PDA

View Full Version : [ubuntu] Wireshark only sees localhost traffic



pcarlos853
October 26th, 2011, 04:12 AM
Hi,

I am trying to use wireshark to troubleshoot a slow lan. However I only see traffic from my computer and not any of the devices on the LAN (I am on wireless). I have been running wireshark as root and monitoring using wlan0. Is there a step that I am missing?

Thanks!
Carlos

docbop
October 26th, 2011, 04:18 AM
Are you on a switch or a hub? A hub will see everything, but a switch won't. These days most devices are switches.

pcarlos853
October 26th, 2011, 04:29 AM
I am on the wifi of a Actiontec mi424wr. I am not sure if that is a switch or hub. I think it would be considered a switch right?

Thanks
Carlos

a2j
October 26th, 2011, 03:51 PM
you are probably on a switched network and will not see anything. are you the admin of that LAN?

NlessKnight
October 27th, 2011, 01:17 AM
I suspect you're actually missing a couple of things.

1. You're on a router (at least, that's what my googling of the 'mi424wr' would suggest.) Part of what a router does is routing traffic, hence the name - effectively, in this scenario, it's acting like a switch, and only directing traffic where it needs to go, vs sending it to all ports. You're only going to see traffic directed at the specific interface on the router you're connected to - the wireless interface, in this case.

2. You're on wireless - double whammy, between this and point 1, in that you're far more prone to interference than on a wired connection. Basically, your card is only going to pay attention to traffic related to the SSID it's associated with - any unrelated traffic, it's going to drop (it's not going to show traffic from other non-associated systems in wireshark, even if traffic/noise generated by them is your problem).

So, you're not really going to be able to see much while sniffing over wifi.

The question, then, becomes what you're trying to troubleshoot - is it a slow wireless network, or a slow network all around? A slow wireless network could be any number of problems - a particularly, electromagnetically speaking, noisy old TV, set of speakers, etc., or potentially bad router placement (in the basement behind a bunch of plumbing, for example, would qualify for this.) Could be your neighbor's wifi, too, interfering with yours - are there any other APs in range?

If it's the network - wireless AND wired - that's slow, then you may wish to do a process of elimination of devices on your network; if your network slows way down after reactivating one particular device, then you may have your issue right there. Otherwise, it may be a matter on Verizon's end (assuming it's Verizon - most search results I found associated this particular device with Verizon FiOS.) Generalized traffic monitoring on your router is not going to be possible, short of enabling a SPAN port (which I doubt the router in question has the capability of) or hooking up a TAP (which likely isn't possible, from what I'm reading about the router.)

docbop
October 28th, 2011, 07:02 AM
If on wireless then you probably want to use airmon-ng and setup a monitor interface, Then you can use airodump-ng to see the various wireless devices around you. You can also use wireshark and capture all the packets the monitor interface sees.