Inspecting the traffic with Wireshark

Wireshark is an open source network packet analyzer. It can be used to sniff the network traffic between emulated nodes and/or the host network interface.

Renode uses the libpcap format to provide data to Wireshark.

Logging the whole traffic

To log the network traffic to Wireshark, you must decide if you want to focus on the wireless or ethernet network.

This limitation is inherent to the libpcap format, but in reality it is rarely a concern.

To log all traffic transferred over the wired network, run:

(monitor) emulation LogEthernetTraffic

This creates a new object available in the emulation: host.wireshark-allEthernetTraffic.

The Wireshark window will open automatically when the first Switch object becomes available.

You can start it manually (e.g. after you close the Wireshark window) with:

(monitor) host.wireshark-allEthernetTraffic Run

Similarly, to log the traffic of a BLE or IEEE802_15_4 network, run:

(monitor) emulation LogIEEE802_15_4Traffic


(monitor) emulation LogBLETraffic


This command creates a new host.wireshark-allWirelessTraffic object.

Observing a specific interface

Renode allows you to inspect the traffic of a specific switch or wireless medium. You can also limit the observation to a specific interface connected to that switch or medium.

To enable logging on a switch object, run:

(monitor) emulation LogToWireshark switch

To observe only the sysbus.ethernet interface connected to switch, run:

(machine-0) emulation LogToWireshark switch sysbus.ethernet

The names of Wireshark objects created depend on the machine name, the switch name and the interface name. In the above case Renode creates an object named host.wireshark-switch-machine-0-sysbus-ethernet.

Last update: 2023-12-01