Where do I capture traffic?

Where you capture is important:

  • Capturing locally on a computer connected to a switch port will let you see only traffic to/from your own computer, plus whatever the switch floods to every port: broadcasts, multicast, and unicast frames for destinations the switch has not learned yet.
  • Capturing off a hub (a true layer 1 repeater: every frame that comes in on one port is repeated out of all the other ports) will give you all the traffic to/from all devices connected to that hub. Hubs only exist for 10/100 Mbit/s and force the link into half duplex, so they are not an option for gigabit links.
    Note that many devices marked as “hubs” actually are switches – see https://wiki.wireshark.org/HubReference for more information.
  • Capturing off a wireless network follows the same principles as capturing on a hub: all stations share the medium, so an adapter in monitor mode on the right channel sees every frame on that channel. Two caveats: in normal (managed) mode the adapter only hands you frames addressed to it, and on a WPA/WPA2 network the frames are encrypted, so Wireshark also needs the network key and the station's four-way handshake in the capture before it can decrypt them.
  • Capture off a mirrored (SPAN) switch port to “eavesdrop” on all traffic to/from the host or hosts connected to the port(s) being mirrored.
    Remember that you will need administrative access to the switch to set up a mirror port.
    There are downsides to this approach. The switch prioritizes its core job of forwarding traffic over copying frames to the mirror port, so you risk losing packets under load. A full-duplex link carries up to twice the bandwidth of the mirror port (both directions of a 1 Gbit/s link onto a single 1 Gbit/s port), so a busy link oversubscribes the mirror port even on an otherwise idle switch. And most switches will not copy frames with CRC or other physical-layer errors, which a tap would show you.
  • Capture off a network tap. Taps are specialty devices designed for the sole purpose of letting you listen in on network traffic; they sit inline on the link, need no access to the switch, and the link drops briefly while you insert one. There are aggregating and non-aggregating taps. A non-aggregating tap puts each direction of the full-duplex link on its own monitor port, so to capture a complete conversation you need two capture interfaces (one per direction) and you merge the two files afterwards, for example with Wireshark's mergecap. An aggregating tap combines both directions onto one monitor port, so a single capture interface sees the whole stream, but this comes at a price: they are in general more expensive, and because two 1 Gbit/s directions are squeezed onto one 1 Gbit/s output they rely on built-in buffer memory to ride out the busiest peaks of traffic. If the combined load stays above line rate for longer than that buffer holds, even an aggregating tap will drop frames. A regular computer will typically drop packets during such peaks, so check the “Dropped” counter in Wireshark's capture status bar (or tcpdump's “packets dropped by kernel” summary) before trusting a capture taken under load.
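As an added example (not part of the original page and not Wireshark's own code), the following Python script does what `mergecap -w both.pcap portA.pcap portB.pcap` does for the two per-direction files you get from a non-aggregating tap: it parses classic pcap, interleaves both captures by timestamp and writes a single file you can open in Wireshark. The two input captures are constructed inline with made-up, locally administered MAC addresses and an experimental EtherType, not real traffic; only classic microsecond pcap is handled, not pcapng.

```python
"""Merge the two per-direction captures from a non-aggregating tap into one pcap.

Added example, a minimal pure-Python version of what Wireshark's mergecap does.
Handles classic pcap (magic 0xA1B2C3D4, microsecond timestamps, either byte order).
"""
import struct
from typing import List, Tuple

LINKTYPE_ETHERNET = 1
PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"           # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"              # ts_sec, ts_usec, incl_len, orig_len

Packet = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes)


def read_pcap(data: bytes) -> Tuple[int, List[Packet]]:
    """Parse a classic pcap byte string into (linktype, packets), honouring the file's byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # the same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file (pcapng / nanosecond pcap not handled)")
    ghdr = struct.Struct(endian + GLOBAL_HDR)
    rhdr = struct.Struct(endian + RECORD_HDR)
    linktype = ghdr.unpack_from(data, 0)[6]
    packets: List[Packet] = []
    off = ghdr.size
    while off < len(data):
        if off + rhdr.size > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl_len, _orig_len = rhdr.unpack_from(data, off)
        off += rhdr.size
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append((ts_sec, ts_usec, frame))
        off += incl_len
    return linktype, packets


def write_pcap(linktype: int, packets: List[Packet], snaplen: int = 65535) -> bytes:
    """Serialise packets as a little-endian classic pcap file."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def merge_pcaps(*captures: bytes) -> bytes:
    """Interleave several captures by timestamp, as mergecap does.

    The sort is stable, so packets with identical timestamps keep the order of the
    input files. Captures with different link types are refused rather than mixed."""
    parsed = [read_pcap(c) for c in captures]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"link types differ: {sorted(linktypes)}")
    merged = sorted((p for _, pkts in parsed for p in pkts), key=lambda p: (p[0], p[1]))
    return write_pcap(linktypes.pop(), merged)


def src_macs(data: bytes) -> List[str]:
    """Source MAC of every Ethernet frame, in file order: shows both directions interleaved."""
    _, packets = read_pcap(data)
    return [frame[6:12].hex(":") for _, _, frame in packets]


# ---- constructed sample input (made-up addresses and payloads, not real traffic) ----
MAC_A = bytes.fromhex("020000000001")   # locally administered, invented for this example
MAC_B = bytes.fromhex("020000000002")
ETHERTYPE_EXPERIMENTAL = b"\x88\xb5"    # IEEE 802 local experimental EtherType, so no dissector parses the payload


def eth_frame(src: bytes, dst: bytes, payload: bytes) -> bytes:
    return dst + src + ETHERTYPE_EXPERIMENTAL + payload


T0 = 1_700_000_000  # an arbitrary epoch second
# Monitor port 1 of a non-aggregating tap only ever sees A -> B ...
TAP_PORT_1 = write_pcap(LINKTYPE_ETHERNET, [
    (T0, 100, eth_frame(MAC_A, MAC_B, b"request 1")),
    (T0, 300, eth_frame(MAC_A, MAC_B, b"request 2")),
])
# ... and monitor port 2 only ever sees B -> A; on its own each file is half a conversation.
TAP_PORT_2 = write_pcap(LINKTYPE_ETHERNET, [
    (T0, 200, eth_frame(MAC_B, MAC_A, b"reply 1")),
    (T0, 400, eth_frame(MAC_B, MAC_A, b"reply 2")),
])

if __name__ == "__main__":
    merged = merge_pcaps(TAP_PORT_1, TAP_PORT_2)
    with open("merged.pcap", "wb") as f:    # open this in Wireshark to see the full exchange
        f.write(merged)
    for mac in src_macs(merged):
        print(mac)
```

The merge relies on both capture interfaces sharing one clock (the same host's), which is why the two monitor ports are usually captured on one dual-port card; if the two files come from different machines with unsynchronised clocks, the interleaving will be wrong no matter which tool merges them.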

Is Wireshark the only tool available?

Whenever I need to look at network traffic to see what is actually going on, I use Wireshark.

There are other options, but I prefer the “true” nature of Wireshark: what you see is what you get.
As Laura Chappell puts it: “Packets don’t lie!”

Tools like Microsoft’s Network Monitor might give a more insightful look at the total picture of what is going on, but it will not show what truly flies by over the network – it will show an excerpt of the network traffic mixed with all kinds of application/OS layer data.
Fine for those who want that, but I focus solely on the network layer; believe me, there is more than enough to look at there!