Wireshark is a tool that performs packet and protocol analysis on a network. Packets are the transport mechanism that moves our data from sender to receiver. Each packet has a header and a payload: the header carries the addressing information (where the packet came from and where it is going) and identifies the protocols in use, while the payload carries the actual digitized data, such as part of a web page, a block of text, a section of a photo, or a clip of audio from an MP3 or a phone call. If not all of the packets arrive, a phone call may sound choppy or a file may take a long time to download completely. Wireshark lets you look at the packets you are sending and receiving and learn a great deal about what is happening on the wire and where things are breaking down. Wireshark is not for the faint of heart: using it well requires knowledge of protocols and a solid understanding of the OSI model, IP, and TCP/UDP at the very least. But, with time, Wireshark becomes invaluable to the troubleshooting process. I have relied on the tool for my work supporting Voice-over-IP (VoIP) and system and application connectivity. The only side effect of Wireshark is that you will soon realize why it is not a good idea to surf the web in a public spot without a VPN or encryption.
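To make the header/payload split concrete, here is an added example (not code from the original article) that builds one Ethernet II + IPv4 + UDP frame from constructed, non-routable sample addresses and then decodes it the way a receiver, or Wireshark, does: each layer's header is peeled off in turn and whatever remains is the payload. The MAC addresses, IPs, ports and text payload are all made up for illustration; the IPv4 header checksum check is real and the decoder rejects truncated or corrupted frames instead of silently returning garbage.

```python
"""Added example: split a constructed Ethernet II / IPv4 / UDP frame into its headers and payload."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header; over a valid header (checksum included) it is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Build the frame the way a sender's stack does: each layer prepends its header to the one above."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum 0 = omitted (IPv4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64,
                         IPPROTO_UDP, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]  # fill checksum field
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth_hdr + ip_hdr + udp
    return frame + b"\x00" * max(0, 60 - len(frame))  # pad to the 60-byte Ethernet minimum (FCS excluded)


def decode_frame(frame: bytes) -> dict:
    """Peel the headers off in the order a receiver sees them; whatever is left is the payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("ethertype 0x%04x is not IPv4" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(ip):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    if ip[9] != IPPROTO_UDP:
        raise ValueError("IP protocol %d is not UDP" % ip[9])
    udp = ip[ihl:total_len]  # total_len, not len(frame): Ethernet padding is not part of the datagram
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len < 8 or udp_len > len(udp):
        raise ValueError("bad UDP length")
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20])),
        "ttl": ip[8], "protocol": "UDP", "sport": sport, "dport": dport,
        "payload": udp[8:udp_len],
    }


# Constructed sample (not a real capture); addresses are from the documentation range 192.0.2.0/24.
SAMPLE_FRAME = build_udp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                               "192.0.2.10", "192.0.2.20", 5060, 5060, b"hello from user A")

if __name__ == "__main__":
    for k, v in decode_frame(SAMPLE_FRAME).items():
        print("%-8s %r" % (k, v))
```

Everything the decoder prints before `payload` is what the article calls the header; only the last field is the application's data. Note that the decoder trusts the IPv4 total length, not the frame length, to find the end of the datagram, which is why the Ethernet padding does not leak into the payload.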
Traffic between User A and User B can be monitored through a HUB by a third machine, User C, using a "receive-only" Ethernet cable.
On the HUB end of the cable, the port's TX pair is looped back into its own RX pair so that the HUB sees link pulses and brings the port up. Because a HUB repeats every frame it receives out every active port, everything passing through the HUB is now also sent out this port.
User C's receive pins are tapped onto that loop, so User C hears everything the HUB transmits; User C's transmit pins are not connected to anything.
Once the connections are made, User C receives every packet that flows through the HUB but cannot transmit anything towards it (no DHCP requests, no ARP requests, no replies of any kind).
The NIC on User C is placed in promiscuous mode so that it captures every incoming frame, not only those addressed to its own MAC.
A receive-only cable in this configuration allows packets to be captured passively without User C ever being an active participant on the network. It depends on the HUB repeating all traffic to all ports: on a switched network the same cable would see only broadcast and flooded frames, so a mirror (SPAN) port or a dedicated network TAP is needed there instead.
Network administrators can actively test for devices in promiscuous mode, monitor for DHCP and ARP requests, and review MAC tables to determine the presence of a packet analysis tool. All of those checks rely on the sniffing host sending something: a host that never transmits does not answer a probe, never asks for an address, and never appears in a MAC table, which is exactly what the receive-only cable guarantees.
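The usual active test for promiscuous NICs is an ARP probe (described by Daiji Sanai in 2001 and implemented, for example, in nmap's sniffer-detect script): an ARP request for the target's own IP is sent to a destination MAC such as ff:ff:ff:ff:ff:fe, which a NIC filtering in hardware discards but a promiscuous NIC passes up to the stack, which then answers. The following is an added example, not code from the article, that models that probe on a constructed four-host HUB segment so you can see both why it finds an ordinary sniffer and why it cannot find the receive-only tap. The hosts, MACs and IPs are invented; the NIC filter is simplified to "own unicast or broadcast" (no multicast groups); and the model assumes the stack answers any ARP request for its IP that reaches it, whatever the destination MAC was, which is the behaviour the probe relies on.

```python
"""Added example: model of the ARP probe for promiscuous NICs, and why a receive-only tap never answers it."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
# Probe address: not the target's MAC, not broadcast, not a joined multicast group, so a NIC that
# filters in hardware drops it; a NIC in promiscuous mode accepts everything and passes it up.
PROBE_DST = bytes.fromhex("fffffffffffe")
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4: htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa) -> bytes:
    body = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + body


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not a well-formed Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": frame[:6], "src": frame[6:12], "op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


@dataclass
class Host:
    name: str
    mac: bytes
    ip: bytes
    promiscuous: bool = False
    can_transmit: bool = True                  # False models User C's receive-only cable (TX pins unconnected)
    sent: list = field(default_factory=list)   # every frame this host ever put on the wire

    def nic_accepts(self, dst_mac: bytes) -> bool:
        """Simplified NIC receive filter (assumption: no multicast groups joined)."""
        return self.promiscuous or dst_mac == self.mac or dst_mac == BROADCAST

    def receive(self, frame: bytes):
        """Hand the frame to the stack if the NIC accepts it; return the ARP reply sent, if any."""
        arp = parse_arp(frame)
        if arp is None or not self.nic_accepts(arp["dst"]):
            return None
        # Assumption: the stack answers any ARP request for its own IP that reaches it, regardless
        # of the Ethernet destination MAC; a host with no TX path cannot get the reply onto the wire.
        if arp["op"] == 1 and arp["tpa"] == self.ip and self.can_transmit:
            reply = build_arp(arp["sha"], self.mac, 2, self.mac, self.ip, arp["sha"], arp["spa"])
            self.sent.append(reply)
            return reply
        return None


def hub_send(frame: bytes, hosts) -> list:
    """A HUB repeats every frame to every port; return the names of the hosts that replied."""
    return [h.name for h in hosts if h.receive(frame) is not None]


def probe_for_sniffers(prober_mac: bytes, prober_ip: bytes, hosts) -> list:
    """Ask each host for its own MAC, but address the request to PROBE_DST instead of broadcast."""
    found = []
    for target in hosts:
        probe = build_arp(PROBE_DST, prober_mac, 1, prober_mac, prober_ip, b"\x00" * 6, target.ip)
        if target.name in hub_send(probe, hosts):
            found.append(target.name)
    return found


def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


# Constructed segment (invented addresses): A and B are ordinary hosts, D runs a sniffer on a normal
# cable, C is the receive-only tap from the article (promiscuous NIC, nothing wired to its TX pins).
ADMIN_MAC, ADMIN_IP = bytes.fromhex("020000000001"), ip4("192.0.2.1")
LAN = [
    Host("A", bytes.fromhex("02000000000a"), ip4("192.0.2.10")),
    Host("B", bytes.fromhex("02000000000b"), ip4("192.0.2.11")),
    Host("D", bytes.fromhex("02000000000d"), ip4("192.0.2.13"), promiscuous=True),
    Host("C", bytes.fromhex("02000000000c"), ip4("192.0.2.12"), promiscuous=True, can_transmit=False),
]

if __name__ == "__main__":
    normal = build_arp(BROADCAST, ADMIN_MAC, 1, ADMIN_MAC, ADMIN_IP, b"\x00" * 6, LAN[0].ip)
    print("ordinary broadcast ARP for A is answered by:", hub_send(normal, LAN))
    print("probe reveals promiscuous hosts that can transmit:", probe_for_sniffers(ADMIN_MAC, ADMIN_IP, LAN))
    print("frames C ever sent:", len(LAN[3].sent))
```

Running it shows the ordinary sniffer D answering the probe while A and B stay silent, and C, despite having a promiscuous NIC and an address the probe targets, sending nothing at all. That is the whole point of the cable: the detection methods above work by provoking or observing transmissions, and there are none to observe.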