On 19/08/2019 15:57, Richard Perlman wrote:
Got it. Makes sense.
While my APs are in “bridge” mode, I do have switches deployed in several locations, notably between the Mac I am running Wireshark on and the rest of the network. I am not exactly sure how, or - with the equipment I have - if I can set up a SPAN session. All the information on doing that seems to assume Cisco gear. My network is fairly simple and consists of Wi-Fi access points (mostly aging Apple Airports), Ethernet switches and a gateway router provided by my ISP (Free.fr in France).
In any case, I at least know why I don’t see the traffic.
There are other ways of doing that - but it will involve some extra equipment:
1. A small SoC computer can be set up as a router, potentially capable of running tcpdump to take the packet captures.
2. A physical TAP on a port can make a copy of the traffic and you can connect your kit running Wireshark to that.
3. Even a second-hand Cisco switch can be purchased on eBay pretty cheaply.
The SoC computer might be the cheapest option; I'm thinking Raspberry Pi - this has Wi-Fi and a gigabit port, so it could temporarily replace your AP, and the Debian-based Raspbian software can run Wireshark, or you can run tcpdump and then export the pcap to view in Wireshark.
Second cheapest, although probably close in price, would be a used Cisco switch; anything in the Catalyst range would have the SPAN session capability: https://www.ebay.co.uk/itm/CISCO-CATALYST-3560-SERIES-PoE-24-WS-C3560-24PS-24-PORT-PoE-SWITCH-FREE-DEL/272243680614?epid=1017614211&hash=item3f62fce566:g:~2cAAOSwMwxbVg8k - this is probably technically easier than the SoC option, but does require some Cisco know-how.
The TAP option is probably the most expensive for an industrial tap device, but it requires no technical know-how: just connect the AP or your gateway in line and connect your Wireshark device to the other port. There are only a few (perhaps three) permutations where you can go wrong, and you'll know if you've connected it up wrong (nothing works, and/or you see no packets).
--
Giles Coochey
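An added sanity check, not part of the thread: whichever route you take (SPAN port, TAP or the Pi in line), this Python snippet classifies the frames in a pcap by whether a plain switch port would have delivered them to the capturing host anyway, so a capture with zero "foreign" frames means the mirror or tap is still not in the path. The capturing host's MAC and the embedded sample capture are constructed for the example.

```python
import struct

CAPTURING_HOST = "aa:bb:cc:00:00:01"  # assumed MAC of the Wireshark/tcpdump host (constructed)

def mac(text):
    return bytes.fromhex(text.replace(":", ""))  # 'aa:bb:...' -> 6 raw bytes

def frame(dst, src, ethertype=0x0800):
    # Minimal Ethernet II frame; the payload content does not matter for this check.
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + b"\x00" * 20

def build_pcap(frames):
    # Classic pcap: 24-byte global header (link type 1 = Ethernet), then per frame a
    # 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1566230220 + i, 0, len(f), len(f)) + f
    return out

def iter_frames(data):
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # file byte order
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("not a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def classify(data, our_mac):
    # A plain switch port delivers only our own unicast plus broadcast/multicast;
    # 'foreign' unicast between other hosts only arrives via SPAN, TAP or in-line router.
    ours = mac(our_mac)
    counts = {"own": 0, "bcast_mcast": 0, "foreign": 0}
    for f in iter_frames(data):
        dst, src = f[:6], f[6:12]
        if src == ours or dst == ours:
            counts["own"] += 1
        elif dst[0] & 1:  # I/G bit set: broadcast or multicast destination
            counts["bcast_mcast"] += 1
        else:
            counts["foreign"] += 1
    return counts

# Constructed sample: our own traffic, an ARP broadcast, and two other hosts talking.
SAMPLE = build_pcap([
    frame("aa:bb:cc:00:00:02", CAPTURING_HOST),
    frame("ff:ff:ff:ff:ff:ff", "aa:bb:cc:00:00:03", ethertype=0x0806),
    frame("aa:bb:cc:00:00:04", "aa:bb:cc:00:00:03"),
    frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"),
])
```

Run `classify(open("capture.pcap", "rb").read(), "<your MAC>")` on a real tcpdump file; only the "foreign" count tells you the SPAN/TAP is working.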