Reputation: 6232
Suppose I run Wireshark on my PC, and I'm connected to a router, how can Wireshark know about all the traffic from that router?
Isn't the router supposed to isolate each client and route only their own data to and from themselves? What actually happens behind the scenes?
Upvotes: 2
Views: 8773
Reputation:
Suppose I run Wireshark on my PC, and I'm connected to a router, how can Wireshark know about all the traffic from that router?
If you have a router that's connected to multiple LANs, then Wireshark, running on a machine connected to one of those LANs, can't know about all the traffic from the router unless the router has been configured to, for traffic that would otherwise not be routed to that LAN, send a copy of the packet on that LAN.
If you're talking about a LAN switch, so that everything plugged into the switch is on the same LAN, the situation is similar - the switch would have to be configured to send copies of traffic to the switch port into which the machine running Wireshark is plugged.
The ability to do that is a common feature in higher-end switches; a port can be configured to be a "mirror port". See the Wireshark Wiki page on Ethernet capture setup for details. I don't know whether any routers provide an equivalent of "port mirroring".
Upvotes: 4
Reputation: 12423
The isolation of packets to ports is the functionality of a switch. A hub sends the packets to all ports.
But your router also acts as a switch. You can place a device in front of the router and sniff from there. This device needs to be a hub, a switch with a monitor port or a splitter. Or you can use ARP spoofing to manipulate the ARP tables of the computers in the network. But that is mostly considered an attack.
Cheers, Chris
Upvotes: 1
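The forwarding behaviour both answers describe (hub, switch, switch with a mirror port) can be modelled in a few lines to show what a capture host actually receives. This is an added example, not part of either answer; the class names, port numbers, MAC labels and frames are constructed, and the mirror port is simplified to receive a copy of every frame.

```python
# Toy model: which frames reach the port where the Wireshark host is plugged in.
# All ports, MAC labels and frames below are constructed sample data.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port, src, dst):
        # A hub repeats every frame out of every other port.
        return self.ports - {in_port}

class Switch:
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port   # simplification: mirrors all traffic
        self.mac_table = {}              # learned MAC -> port

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port    # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]}      # known unicast: one port only
        else:
            out = self.ports - {in_port}     # broadcast or unknown: flood
        if self.mirror_port is not None:
            out |= {self.mirror_port}        # mirror port also gets a copy
        return out - {in_port}

def frames_seen(device, frames, capture_port):
    """Return the frames delivered to the capture host's port."""
    return [f for f in frames if capture_port in device.forward(*f)]

# Constructed traffic: (ingress port, source MAC, destination MAC).
# Hosts A and B sit on ports 1 and 2; the capture host sits on port 3.
FRAMES = [
    (1, "aa:aa", BROADCAST),   # A broadcasts (e.g. an ARP request)
    (2, "bb:bb", "aa:aa"),     # B replies to A
    (1, "aa:aa", "bb:bb"),     # A -> B unicast
    (2, "bb:bb", "aa:aa"),     # B -> A unicast
]

if __name__ == "__main__":
    setups = [("hub", Hub([1, 2, 3])),
              ("switch", Switch([1, 2, 3])),
              ("switch + mirror port 3", Switch([1, 2, 3], mirror_port=3))]
    for name, dev in setups:
        seen = frames_seen(dev, FRAMES, 3)
        print(f"{name}: capture host sees {len(seen)} of {len(FRAMES)} frames")
```

On the plain switch only the broadcast reaches port 3, which is why a capture on a switched LAN normally shows just your own traffic plus broadcasts.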