Wireshark monitor options

MarkRaats · 06-16-2011, 07:40 AM

Hello,

Ive a server with 2 nics. I can monitor them both so thats not the problem.
What do I want?

If I ping or visit a website at 10.0.0.11 (is the ip address of nic1) I saw it in wireshark
if I ping or visit a website at 192.1.1.101 (is the ip address of nic2) I saw it in wireshark

But
If i ping or visit a website at 10.0.0.12 or at 192.1.1.100 wireshark dont monitor that... how can I monitor the whole IP range like 10.0.0.10 to 10.0.0.15 and 192.1.1.100 to 192.1.1.200 or something like that?

Greets Mark

kbp · 06-16-2011, 07:46 AM

Wireshark doesn't care about the network range, just the interface to watch for traffic on. If you want to see the communication between your machine and a website on the 10.0.0.x network for example, then you'll need wireshark to listen on the interface that the traffic will be sent out - nic1 in this case.

ambrop7 · 06-16-2011, 07:54 AM

You won't see much of other traffic of you use a switch. That's because the switch forwards frames only towards the destination if it know where the destination is. There are multiple ways to achieve what you want:

1. You can monitor the traffic going through a specific cable by running it through two bridged NICs.

For example, if you have a cable between A and B, you can do the following to monitor traffic through that cable:

- Connect two NICs to some system. These NICs should be used for this purpose only.
- Bridge the two NICs:

Code:

brctl addbr br0
brctl addif br0 eth4
brctl addif br0 eth5
ifconfig br0 up
ifconfig eth4 up
ifconfig eth5 up

- Remove the cable between A and B. Instead, connect A to eth4, and B to eth5.
- Run Wireshark on either eth4 or eth5.

2. Similarly, you can get rid of the switch and instead use some computer as a switch - using one network card for one port, and bridge them all as above. Then capture on br0.

3. Do ARP poisoning to make everything go through some host (try ettercap). Doesn't require extra hardware.

4. Use a hub instead of a switch. A hub broadcasts all traffic to all ports, allowing every system connected to the hub to see all frames.

MarkRaats · 06-16-2011, 08:27 AM

Thank you for responding. Ive 2 networks
- 10.0.0.x
- 192.1.1.x

Ive one 'master' Server with a NIC in the 10.0.0.x range (10.0.0.11) and a NIC in the 192.1.1.x range (192.1.1.101)
But its a virtual Server and the 2 networks are also virtual LANs. (using VMware)

So the 'master' server is for monitor the both network environments. So there are no physical network cable's or switches.

ambrop7 · 06-16-2011, 08:55 AM

If I'm getting this right, you have a network (10.0.0.0/24), where 10.0.0.11 is the address on the host's interface, and there are two or more VMs in that network; and you want to see the packets between the two VMs.

I think the problem is that is, when one VM sends a frame to the other, the software-based switch in VMWare forwards it directly to to other VM, and the host never sees it. I've searched if it is possible to make the switch forward all frames to the host, but found nothing.

This can be worked around by bridging manually. This means, instead of having VMWare manage this whole subnet (through a single host NIC, and maybe by running its integrated DHCP and DNS servers), you would use one virtual host NIC per virtual machine, and tell VMWare to not manage those interfaces; that is, not configure IP address and not run DHCP and DNS servers. This will give your host one virtual NIC per VM, without any IP addresses assigned. Then simply bridge all those in the host the usual Linux way (brctl), assign an IP address to the bridge interface, and possibly run a DHCP or DNS server on the bridge interface (e.g. dnsmasq).

Now if one VM sends a frame directly to the other, it will always go through the bridge, and will be caught by running Wireshark on the bridge interface.