Created 02 13 06  Updated 04 18 08

The Packet Capture Page


1.  What is a Packet Capture Tool?
2.  Are packet capture tools intrusive on the network?
3.  What about ethernet switches and bridges?
4.  I'd like to see some links to free packet capture tools?
5.  How do I set up filtering on Packetyzer and Wireshark?
6.  How to access Capture filters
7.  Capturing packets to File
8.  Capturing a print job with Wireshark


1.  What is a Packet Capture Tool?

Packet capture tools allow real-time collection of data as it travels over a network.
These tools are also known as packet sniffers, packet analyzers, protocol analyzers, and even traffic monitors.


2.  Are packet capture tools intrusive on the network?
A packet capture tool is not a port scanner; it does not scan the network.
A packet capture tool simply listens on a network interface for network traffic.
The traffic is already there; the tool simply captures it.


3.  What about Ethernet switches and bridges?
Switches, bridges and other devices will isolate network traffic.
If you want to capture packets for a specific device, a switch/bridge will often become a problem, as you will not be able to see traffic to/from the device.
Here's a simple solution:
Put the device you want to capture on a separate, non-switching hub.
If necessary, connect the hub's uplink port to the rest of the LAN.
Finally, put your laptop/computer running the packet capture tool on this same hub.
Now you will be able to see and capture all packets to/from the device.
If the switch is managed, mirroring the device's switch port to the port your capture machine is on (often called SPAN or port mirroring) gives the same result without a hub.


4.  I'd like to see some links to free packet capture tools?
For Windows GUI tools, I prefer to use Wireshark (originally called Ethereal) and/or Packetyzer (which uses Wireshark).
There are many others, but I have not tried them.


5.  How do I set up filtering on Packetyzer and Wireshark?
These applications have two filters, a capture filter and a display filter.
The capture filter specifies which packets are captured, whilst the display filter specifies which of the captured packets are displayed.
Wireshark uses the pcap (libpcap/WinPcap) filter language for capture filters.
This language is explained in the tcpdump man page.
This capture filter language is different from the one used for display filters!

I prefer to first specify a capture filter minimizing what I capture, then use a display filter to show me what I want.
Some people choose no capture filter, capturing everything, and then use a display filter to show what they desire.

6.  How to access Capture filters
Packetyzer Capture Filter - Start the application, choose an adapter, click Capture Filter, click "create a new filter" (the yellow icon at top left), then enter a filter name and a capture filter expression.  See the examples below.
Wireshark Capture Filter - Start the application, choose Capture, Capture Filters, enter a filter name and a filter string, select New, then Save and Close.  See the examples below.

Capture filter examples
Example Ethernet: capture all traffic to and from the Ethernet address 08:00:08:15:ca:fe
ether host 08:00:08:15:ca:fe

Example IP: capture all traffic to and from the IP address 192.168.0.10
host 192.168.0.10

Example TCP: capture all traffic to and from the TCP port 80 (http) of all machines
tcp port 80

Examples combined: capture all traffic to and from 192.168.0.10 except http
host 192.168.0.10 and not tcp port 80

How to use the Capture filters
Packetyzer - Start the application, choose an adapter, click Capture Filter, check off your filter, then start the capture with F5, Session > Start Capture, or the toolbar icon.
Wireshark - Start the application, choose Capture > Start (or Ctrl-K or the toolbar icon), pick your filter name under Capture Filter and click OK.
You are now capturing packets.

How to access Display filters
Packetyzer - Start the application, choose an adapter, find Display Filter at the bottom, select Edit, then create a new filter (the yellow icon at top left).
Here's how to display all packets between anywhere and a specific IP address:
Simple Filter, check Address filter, enter the IP address, OK.
Look in your Display filter list for your filter, check it off and hit Apply.
You are done.
As you will have noticed, you can also filter by direction, hardware (MAC) address, protocol and port.
See the examples below.

Wireshark - Start the application, click Filter, enter a filter name and a filter string.
You can use the Expression button to browse for an expression, or use these display filter examples.


Display Filter examples
By TCP Port        tcp.port == 135
By IP address      ip.addr == 192.168.10.67
IP 1 or IP 2       (ip.addr == 192.168.10.45) or (ip.addr == 192.168.10.67)
IP 1 and IP 2      (ip.addr == 192.168.10.45) && (ip.addr == 192.168.10.67)
By MAC address     eth.addr == 00:01:02:68:59:ea


7.  Capturing packets to File
It is often helpful to capture to a file, for example when you want to leave a capture running for a long time.
In Wireshark, check out the Capture Options for capture files, in particular the multiple-files option.


8.  Capturing a print job with Wireshark
You can capture a print job with Wireshark and save it as a print-ready file if you wish.
Let's say the printer is at 192.168.10.94 and I want to capture port 9100.
Use this as Wireshark's capture filter:
tcp port 9100 and host 192.168.10.213
After the job is sent, stop the capture, highlight any packet of the job, right-click and choose "Follow TCP Stream".
Check off RAW and save the file.
You now have a capture of the print job.
Adjust the port to 515 for LPD if you wish.
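The combined capture filter from section 6 and the Follow TCP Stream / RAW step above, as an added Python example that is not part of this page: it builds a small constructed pcap inline, keeps only the workstation-to-printer side of the "tcp port 9100 and host ..." traffic, reorders segments by sequence number, drops a retransmission, and returns the raw job bytes that Wireshark would save. It assumes 192.168.10.94 is the printer and 192.168.10.213 (the host in the page's filter) is the workstation sending the job; the PJL-style job data and the other packets are constructed.

```python
import struct
PRINTER, PORT = "192.168.10.94", 9100     # printer address and raw port from the page's example
CLIENT = "192.168.10.213"                 # assumed: the workstation sending the job

def frame(src, dst, sport, dport, seq, payload, flags=0x18):
    """Construct one Ethernet/IPv4/TCP frame (zeroed checksums; enough for reassembly)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip                  # zero MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

def follow_tcp_stream(pcap, host, port):
    """Return the client->host payload for one TCP port, like Follow TCP Stream -> RAW -> Save."""
    segments, off = {}, 24
    while off < len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        data, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        ip = data[14:]
        if data[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                                        # keep only IPv4/TCP
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        dst, tcp = ".".join(map(str, ip[16:20])), ip[ihl:total]
        sport, dport, seq = struct.unpack_from("!HHI", tcp)
        if dst != host or dport != port:
            continue          # "tcp port 9100 and host X", restricted to the client->printer direction
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            segments.setdefault(seq, payload)               # a retransmit keeps the first copy
    return b"".join(segments[s] for s in sorted(segments))  # reorder by sequence number

# Constructed capture: PJL-style job data out of order, a retransmission, a data-less printer ACK, and an unrelated HTTP packet.
P1, P2, P3 = b"\x1b%-12345X@PJL JOB\r\n", b"@PJL ENTER LANGUAGE=PCL\r\n", b"@PJL EOJ\r\n\x1b%-12345X"
S1, S2, S3 = 1000, 1000 + len(P1), 1000 + len(P1) + len(P2)
SAMPLE = build_pcap([
    frame(CLIENT, PRINTER, 40001, PORT, S1, P1),
    frame(CLIENT, PRINTER, 40001, PORT, S3, P3),            # arrives before the middle segment
    frame(CLIENT, PRINTER, 40001, PORT, S2, P2),
    frame(CLIENT, PRINTER, 40001, PORT, S1, P1),            # retransmission of the first segment
    frame(PRINTER, CLIENT, PORT, 40001, 5000, b"", flags=0x10),
    frame(CLIENT, "192.168.10.1", 40002, 80, 1, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Writing `follow_tcp_stream(SAMPLE, PRINTER, PORT)` to a file with a .prn extension gives the same print-ready file the RAW save produces; pass 515 instead of 9100 for LPD captures.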




If you have any questions please email me