Wireshark – how to capture relevant data

  1. Clear ARP cache
  2. Clear NETBIOS name cache (nbtstat -R)
  3. Clear DNS resolver cache (ipconfig /flushdns)
  4. Close open sockets relating to the application in question. Find the
     process that owns the port (the PID is the last column of the netstat -ano
     output), then kill that process in Task Manager or with taskkill:
    netstat -ano | find "port number"
    taskkill -PID "PID"

    C:\Users\Administrator>netstat -ano | find "55060"
      TCP    127.0.0.1:55059        127.0.0.1:55060        ESTABLISHED     16176
      TCP    127.0.0.1:55060        127.0.0.1:55059        ESTABLISHED     16176
    C:\Users\Administrator>taskkill -PID 16176
    
  5. Clear the browser cache (if the issue is related to a web browser)

Linux – Console Traffic Monitor

Sometimes when working from the console I need to have a look at the IP traffic. In those situations I use a handy tool called iptraf.
To install it, run

yum install iptraf-ng #rpm based distros

or

apt-get install iptraf #Debian based distros

iptraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
If the iptraf command is issued without any command-line options, the program comes up in interactive mode, with the various facilities accessed through the main menu:

[screenshots of the iptraf main menu]

Linux – How to check/enable promiscuous mode

Many, if not all, network traffic capture utilities require that the network adapter have promiscuous mode enabled, so that it passes up every frame it sees on the wire rather than only those addressed to it.

To check whether promiscuous mode is on, run:

netstat -i
Kernel Interface table
Iface MTU  RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0  9001 9095  0      0      0      10367 0       0     0      BMRU

Look at the Flg column: if the P flag is missing, promiscuous mode is not enabled. With iproute2, ip link show eth0 lists PROMISC among the interface flags when the mode is on.

To enable it, run:

ifconfig eth0 promisc

or

ip link set eth0 promisc on
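The check-and-enable procedure above, as an added shell example that is not part of the original notes. It parses the Flg column of `netstat -i` output for the P flag (the sample table is constructed to mirror the one on the page, with an extra interface already in promiscuous mode and the loopback device), cross-checks against the PROMISC flag that iproute2 reports, and enables the mode only when it is off. The interface names and counters in the sample are made up.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the Flg column of
# `netstat -i` output for the P (promiscuous) flag, cross-check against the
# PROMISC flag reported by iproute2, and enable the mode only when it is off.
# SAMPLE_NETSTAT is constructed to mirror the table on the page, with an
# extra interface (eth1) already in promiscuous mode and the loopback device.

SAMPLE_NETSTAT='Kernel Interface table
Iface   MTU   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    9001  9095  0      0      0      10367 0      0      0      BMRU
eth1    1500  120   0      0      0      45    0      0      0      BMPRU
lo      65536 10    0      0      0      10    0      0      0      LRU'

# Print the Flg field of one interface; netstat -i output is read from stdin.
# Exits 1 when the interface is not in the table.
iface_flags() {
    awk -v want="$1" '
        NR > 2 && $1 == want { print $NF; found = 1 }
        END { exit !found }'
}

# Exit 0 if the interface's Flg column contains P, 1 otherwise.
is_promisc() {
    flags=$(iface_flags "$1") || return 1
    case "$flags" in
        *P*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print every interface whose Flg column contains P, one per line.
list_promisc() {
    awk 'NR > 2 && $NF ~ /P/ { print $1 }'
}

# Live check against the running kernel (iproute2): PROMISC appears in the
# <...> flag list of `ip link show` when the mode is on.
live_is_promisc() {
    ip -o link show dev "$1" 2>/dev/null | grep -q 'PROMISC'
}

# Turn promiscuous mode on only if it is currently off (needs root).
ensure_promisc() {
    if live_is_promisc "$1"; then
        echo "$1: promiscuous mode already on"
    else
        ip link set dev "$1" promisc on && echo "$1: promiscuous mode enabled"
    fi
}

# Demonstration against the constructed sample: prints "eth1".
printf '%s\n' "$SAMPLE_NETSTAT" | list_promisc
# Against the live system: netstat -i | list_promisc   or   ensure_promisc eth0
```

On a live host, pipe `netstat -i` into `list_promisc` to see which adapters are sniffing, which is also a quick way to spot an unexpected capture tool on a machine that should not be running one.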