Wireshark-users: Re: [Wireshark-users] hidden packets
From: Richard Perlman <wireshark@xxxxxxxxxxx>
Date: Mon, 19 Aug 2019 16:57:47 +0200
Got it.  Makes sense.  While my APs are in “bridge” mode, I do have switches deployed in several locations, notably between the Mac I am running Wireshark on and the rest of the network.  I am not exactly sure how, or with the equipment I have - if, I can set up a span session. All the information on doing that seems to assume Cisco gear. My network is fairly simple and consists of Wi-Fi access points (mostly aging Apple Airports), Ethernet switches and a gateway router provided by my ISP (Free.fr in France). 

In any case, I at least know why I don’t see the traffic.

Thanks,

Richard

On 19 Aug 2019, at 14:34, Giles Coochey <giles@xxxxxxxxxxx> wrote:


On 19/08/2019 13:25, Richard Perlman wrote:
Note: on the local lan, 192.168.5.0/24, all segments, Wi-Fi and wired) are bridged. So, I would expect to see all traffic to/from the plug on en0.
A bridge is a switch, i.e. it does MAC address learning and doesn't flood all packets to all interfaces like a hub would do. You would need to configure a span session on the Interface to your wireless access point to send packets received there to the port that your Apple device is connected to.