On a Linux or Unix environment, select the Wireshark or Ethereal entry in the desktop environment's menu, or run "wireshark" (or "ethereal") from a root shell in a terminal emulator.
Note that on Un*x systems, a non-GUI version of Wireshark called "tshark" (or "tethereal") may be available as well, but its use is beyond the scope of this document.
After starting Wireshark, do the following:
-Select Capture | Interfaces
-Select the interface on which packets need to be captured.
-If capture options need to be configured, click the Options button for the chosen interface. Note the following recommendations for traces that are to be analysed by Novell Technical Services:
Capture packet in promiscuous mode: This option allows the adapter to capture all traffic not just traffic destined for this workstation. It should be enabled.
Limit each packet to: Leave this option unset. Novell Support will always want to see full frames.
Filters: Generally, Novell Support prefers an unfiltered trace. For documentation on filters, please refer to TID 10084702 - How to configure a capture filter for Ethereal (formerly NOVL90720).
-Capture file(s): This allows a file to be specified to be used for the packet capture. By default Wireshark will use temporary files and memory to capture traffic. Specify a file for reliability.
-Use multiple files, Ring buffer with: These options should be used when Wireshark needs to be left running capturing data data for a long period of time. The number of files is configurable. When a file fills up, it it will wrap to the next file. The file name should be specified if the ring buffer is to be used.
-Stop capture after xxx packet(s) captured: Novell Technical Support would most likely never use this option. Leave disabled.
-Stop capture after xxx kilobyte(s) captured: Novell Technical Support would most likely never use this option. Leave disabled.
-Stop capture after xxx second(s): Novell Technical Support would most likely never use this option. Leave disabled.
-Update list of packets in real time: Disable this option if the problem that's being investigated is occuring on the same workstation as where Wireshark is running.
-Automatic scrolling in live capture: Wireshark will scroll the window so that the most current packet is displayed.
-Hide capture info dialog: Disable this option so that you can view the count of packets being captured for each protocol.
-Enable MAC name resolution: Wireshark contains a table to resolve MAC addresses to vendors. Leave enabled.
-Enable network name resolution: Wireshark will issue DNS queries to resolve IP host names. Also will attempt to resolve network network names for other protocols. Leave disabled.
-Enable transport name resolution: Wireshark will attempt to resolve transport names. Leave disabled.
Now click the Start button to start the capture.
Recreate the problem. The capture dialog should show the number of packets increasing. If not, then stop the capture. Examine the interface list and pick the one that is not associated with the WANIP. It will probably be a long alpha-numeric string. If packets are still not being captured, try removing any filters that have been defined.
Once the problem which is to be analysed has been reproduced, click on Stop. It might take a few seconds for Wireshark to display the packets captured.
If the destination address is always displayed as FFFFFFFF (IPX) or always ends in .255 (IP) then all that has been captured is broadcast traffic. This is a useless trace.
This usually occurs when another machine is being traced (to start the trace while the target machine is powered off, in order to capture the bootup process). The capture setup needs to be reconsidered - port mirroring on the switch may need to be set up, or a dumb hub may need to be used to make the traffic reach the sniffing system. (Some devices advertised as "hubs" are in fact switches that may have the intelligence to prevent the workstations from seeing each other's packets; with these, getting a good trace may not be possible)
Save the packet trace in any supported format. Just click on the File menu option and select Save As. By default Wireshark will save the packet trace in libpcap format. This is a filename with a.pcap extension. Use this default for files sent to Novell.
Create a trace_info.txt file with the IP and MAC address of the machines that are being traced as well as any pertinent information, such as: