Network Packet Analysis with Wireshark: Can It Monitor Traffic Between Separate Devices?


2 views

Wireshark operates at the network interface level of the host machine where it's installed. When running on Computer A, it can only capture:

  • Traffic sent/received by Computer A itself
  • Broadcast traffic on the local network segment
  • Multicast traffic that Computer A is subscribed to

To monitor Computer B's YouTube traffic from Computer A, you would need:

// Example network topology where monitoring would fail
Computer A (Wireshark) ---- Switch ---- Computer B (YouTube)

Key reasons why this won't work by default:

  • Modern switches implement port-based isolation (unlike old hubs)
  • Lack of promiscuous mode access to Computer B's traffic
  • Encrypted HTTPS traffic prevents content inspection anyway

If you truly need to monitor Computer B's traffic, consider:

// ARP spoofing example (requires admin privileges)
# sudo arpspoof -i eth0 -t 192.168.1.2 192.168.1.1
// Then run Wireshark on the same interface

Important legal and ethical considerations:

  • Always obtain proper authorization
  • Many corporate networks detect and block ARP spoofing
  • HTTPS still prevents content inspection without MITM certs

For legitimate monitoring needs:

// Configure port mirroring on managed switches
Switch(config)# monitor session 1 source interface gi1/0/2
Switch(config)# monitor session 1 destination interface gi1/0/24

Or install Wireshark directly on the target machine when permitted.

Here's what you can effectively do with Wireshark on Computer A:

// Capture filter for YouTube traffic from current machine
(ip.src == 192.168.1.100 || ip.dst == 192.168.1.100) && tcp.port == 443

// Display filter for YouTube domains
tls.handshake.extensions_server_name contains "youtube"

This lets you analyze metadata like:

  • DNS queries to youtube.com
  • Connection timing and packet sizes
  • TCP performance metrics

Wireshark operates at the network interface level of the host machine where it's installed. When running on Computer A, it can only capture traffic that physically passes through Computer A's network interfaces. This includes:

# Example tshark command to list available interfaces
tshark -D
# Output shows only local interfaces like:
1. eth0
2. wlan0
3. any (Pseudo-device)

In standard configurations without special network hardware, Wireshark on Computer A cannot directly observe Computer B's YouTube traffic. The visibility depends entirely on the network architecture:

  • Same broadcast domain (e.g., hub-based network): Possible to see some traffic
  • Switched network: Requires port mirroring or ARP spoofing
  • Separate networks: Virtually impossible without gateway access

There are specific cases where Computer A could potentially monitor Computer B's traffic:

# Example ARP spoofing setup (requires admin privileges)
arpspoof -i eth0 -t 192.168.1.100 192.168.1.1
# Where:
# - 192.168.1.100 is Computer B
# - 192.168.1.1 is the gateway
# Must enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

If you genuinely need to monitor traffic between devices, consider these professional solutions:

# Using port mirroring on Cisco switches:
monitor session 1 source interface FastEthernet0/2
monitor session 1 destination interface FastEthernet0/1
# Where FastEthernet0/2 is Computer B's port

Monitoring others' network traffic without explicit authorization violates privacy laws in most jurisdictions (e.g., Computer Fraud and Abuse Act in US, GDPR in EU). Always obtain proper permissions before attempting any network monitoring.