote machine
Make sure you've finished step 4 successfully!
In this step: Don't use your local machine to capture traffic as in the previous steps but use a remote machine to do so.
Remote Capturing is currently very limited:
/Pipes - using a UNIX pipe and use a different tool to capture from
RMON - use SNMP's RMON to capture - currently not supported ("Remote Packet Capture Using RMON" explains why it doesn't work well)
Of course, you can use Wireshark installed on a remote machine in combination with a remote control software (e.g. VNC, Windows Remote Desktop, ...).
XXX - explain special capture filter strings relevant to remote capturing!