Ethereal-users: Re: [ethereal-users] sorry sent it to the wrong one first

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Mon, 29 Nov 1999 13:12:32 -0800
> I have a question that I hope is not too mundane to answer....  I'm
> running Red Hat Linux ver 6.0 and Ethereal 0.7.9.  What I am wondering
> is how do I set up ethereal to monitor HTTP or Port 80 from other than my
> own eth0 card, i.e. if I wanted to monitor the HTTP traffic of the
> users on my network.

If your "eth0" card supports promiscuous mode (which I suspect most do),
Ethereal should, by default, see *all* traffic on the network segment
into which the card is plugged - it shouldn't make a difference whether
the traffic is coming from, or going to, your machine or not.

> I tried to set a filter for HTTP no good couldn't
> parse so I read at your site set it for tcp.port==80 no parse error

The capture filter syntax is, unfortunately, not the same as the display
filter syntax (the Ethereal site shouldn't suggest "tcp.port == 80" for
a capture filter; if it did, please let us know on what page it says
that, so we can fix it).

The syntax would be

	port 80

(Note that there's a bug in the "libpcap" library that Ethereal uses -
if you get a parse error from a capture filter, subsequent capture
filters, *even if they're valid*, may get parse errors as well; you have
to exit Ethereal and run it again to clear that.)

> but still get no info unless I startup a web browser locally,

As indicated, Ethereal always tries to put the card into promiscuous
mode, so it should see all traffic on the network segment into which
your card is plugged.

However:

	1) it may be that your card doesn't support promiscuous mode (I
	   don't know which cards do - you may have to ask the vendor of
	   the card, or ask a Linux newsgroup or mailing list, whether
	   that card does);

	2) it may be that the "libpcap" library isn't correctly turning
	   promiscuous mode on;

	3) it may be that the card is plugged into a network switch, and
	   that traffic between other machines plugged into that switch
	   is *NOT* getting sent to the switch port into which your
	   machine is plugged.

If you're not seeing traffic going between other machines on your
network, I suspect 3) may be the problem.  Some switches may have a
special port on them to which all traffic going through the switch gets
sent (so that you can plug a network monitoring device, or machine
running network monitoring software - e.g., Ethereal - into that port),
or may have a way that they can be configured to send all traffic
through the switch to a port.

I know nothing about particular switches - if you're plugged into a
switch, you should check with the maker of the switch, or check the
documentation for the switch, to see whether this might be the problem,
and, if it is, how to fix it, if that can be done.
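
The three causes listed in the message can be told apart from a capture taken with the `port 80` capture filter. The script below is an added example, not part of the original message or of Ethereal; it assumes a current Linux system where the interface flags word is readable from `/sys/class/net/eth0/flags`, and the function names, MAC addresses, IP addresses and sample capture lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example. MACs/IPs below are constructed (documentation ranges).

# Succeeds if IFF_PROMISC (0x100) is set in a Linux interface flags word,
# e.g. the contents of /sys/class/net/eth0/flags.
promisc_flag_set() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# Reads `tcpdump -e -n` text on stdin; prints the number of unicast frames
# whose source and destination MAC are both different from LOCAL_MAC ($1).
count_third_party() {
    awk -v me="$1" '
        BEGIN { me = tolower(me) }
        $3 == ">" {
            src = tolower($2); dst = tolower($4); sub(/,$/, "", dst)
            # Group bit set (odd first octet): broadcast/multicast is
            # flooded to every switch port, so it proves nothing.
            if (substr(dst, 2, 1) ~ /[13579bdf]/) next
            if (src != me && dst != me) n++
        }
        END { print n + 0 }'
}

# diagnose FLAGS_HEX LOCAL_MAC < tcpdump-text
diagnose() {
    if ! promisc_flag_set "$1"; then
        echo "promiscuous-off"       # causes 1) or 2) in the message
    elif [ "$(count_third_party "$2")" -gt 0 ]; then
        echo "segment-visible"       # other hosts' unicast reaches this port
    else
        echo "switch-suspected"      # cause 3): only own/flooded frames seen
    fi
}

# Constructed sample of `tcpdump -e -n -i eth0 port 80` output.
sample_capture() {
    cat <<'EOF'
13:12:32.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.10.40000 > 192.0.2.80.80: Flags [S], length 0
13:12:32.000150 00:00:5e:00:53:02 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 74: 192.0.2.11.40001 > 192.0.2.80.80: Flags [S], length 0
13:12:32.000300 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 52: 192.0.2.11.5000 > 192.0.2.255.80: UDP, length 10
13:12:32.000450 00:00:5e:00:53:fe > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.80.80 > 192.0.2.11.40001: Flags [S.], length 0
EOF
}

sample_capture | diagnose 0x1103 00:00:5e:00:53:01   # flags word is constructed
```

On a live system, read the flags file while the capture is still running, since the promiscuous bit is cleared again when the capturing program closes the interface.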