Learning Python Network Programming

(Sean Pound) #1

Working with Wireshark


If you're not sure which interface is your Internet interface, then click on the
Interface List button above the Start button to bring up the window, as shown
in the following screenshot:


On the right side of the dialog box, you can see live counts of the number
of packets that have passed through each of the interfaces since we opened the
window. You can generate some Internet traffic by browsing a website if there's
not much happening. The interface with the fastest rising packet count will be the
Internet interface (ignore the 'any' interface on Linux). Make a note of the interface's
name and close the window.


Network interfaces can capture packets in one of two modes: promiscuous mode
and non-promiscuous mode. In promiscuous mode, the interface will pass all
traffic that it receives on to the sniffer, even if it is traffic that is not destined for our
computer. In non-promiscuous mode, the interface filters out any traffic that is not
for our computer. Unless you have a very specific reason to, it's usually best to run
in non-promiscuous mode, as this reduces the amount of extraneous traffic we need
to filter manually. Wireshark enables promiscuous mode by default. To disable it, go
into Capture | Options... and ensure 'Use promiscuous mode on all interfaces' is
unticked. Then check the 'Prom Mode' column in the interfaces list at the top of the
options window, and ensure it says disabled for the interfaces you're capturing on.
When done, close the options window to return to the main screen.
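The two checks described above, done outside the Wireshark GUI on Linux, as an added example that is not from the book: it finds the interface whose packet count rises fastest and tests the promiscuous bit of an interface's flags. It assumes the Linux /proc/net/dev layout and the hex flags value in /sys/class/net/<iface>/flags; the function names and the sample counter and flag values are constructed for illustration.

```python
IFF_PROMISC = 0x100  # promiscuous-mode bit in the Linux interface flags word

# Constructed samples in /proc/net/dev format, as if read a few seconds apart.
HEADER = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
"""
SAMPLE_BEFORE = HEADER + """\
    lo:   52000     400    0    0    0     0          0         0    52000     400    0    0    0     0       0          0
  eth0: 9100000   12000    0    0    0     0          0         0   810000    7000    0    0    0     0       0          0
 wlan0:   64000     310    0    0    0     0          0         0    12000     120    0    0    0     0       0          0
"""
SAMPLE_AFTER = HEADER + """\
    lo:   52520     404    0    0    0     0          0         0    52520     404    0    0    0     0       0          0
  eth0: 9900000   12850    0    0    0     0          0         0   860000    7420    0    0    0     0       0          0
 wlan0:   64400     312    0    0    0     0          0         0    12100     121    0    0    0     0       0          0
"""


def packet_counts(proc_net_dev):
    """Return {interface: rx_packets + tx_packets} parsed from /proc/net/dev text."""
    counts = {}
    for line in proc_net_dev.splitlines()[2:]:  # the first two lines are headers
        name, sep, stats = line.partition(":")
        fields = stats.split()
        if not sep or len(fields) < 10:
            continue  # skip blank or malformed lines
        # fields[1] is received packets, fields[9] is transmitted packets
        counts[name.strip()] = int(fields[1]) + int(fields[9])
    return counts


def busiest_interface(before, after, ignore=("lo", "any")):
    """Name of the interface whose packet count grew most between two samples."""
    first, second = packet_counts(before), packet_counts(after)
    deltas = {n: second[n] - first[n]
              for n in second if n in first and n not in ignore}
    return max(deltas, key=deltas.get) if deltas else None


def is_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


if __name__ == "__main__":
    print("busiest interface:", busiest_interface(SAMPLE_BEFORE, SAMPLE_AFTER))
    # Constructed flags: 0x1003 is UP|BROADCAST|MULTICAST, 0x1103 adds PROMISC.
    for flags in ("0x1003", "0x1103"):
        print(flags, "promiscuous" if is_promiscuous(flags) else "non-promiscuous")
```

On a live Linux host, pass the text of /proc/net/dev read twice a few seconds apart, and the content of the chosen interface's flags file, in place of the constructed samples.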


Select your Internet interface from the interface list, which is below the Start button
on the main screen, and click on Start to begin a capture. After a moment or two, we
should see some packets coming in:
