Wireshark · Wireshark-users: Re: [Wireshark-users] How to see HTTP hosts visited

[Andreas Fink <afink@xxxxxxxxxxxxx>]

the two switches are not forwarding packets to your PC as the  
destination of the packets are not meant to receive it
You need to do the tracing on the WRTG54G itself (if it runs some  
linux for example) or it should forward packets.
I dont think even without the two switches you will see the packets as  
they come/go from DSL and WLAN. So the WRT will not forward it to you  
because it knows (or thinks) you are not looking for those packets.


On 12.11.2007, at 22:34, Gary Fritz wrote:

> From: Stephen Fisher <stephentfisher@xxxxxxxxx>
> > What does your network setup look like?  Do you have separate  
> > wireless
> > AP, router, cable/dsl modem?  Or which parts are combined into one?
>
> Our home network looks something like this (sorry for the ASCII  
> graphics):
>
> Linksys
> WRT54G -------- switch -------- switch ---- my PC
> (wifi hub)
>     |
>     |
> other PCs
>
> The Linksys is acting as a "DSL" modem (although my broadband
> connection is actually wireless), router, and wireless AP.
>
> So I have 2 switches between the router and my PC.  Could that be  
> part of
> the problem?
>
> > You could monitor the wifi through another wifi connection only if  
> > your
> > operating system & wireless driver support promiscuous mode, which  
> > is not
> > common (especially on Windows).
>
> Hm.  And I am running on Windows -- XP Home & Pro.  The promiscuous-
> mode option is checked in the "Capture Options" dialog.
>
> > Ideally you would monitor his machine by installing Wireshark on his
> > machine, but that may give away what you're trying to do :).
>
> Yeah, that's not ideal for me.  :-)
>
> > Since the initial sites visited are typically the only time HTML is
> > loaded (the accesses to other sites are usually graphics), this  
> > display
> > filter should help narrow it down:
> >
> > ip.addr == 192.168.1.106 && http && http.content_type contains
> > "text/html"
>
> Hm, no, I'm still seeing requests for googleadservices.com,
> pagead.l.google.com, rcm.amazon,com, some gifs and jpgs, etc.  A lot  
> of the
> sites I'm seeing are requesting p3p.xml files or similar.
>
> And it doesn't seem to be capturing all the actual browse requests.   
> E.g. if I
> browse to www.dogpile.com (my son's favorite search engine), nothing  
> gets
> through the filter.
>
> It's definitely better than I had come up with before.  The  
> statistics report I
> was using before doesn't work with that filter, but the filtered  
> output is better
> than the stat report was anyway.  If it just included all the hosts  
> I browsed to,
> it would be "good enough" for now.
>
> Except... I've just discovered that display filters and capture  
> filters don't use
> the same syntax, sigh.  These packets pile up quickly without a  
> filter.  I tried
> "port 80 and src <<my IP>>" and that helps, but I'm sure it's not  
> optimal.
> Can you capture basically the same set of packets that the display  
> filter
> shows?
>
> Thanks for the start!
> Gary
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users