Rookie Wireshark question

Hello everyone,

A couple of months ago, I was playing with Wireshark. The capture was running smoothly, showing the traffic of my machines, whether TCP or UDP, showing destination IPs, source IPs etc.

I launched it again today, and for some reason it captures only UDP traffic: http://prntscr.com/16chh6m. The captured packets in the screenshot are supposed to be Facebook and YouTube searches.

I searched the internet but I couldn't find a reason. I even installed the new Kali Linux 2021.2 .ova file and still had the same results.

Any recommendations and explanations will be greatly appreciated.

My setup is: 1 Windows laptop, 1 Windows desktop, 1 Kali Linux 2021.2 on VirtualBox, 1 Ubuntu 21.1 on VirtualBox. All connected to the same router via Ethernet.

Thank you in advance

Iason Demertzidis
asked 2021-06-22 21:49:48 +0000, updated 2021-06-23 11:54:02 +0000

Comments

Is remote mouse installed? Remote mouse uses UDP ports 2007 and 2008.

BigFatCat (2021-06-23 09:08:07 +0000)

All the traffic in your capture is broadcast, have you disabled promiscuous mode on the capture interface?

grahamb (2021-06-23 09:15:23 +0000)

BigFatCat: Remote Mouse is indeed installed on my laptop. grahamb: It was enabled, I disabled it and it is still showing only UDP traffic.

Iason Demertzidis (2021-06-23 11:55:34 +0000)

You need promiscuous mode enabled to capture traffic not destined for your machine. What is your capture machine connected to, a switch port, a tap or something else?

grahamb (2021-06-23 13:07:56 +0000)

Some more questions:

  • What machine are the VB VMs on?
  • Can you give a model name for the router? It's likely to be acting as a switch.
  • Which machine(s) traffic are you expecting/hoping to see?

grahamb (2021-06-23 15:14:43 +0000)

1 Answer

You will only see the broadcast traffic from the laptop as it's a switched network, unless you can set the D-Link switch into monitor or span mode. See the Wiki page on Ethernet Capture for more info.

grahamb
answered 2021-06-23 16:41:12 +0000

Comments

Thank you very much for your help again!

Iason Demertzidis (2021-06-25 10:39:59 +0000)
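The check behind this answer, as an added example that is not part of the original thread: it labels each captured Ethernet frame by destination MAC to tell a switched port (only broadcast, multicast and the capture host's own unicast) from a port that sees other hosts' unicast. The MAC addresses, sample frames and function names are constructed for illustration.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test data, no FCS)."""
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload

def classify(raw, local):
    """Label a frame by its destination MAC relative to the capture NIC."""
    if len(raw) < 14:
        return "truncated"
    dst, src = raw[:6], raw[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                 # I/G bit set: group (multicast) address
        return "multicast"
    if local in (dst, src):
        return "local_unicast"
    return "foreign_unicast"          # unicast between two other hosts

def verdict(frames, local_mac):
    """Summarise a capture and say what kind of port it looks like."""
    local = mac(local_mac)
    counts = Counter(classify(f, local) for f in frames)
    if counts["foreign_unicast"]:
        # A switch floods unknown-destination unicast, so a few can appear
        # even without mirroring; a steady stream means hub, tap or SPAN.
        return "sees-other-hosts", counts
    if counts["broadcast"] or counts["multicast"]:
        return "switched-port", counts
    return "inconclusive", counts

# Constructed sample: all MACs are made-up locally administered addresses.
ME, LAPTOP, DESKTOP = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SWITCHED = [
    frame("ff:ff:ff:ff:ff:ff", LAPTOP),      # laptop broadcast (e.g. UDP discovery)
    frame("01:00:5e:00:00:fb", DESKTOP),     # IPv4 multicast group address
    frame(DESKTOP, ME),                      # capture host's own traffic
]
MIRRORED = SWITCHED + [frame(DESKTOP, LAPTOP)]  # laptop -> desktop unicast

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        print(name, *verdict(cap, ME))
```
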
