I did a capture on a hub with a winXP WS1.6.2 machine (not the source or destination) of PING's from several machines/IP's to a machine with [email protected] 10.22.249.47 (this machne being on the hub as well, with the same speed). In the capture I see the ICMP Echo Requests, but the replies are missing although the replies do come back to the source. When I do the same capture on Win7 I do see the replies. I used a different software on winXP (commview) and the replies were also missing there. Is this a strange winXP bug or a Winpcap bug or a wireshark bug? Any hints in solving this are appreciated. IP address/Mac of the destination is 10.22.249.47/0050.6000.9d1e. When pinging 10.22.249.46/0050.6000.eca4 the replies were seen by the capture. asked 04 May '12, 01:58 PeteA showing 5 of 7 show 2 more comments |
I once had a strange issue - not just the same you describe, but kind of... Did you try completely disabling windows firewall before starting wireshark? Plus be sure to disable all associated protocols on the NIC (properties), like TCP/IP, win file share etc. while you are capturing data. Second, although might be strange - try changing your NICs driver, that helped back in my mystery case - don't ask why...
sounds like one of these problems:
1.) You used a capture filter that filtered replys (usually, if you use 'src' or 'dst' instead of 'host').
2.) You might have a problem with your NIC driver
3.) You might have "adapter teaming" in place (two nics combined as one logical) and you sniffed only on one of the physical interfaces, instead of the combined "teaming adapter".
4.) There is some software on the client, that prevents Wireshark to see the reply. This would be strange, as the OS sees the reply, but I have seen similar things in the past (firewalls, VPN, WAN accel).
Regards
Kurt
Also, please check the link speed and duplex settings when you connect the WinXP machine to the hub (device manager should show that information for the interface). If the duplex setting is half-duplex, I have seen strange effects during sniffing as well.
What strange effects do you see in half-duplex if the card is only capturing data? Especially since the scenario here is involving a hub
Unfortunately I can't remember all the details and when I saw it I could not understand where the problem came from. After switching the monitoring system to full duplex, the problems were gone. Maybe that config change, fixed a different problem (possibly a driver problem). As I said, I can't remember the exact details of that case but I'll try to find it in my docs.
It's just another idea and easy to check.
However, I would first check the 4 items I mentioned, before checking the shallows of "networking voodoo" ;-)
Well I was asking because if connected to a hub I'd expect every device to operate in half-duplex, since thats what a hub can do. Forcing the card to FDX won't help here
oops, you're right. PeteA mentioned a hub. Sorry, somehow I over-looked that. Forget what I said! Anyway, I'll try to find that case, as I'm interested now to figure out what was causing my problems back then. Never mind...