By Cudmasters Los
Just started using Wireshark, trying to learn. I have a lot of traffic that says "who has" with an IP address, and "tell" a different IP address. What is that? Also, when I am running Wireshark, capturing my network card, is it telling me what is going on in the whole network?

You're running an 1811, I believe

by CG IT In reply to Wireshark Who Has Tel ...

Your SDM should be able to direct syslog messages to a syslog server. If you configure syslog right, you'll see everything going in and out the WAN interface on your 1800.

If you capture packets from your network card, you're only seeing what goes through that network card [interface].

by seanferd In reply to Wireshark Who Has Tel ...

That's the "Who has" business.

Yes, Wireshark can only capture the traffic routed through the device which is running Wireshark, on whatever interface you specify.

If you have it installed on a server, all the traffic running through the chosen interface on the server is logged. If all clients connect only to the server through that interface, then all traffic is logged.

You need a good old-fashioned ethernet hub

by robo_dev In reply to ARPing

or use the port-mirroring commands on your ethernet switch to redirect and capture traffic.

But a hub is sooo much simpler.

who has tell

by Cudmasters Los In reply to You need a good old-fashi ...

Not sure what you mean by who has. At least 1/2 of the traffic I see is that statement, who has tell, but not always the same address, at least 20 different ones.

Also, I saw where an IP address was querying another computer by the NetBIOS name, so I traced it, found out that the computer (IP) had the printers (NetBIOS) installed as auto-(name). I know I need to turn the printer off from being broadcasted, but what I'm wondering is, if that IP is querying that other computer, how am I seeing it? It's going through my card too?

broadcast traffic goes to all on the wire

by CG IT In reply to who has tell 10 ...

Devices broadcast to find hosts. [A whois broadcast]. That traffic is sent to everyone on the wire. Wireshark is picking up that broadcast traffic. There's lots of other types of traffic going on the network as well [overhead].

To clarify

by robo_dev In reply to broadcast traffic goes to ...

"on the wire" meaning in your broadcast domain.

On an ethernet switch, everything in the same VLAN is one broadcast domain.

It needs to be this way, or devices cannot find each other, so things like the Windows network neighborhood would not work, nor could you browse for a printer.

Note that since it's an Ethernet switch, you only see directed traffic to/from your workstation, but if you install a hub, you can monitor all directed traffic going in/out of all hub ports, which is useful for the Wireshark sniffer.

A wireless LAN works the same way as a hub, so one client can sniff the directed traffic of his/her neighbors.
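The "who has ... tell ..." lines discussed in this thread are how Wireshark summarises ARP request frames, which go to the Ethernet broadcast address and so reach every card in the broadcast domain. The following is an added example, not part of any post in the thread, that decodes such frames and counts requests per sender; the sample frames, MAC addresses and IP addresses are constructed for illustration.

```python
import socket
import struct
from collections import Counter

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build a constructed Ethernet + ARP request frame (sample input only)."""
    eth = BROADCAST + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, op=1 request
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)  # target MAC not yet known
    return eth + arp

def parse_arp(frame):
    """Decode an untagged IPv4-over-Ethernet ARP frame; None for anything else."""
    # 14-byte Ethernet header + 28-byte ARP body = 42 bytes minimum
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "broadcast": frame[0:6] == BROADCAST,  # sent to everyone on the segment
        "op": op,                              # 1 = request, 2 = reply
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }

def summarize(frames):
    """Return Wireshark-style request lines and a per-sender request count."""
    lines, per_sender = [], Counter()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == 1:
            lines.append(f"Who has {arp['target_ip']}? Tell {arp['sender_ip']}")
            per_sender[arp["sender_ip"]] += 1
    return lines, per_sender

# Constructed sample capture: MACs and IPs are made up for illustration.
SAMPLE_FRAMES = [
    build_arp_request(bytes.fromhex("020000000010"), "192.168.1.10", "192.168.1.1"),
    build_arp_request(bytes.fromhex("020000000010"), "192.168.1.10", "192.168.1.50"),
    build_arp_request(bytes.fromhex("020000000020"), "192.168.1.20", "192.168.1.1"),
    b"\x00" * 60,  # not ARP: skipped by the parser
]
if __name__ == "__main__":
    print(*summarize(SAMPLE_FRAMES)[0], sep="\n")
```

The per-sender count shows which hosts generate most of the ARP broadcasts seen on the capturing interface.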

Broadcast domain and collision domains

by CG IT In reply to To clarify

A switch breaks up a collision domain. Each switchport on a switch is a collision domain. On a hub, all ports belong to one big collision domain [and domains in this sense are NOT what Microsoft calls a domain or internet domains].

Routers break up broadcast domains into smaller ones.

Having attended the sales pitches back when switches were first introduced.

by robo_dev In reply to Broadcast domain and coll ...

...and I hate to mention that I helped to install Token Ring switches, back in the day.

lol well the pass the token to talk wasn't bad

by CG IT In reply to Broadcast domain and coll ...

when there wasn't a lot of people on the network... certainly kept collisions to a minimum....

how about 10base2 ??? every once in a while I have to do a field call on 10base2 and basically find out if there's a break ... but that's at places that absolutely positively will not spend any money on anything for believe it or not they complain about the problems.....

