Setup on router that could prevent wireshark from seeing packets?

I have been trying to use wireshark to capture and analyze outgoing packets from a device on my network. Both the PC running wireshark and the target device are on the same VLAN. When I have wireshark running, I do see packets flying around, but when I load a browser on the target device, and start pulling up https traffic, I am not seeing it on wireguard. Is there a setting on my OW router that could be masking this?

Are you sure you have set up wireshark to show TLS traffic since it is pretty useless to look at?

Usually it shows the TLS handshake and not much more.

I'm not seeing an option under capture options for TLS anything.

Have you read the wireshark manual anything more than the “quick start” part?

Or googled capturing tls data with wireshark?

The thing is that the port mirroring in the switch only mirrors the data. And sends it to somewhere where something is supposed to take care of the data.

So if the switch sends anything at all then it sends everything so then the problem is on the receiving side. The only setting port mirroring usually has is what direction the data that is copied comes from. It is like input, output or both.

Do you have hardware port mirroring?
Last version of OpenWrt that had this easily available was 19.07.

It is possible with DSA but more complicated since there is no on/off function in LuCi any more.

The router is a RPi4 using DSA. From googling it seems that I need to enable this under the switch section which as you pointed out does not exist with DSA. There also seems to be a package needed:

port-mirroring - 1.4.4-4 - Copy network packets with optional support for TaZmen Sniffer Protocol (TZSP)

Is that accurate?

EDIT: I found our tcpdump_wireshark article and am experimenting with tcpdump on the router now. I am happy to capture the data there and use wireshark to analyze.

EDIT2: Yes! Doing it this way works.

On the OW router, I can target the device by IP:

tcpdump -i eth0 host -U -s0 -w /tmp/dump.txt

Then I can just load that into wireshark on my linux box and see what I wanted to see.

There is no switch in a Raspberry Pi 4. You don’t need to (and probably shouldn’t) use dsa syntax.

But since there is no hardware switch, you really should be using a proper managed switch that includes port mirroring capability.

I have a managed switch in the mix but never looked into port mirroring on it. In any case, thank you for the reply. I was able to satisfy my use case.

I have not tested it on 22.03, but that's precisely why I created wireshark-helper package back in the day to explicitly forward traffic from one device to another and wrap it with a nice WebUI. Hope it helps.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.