#1
Hello. I have installed Wireshark and WinSCP but all I see to capture data on are the server's two Ethernet ports. I am trying to get a handle on adding another interface but in googling around and reading the help file I am still no closer. Can someone coach this old voice guy on how to add the IP Office LAN port to the interfaces traced so I can capture data please?
Thank you in advance,
#2
Hi
With Wireshark installed on your laptop, you will need to have your laptop capturing the data flowing between the IP Office and the Ethernet switch it is connected to. If you connect your laptop to another Ethernet port on the same switch you will not see data to/from the IP Office (unless it's data specifically going to/from your laptop). So that Wireshark can "see" the data going to/from the IP Office, the Ethernet switch would need to be configured for "port mirroring". This is just as it sounds: data on the Ethernet port the IP Office is connected to is "mirrored" to the port your laptop is connected to. How to configure "port mirroring" will be specific to the model of Ethernet switch and is usually performed by the IT Administrator of the network. Another option, which is old and less than ideal, is to install an Ethernet "hub" between the IP Office and the Ethernet switch. Then plug your laptop into the hub. A hub has the same data to/from every port. Hubs are difficult to find today and would not be Gigabit speed. Of course, the connection between the IP Office and Ethernet switch would have to be disconnected to install a hub, another negative. Port mirroring, as above, is what typically needs to be done.
#3
What kind of data are you trying to capture? There might be a better method of troubleshooting than using Wireshark.
#4
Could you upload the Wireshark trace?
#5
How is a message's protocol determined in Wireshark?

I am new to Wireshark. I started watching one training video but it was long and I am looking for specific answers to questions to help in my coding job. How is a message packet's protocol determined in Wireshark? I have a .pcapng file I have been looking at and at first it seemed that the first three hex digits were the determining factor because they seemed to be unique to a protocol. But this is not the case. Instead they seem to be part of the destination address. Thanks in advance.

Also, just to be sure: the hexadecimal representation in the third frame window represents the whole packet without anything added or taken away, right? Is this a correct assumption?

The protocols that I am interested in are: ARP, HTTP, HTTP/JSON, MDNS, NBNS, TCP.

I found some documentation online at documentation dot help: https://documentation.help/Wireshark...tml#idp3107168

1.1.6. Many protocol decoders
There are protocol decoders (or dissectors, as they are known in Wireshark) for a great many protocols: see Appendix B, Protocols and Protocol Fields.

Appendix B. Protocols and Protocol Fields
Wireshark distinguishes between protocols (e.g. tcp) and protocol fields (e.g. tcp.port). A comprehensive list of all protocols and protocol fields can be found at: http://www.wireshark.org/docs/dfref/

And there are lots of protocols listed here.

For HTTP and HTTP/JSON, the data stream I have from my .pcapng file contains a data packet which starts with a destination address followed by a source address, and then there is something I find interesting. It is:

Type: IPv4 (0x0800)

And that is the same for HTTP as well as HTTP/JSON. So how do I determine the difference from that packet data?

In the same location, we have (0x0806) for ARP.
In the same location, we have (0x0800) for MDNS -- which is the same for HTTP, so this is not the answer.
In the same location, we have (0x0800) for NBNS -- which is the same for HTTP, so this is not the answer.
In the same location, we have (0x0800) for TCP -- which is the same for HTTP, so this is not the answer.

Wireshark is open source. So my only other option, it seems, apart from getting an answer online, is to step through the code.
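The two bytes post #5 is looking at (right after the destination and source MAC addresses) are the EtherType, and they only pick the next layer: 0x0806 hands the frame to the ARP dissector, 0x0800 to IPv4. Inside IPv4, the Protocol byte (offset 9 of the IP header) selects TCP (6) or UDP (17); the port numbers then select the application dissector (TCP port 80 for HTTP, UDP 5353 for mDNS, UDP 137 for NBNS); and "HTTP/JSON" is the HTTP dissector handing a body whose Content-Type is application/json on to the JSON dissector. The hex pane shows the frame bytes exactly as the capture driver delivered them, which on most NICs means the Ethernet FCS has already been stripped. The script below is added here as an illustration and is not from the thread or from Wireshark's source; it walks that decision chain over a handful of constructed frames (the MACs, IPs and packet bodies are placeholders, and checksums are left at zero and never verified):

```python
import struct

# Demultiplexing tables, mirroring the order Wireshark chooses the next dissector:
# EtherType -> network layer, IPv4 Protocol -> transport, port -> application.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_PORTS = {80: "HTTP", 8080: "HTTP"}
UDP_PORTS = {53: "DNS", 137: "NBNS", 5353: "MDNS"}


def ethertype(frame: bytes) -> int:
    """The 2-byte big-endian EtherType at offset 12, after dst MAC (0-5) and src MAC (6-11)."""
    return struct.unpack("!H", frame[12:14])[0]


def http_content_type(segment: bytes):
    """Return the media type named in an HTTP message's Content-Type header, or None."""
    head = segment.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-type":
            return value.split(b";", 1)[0].strip().lower().decode("ascii", "replace")
    return None


def dissect(frame: bytes) -> list:
    """Return the protocol stack this toy dissector identifies for one Ethernet II frame."""
    layers = ["Ethernet"]
    if len(frame) < 14:
        return layers + ["malformed"]
    etype = ethertype(frame)
    layers.append(ETHERTYPES.get(etype, "ethertype-0x%04x" % etype))
    if etype != 0x0800:
        return layers                                 # ARP, IPv6 etc. stop here in this toy
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return layers + ["malformed"]
    ihl = (ip[0] & 0x0F) * 4                          # IPv4 header length in bytes (options included)
    proto = ip[9]                                     # IPv4 "Protocol" field
    layers.append(IP_PROTOCOLS.get(proto, "ip-proto-%d" % proto))
    payload = ip[ihl:]
    if proto == 6 and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        data_offset = (payload[12] >> 4) * 4          # TCP header length in bytes
        segment = payload[data_offset:]
        app = TCP_PORTS.get(dport) or TCP_PORTS.get(sport)
        if app == "HTTP" and segment:                 # empty segment (SYN/ACK) stays plain TCP
            layers.append("HTTP")
            if http_content_type(segment) == "application/json":
                layers.append("JSON")                 # what Wireshark shows as HTTP/JSON
    elif proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        app = UDP_PORTS.get(dport) or UDP_PORTS.get(sport)
        if app:
            layers.append(app)
    return layers


# --- Constructed sample frames (placeholder addresses, not a real capture; checksums zero) ---
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")
SRC_IP, DST_IP = bytes([192, 168, 42, 10]), bytes([192, 168, 42, 1])


def ethernet(etype: int, payload: bytes) -> bytes:
    return DST_MAC + SRC_MAC + struct.pack("!H", etype) + payload


def ipv4(proto: int, payload: bytes) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum, src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                       SRC_IP, DST_IP) + payload


def tcp(sport: int, dport: int, data: bytes = b"") -> bytes:
    # ports, seq, ack, data offset 5 words (no options), window, checksum, urgent pointer
    return struct.pack("!HHIIHHHH", sport, dport, 1, 1, 5 << 12, 65535, 0, 0) + data


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


ARP_REQUEST = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, SRC_MAC, SRC_IP, b"\0" * 6, DST_IP)
# Placeholder name-query body; this dissector never parses it, only the UDP port matters.
NAME_QUERY = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + b"\x08ipoffice\x05local\x00" + struct.pack("!HH", 1, 1)

SAMPLES = {
    "arp": ethernet(0x0806, ARP_REQUEST),
    "http_get": ethernet(0x0800, ipv4(6, tcp(51000, 80, b"GET / HTTP/1.1\r\nHost: ipoffice.local\r\n\r\n"))),
    "http_json": ethernet(0x0800, ipv4(6, tcp(80, 51000,
                 b"HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n\r\n{\"ok\":true}"))),
    "tcp_syn": ethernet(0x0800, ipv4(6, tcp(51001, 80))),
    "mdns": ethernet(0x0800, ipv4(17, udp(5353, 5353, NAME_QUERY))),
    "nbns": ethernet(0x0800, ipv4(17, udp(137, 137, NAME_QUERY))),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print("%-10s ethertype=0x%04x  %s" % (name, ethertype(frame), " / ".join(dissect(frame))))
```

Real Wireshark is more elaborate (ports are configurable via "Decode As", many dissectors also match heuristically on content, and HTTP is recognised on more than port 80), but the order of decisions is the same, which is why the EtherType alone can never separate HTTP from mDNS or NBNS: all three are 0x0800 because all three ride on IPv4.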