I've just installed Wireshark on my Windows XP machine, and I'm trying to capture and analyze a packet. The packet is on a Linux box that I have access to. But, at the same time, I have a copy of the same packet in a PDF document on my XP machine.
1) Is it possible to capture the packet from my XP machine to the Linux box using Wireshark?
2) How can I get that packet into Wireshark?
3) Since I have a copy of the packet in a PDF document, can I save it in a text file and use it with Wireshark? Or is there a way to save the file in a different extension so that I can use it with Wireshark? I'm kinda stuck. Please help.
You have an IP packet in a PDF document?? Don't think so somehow. I guess you don't appreciate that "packet" is a technical term for a single entity of IP (OSI layer 3) data.
Anyway. Wireshark can capture any traffic that is passing through, or to or from, the machine you are running it on. Just start a capture, select the NIC and it will capture the data. That data is then "in" Wireshark. You can also capture data to a file using tcpdump and then copy that file to another machine running Wireshark and load it like you would open any given file.
Again, you do NOT have that packet in a PDF document. No way.
Chris, I do have it in a PDF document... proof... here it is:
19:59:32.595590 00:50:56:5c:70:32 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800),
etc.................
Now, this is the packet that I want to get into Wireshark, but it is also on a Linux box. Could you please show me how to tcpdump to a file and then to my machine, then I can get it into Wireshark.
OK, well that's just weird, why on earth would you have that? Certainly not going to get into a real capture file without typing it all out and then some....
Well, me aside, you can capture to a file using tcpdump by using the -w option to send data to a file rather than to stdout. Just read the tcpdump manpage for the specific features you're after to suit your own needs.
If you want to capture packets destined for your Linux machine but capture on a Windows machine, you'll need to make sure that those two machines are connected by a hub. Since hubs broadcast all incoming traffic out all other ports, your XP machine will "see" packets destined for the Linux machine and will be able to capture them. Just put Wireshark on the XP machine and start a capture and you'll see all traffic to and from all machines connected to the hub.
No, I'm not trying to do a live capture. For now, it's just trying to understand how the whole Wireshark, packet capture, and analysis thing works. Once that's done, I will try to do a live capture and just go from there.
The tcpdump man pages are not helping me out at all.... at least so far.
I'm using PuTTY to rsh to the Linux box. I have a high speed Internet connection that I'm using. When I start Wireshark and log on to the Linux box, I can see 2 to 3 capture interfaces in Wireshark. But only the cable modem (high speed Internet) has packets coming thru it. I don't see any packets from the other ones. I've tried a few things here and there, nothing is working, and I'm starting to go nuts.
There are four of them:
1) Adapter for generic dial up and VPN Capture: IP is grayed out, packets grayed out, and packets per second grayed out as well.
2) Motorola Surfboard 5120 USB Cable Modem: it has an IP address, and packets coming in and out of it.
3) VMware Virtual Ethernet Adapter: has an IP addr but no packets coming in and out, the packet column is grayed out.
4) Intel 8255x based Integrated Fast Ethernet: has an IP addr but no packets coming in and out, also grayed out.
I can capture #2, the Motorola, but that's not the packet that I want. I'm suspecting it's the #3 VMware Virtual Ethernet Adapter that I want, but I can't capture any packets there 'cause there are none coming thru.
I installed VMware a long time ago on my laptop, it has nothing to do with what I'm trying to do here. I'm connected online via high speed Internet and rsh to the Linux box using PuTTY. I'm not using VMware, it's just showing in Wireshark for whatever reason.
Not quite sure why it's relevant, but I'm sure I'm not using VMware for anything at this point. That's what I see when I bring up Wireshark and click on capture interfaces. My topology has to be the bus, if I have to guess.
Has anyone done anything like this before? I can't quite be the first one ever!! I need someone to save me!!!
On my Windows XP: Wireshark, connected online via cable modem.
On a different network: rsh to a Linux box to get network packets.
Now, all I need to do is to have Wireshark detect the packets on the Linux box that I'm rsh-ing to and capture them. I can run tcpdump on the Linux box, but Wireshark is not seeing it at all, and it's kinda frustrating I can't figure it out, and no one seems to be able to help.
Or, the other option is to save the packets into a file on the Linux box, copy it to my XP machine, then get it into Wireshark. Does anyone know how to do that?
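As an added illustration (not code from this thread, nor from tcpdump or Wireshark): what `tcpdump -w` writes, and what Wireshark opens with File > Open, is a pcap file: a 24-byte global header followed by one timestamped record per frame. The block below builds such a file in Python from a constructed Ethernet/IPv4 frame modelled on the quoted dump line (same timestamp, MAC addresses and ethertype; the IP addresses, the IPv4 header and the pcap writer/parser are my assumptions), parses it back, and renders the frame the way the dump shows it. It also makes Chris's objection concrete: the printed line carries only a few header fields, so without the actual frame bytes there is nothing to put in the record.

```python
"""Write and read a classic pcap file, the format `tcpdump -w` produces and Wireshark opens.
Added example for the thread above; the sample packet is constructed, not a real capture."""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1        # link type 1 = Ethernet, as in the quoted dump
SNAPLEN = 65535              # tcpdump's default-style "capture whole frame" limit


def mac_bytes(text):
    """'00:50:56:5c:70:32' -> b'\\x00\\x50\\x56\\x5c\\x70\\x32'."""
    return bytes(int(part, 16) for part in text.split(':'))


def build_frame(src_mac, dst_mac, ethertype, payload):
    """Ethernet II header (dst, src, type) followed by the payload bytes."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack('!H', ethertype) + payload


def ipv4_header(src_ip, dst_ip, proto, data_len):
    """Minimal 20-byte IPv4 header with a valid header checksum (assumed, constructed values)."""
    def ip_bytes(dotted):
        return bytes(int(octet) for octet in dotted.split('.'))
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + data_len, 0, 0, 64, proto, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    total = sum(struct.unpack('!10H', hdr))
    while total >> 16:                       # fold carries into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack('!H', (~total) & 0xFFFF) + hdr[12:]


def ipv4_checksum_ok(hdr):
    """True when the one's-complement sum of all header words is 0xFFFF."""
    total = sum(struct.unpack('!10H', hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def pcap_bytes(records, linktype=LINKTYPE_ETHERNET):
    """records: iterable of (ts_sec, ts_usec, frame_bytes). Returns the whole file as bytes."""
    # magic, major=2, minor=4, thiszone, sigfigs, snaplen, linktype (little-endian)
    out = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype)
    for ts_sec, ts_usec, frame in records:
        # per-record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack('<IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Parse a little-endian classic pcap; returns (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic, _major, _minor, _zone, _sig, _snap, linktype = struct.unpack('<IHHiIII', data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError('not a little-endian microsecond pcap file')
    pos, records = 24, []
    while pos < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack('<IIII', data[pos:pos + 16])
        pos += 16
        records.append((ts_sec, ts_usec, data[pos:pos + incl_len]))
        pos += incl_len
    return linktype, records


def describe_frame(ts_sec, ts_usec, frame):
    """Render a record the way the quoted tcpdump line does: time, src > dst, ethertype."""
    dst = ':'.join(f'{b:02x}' for b in frame[0:6])
    src = ':'.join(f'{b:02x}' for b in frame[6:12])
    (ethertype,) = struct.unpack('!H', frame[12:14])
    clock = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime('%H:%M:%S')
    return f'{clock}.{ts_usec:06d} {src} > {dst}, ethertype 0x{ethertype:04x}'


# Constructed sample modelled on the quoted dump line: 19:59:32.595590 (taken as UTC on
# 1970-01-01), src 00:50:56:5c:70:32 -> broadcast, ethertype IPv4. IP addresses are invented.
SAMPLE_TS_SEC = 19 * 3600 + 59 * 60 + 32
SAMPLE_TS_USEC = 595590
SAMPLE_FRAME = build_frame('00:50:56:5c:70:32', 'ff:ff:ff:ff:ff:ff', 0x0800,
                           ipv4_header('192.0.2.10', '255.255.255.255', 17, 0))


def roundtrip():
    """Build the file in memory, parse it back, and describe every packet in it."""
    linktype, records = parse_pcap(pcap_bytes([(SAMPLE_TS_SEC, SAMPLE_TS_USEC, SAMPLE_FRAME)]))
    return linktype, [describe_frame(*rec) for rec in records]


def write_sample(path):
    """Write the one-packet capture to disk so it can be opened in Wireshark."""
    data = pcap_bytes([(SAMPLE_TS_SEC, SAMPLE_TS_USEC, SAMPLE_FRAME)])
    with open(path, 'wb') as fh:
        fh.write(data)
    return len(data)


if __name__ == '__main__':
    print(write_sample('sample.pcap'), 'bytes written')
    print(roundtrip())
```

On the Linux box the same file layout comes out of `tcpdump -w capture.pcap -i <interface>` (interface name assumed); after copying the file to the XP machine (PuTTY ships a command-line copy tool, pscp, for this) it opens in Wireshark like any other capture. Running Wireshark on the XP side only ever sees frames that reach the XP NIC, which is why the remote tcpdump output never shows up there.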