Wireshark is good at showing me every packet that is sent or received over an interface.
But I'm really trying to find a way to monitor traffic on a machine. In other words, rather than seeing:
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE TCP 10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF TCP 10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE TCP 10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF TCP 10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE TCP 10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF TCP 10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE TCP 10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF TCP 10.0.0.12:80 => 10.0.0.11:32532
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE TCP 10.0.0.11:32532 => 10.0.0.12:80
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF TCP 10.0.0.12:80 => 10.0.0.11:32532
I would want to see:
00-03-FF-54-D8-DF => 00-03-FF-54-D8-DE TCP 10.0.0.11:32532 => 10.0.0.12:80 5
00-03-FF-54-D8-DE => 00-03-FF-54-D8-DF TCP 10.0.0.12:80 => 10.0.0.11:32532 5
And if possible, even more advanced logic:
Listen MAC        Listen Addr     Source MAC        Source Addr     Proto In Out
================= ============    ================= =============== ===== == ===
00-03-FF-54-D8-DE 10.0.0.12:80 <= 00-03-FF-54-D8-DF 10.0.0.11:32532 TCP    5   5
00-03-FF-54-D8-DE 10.0.0.12:80 <= 00-03-FF-54-D8-D3 10.0.0.42:53213 TCP    5   5
In other words, aggregation and grouping.
How can I use Wireshark to monitor traffic, rather than capture packets?
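The grouping the question describes (fold per-packet records into one row per listener/peer pair with In/Out counts) is straightforward to do yourself on Wireshark's own export. This is an added example, not code from the post or from Wireshark; it assumes input in the tab-separated field format that `tshark -T fields` emits, and the sample lines are constructed to mirror the question's flows.

```python
"""Aggregate per-packet records into per-listener In/Out counts.
Assumed input: one packet per line, tab-separated, as produced by
  tshark -T fields -e eth.src -e eth.dst -e ip.src -e ip.dst \
         -e tcp.srcport -e tcp.dstport -e ip.proto
"""
from collections import defaultdict

PROTO_NAMES = {6: "TCP", 17: "UDP"}

# Constructed sample: 5 packets each way for two client->server conversations.
SAMPLE = []
for cmac, cip, cport in (("00:03:ff:54:d8:df", "10.0.0.11", 32532),
                         ("00:03:ff:54:d8:d3", "10.0.0.42", 53213)):
    for _ in range(5):
        SAMPLE.append(f"{cmac}\t00:03:ff:54:d8:de\t{cip}\t10.0.0.12\t{cport}\t80\t6")
        SAMPLE.append(f"00:03:ff:54:d8:de\t{cmac}\t10.0.0.12\t{cip}\t80\t{cport}\t6")


def aggregate(lines):
    """Return {(listen_mac, listen_addr, src_mac, src_addr, proto): [in, out]}.
    The listener is taken to be the endpoint with the lower port number.
    This is a heuristic (ephemeral client ports are normally high); when
    both ports are equal the destination is treated as the listener."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        smac, dmac, sip, dip, sport, dport, proto = line.rstrip("\n").split("\t")
        sport, dport = int(sport), int(dport)
        name = PROTO_NAMES.get(int(proto), proto)
        src = (smac.upper().replace(":", "-"), f"{sip}:{sport}")
        dst = (dmac.upper().replace(":", "-"), f"{dip}:{dport}")
        if dport <= sport:  # packet travelling towards the listener: In
            counts[dst + src + (name,)][0] += 1
        else:               # packet leaving the listener: Out
            counts[src + dst + (name,)][1] += 1
    return dict(counts)


def render(table):
    """Lay the aggregate out in the column format from the question."""
    rows = [f"{'Listen MAC':17} {'Listen Addr':15}    {'Source MAC':17} "
            f"{'Source Addr':15} Proto In Out",
            f"{'=' * 17} {'=' * 12}    {'=' * 17} {'=' * 15} ===== == ==="]
    for (lmac, laddr, smac, saddr, proto), (i, o) in sorted(table.items()):
        rows.append(f"{lmac:17} {laddr:15} <= {smac:17} {saddr:15} {proto:5} {i:2} {o:3}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(aggregate(SAMPLE)))
```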
Best Answer
Wireshark is a terrific program, but there are other freeware and open source alternatives that may be somewhat easier to use. My current favourites are Microsoft Network Monitor and SmartSniff.
Using SmartSniff in summary mode should provide the information you want. Options > Advanced Options > Summary mode: enable; Options > Advanced Options > Retrieve process information: enable; Options > Resolve IP Addresses: enable.