This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Insensitive network tap or wireshark 1.6.7 dropping packets?

0

I have a Datacom Systems Singlestream 10/100 Link Aggregation tap (http://www.datacomsystems.com/datasheets/SS-100.pdf) between my LAN and my WAN router. I should be seeing all traffic to/from this site's network on a laptop connected to one of the monitor ports on the tap. I have Wireshark 1.6.7 running on the laptop.

I am unable to see full traffic between a couple of devices on the LAN going to remote destinations across the WAN. For example, there are a couple of timeclocks that report to a public internet address. I see the SYN go out but no SYN/ACK coming back and then I see the ACK go back out and then a POST command and then two FIN/ACKs outbound to close the connection. I don't see any return traffic originating from the external public IP address. The transactions are using TCP.

I can ping the timeclocks and see the traffic in the packet capture but if I SSH to the timeclock I do not see that traffic captured. If I ping from the timeclock out, I can see that traffic from the timeclock AND I can see the return traffic. But Wireshark does not see anything when telnetting FROM the timeclock to a host on the WAN. The telnet session works fine so I know the traffic is going across the WAN link - AND THERE IS ONLY ONE WAY IN/OUT of this site's network.

NOTE: the only capture filter on the client is to capture traffic NOT for local MAC address - I don't want it to capture my RDP or VNC session traffic or any other traffic to/from the laptop.

I don't think that these timeclocks are using any kind of VPN tunnel or anything to get access to the network but I'm not sure how to confirm that by looking at the network traffic since the MAC addresses are changed during the pkt transfer between the LAN switch and the WAN router. But I still should see any tunnel traffic as using the local LAN IP as the tunnel source since there is only one IPv4 address on the system.

I am really at a loss of how to find out what traffic there is between the timeclocks and the WAN. I have only one network tap at this site and it is in service between the WAN router & LAN switch - so removing it would take the site offline for a while. I suppose I could mirror the timeclock LAN port to another port but I would need another NIC in the wireshark system to view the traffic (I am remote to this network).

Any ideas?

Thanks for the help!

====

Laptop has only one nic - the wireless nic is disabled. The tap specified above has an aggregation port that also permits network injection so that is how I am remotely reaching the laptop & doing capture at the same time.

For this site there should be no encapsulation between the LAN & WAN as there are no VLANs defined at the WAN router. The LAN switch does all of the layer 3 work for local services. Silly question alert - how do I display filter for 801.1Q traffic? <- google search in progress ;)

There is a McAfee firewall installed on the laptop but wireshark is a permitted application. None of the other specified interfering programs are installed/active on the laptop.

This is the first time using this laptop for capture. Remote site set it up for me.

asked 17 May '12, 08:21

Labnuke's gravatar image

Labnuke
61449
accept rate: 0%

edited 17 May '12, 09:40

btw - all captured packets do not have any VLAN data included. Ran display filter "vlan" no packets were shown.

(17 May '12, 12:28) Labnuke

VLAN tags are usually stripped by NICs, so they may have been on the wire, just not in your trace file. See http://wiki.wireshark.org/CaptureSetup/VLAN for more info on that subject :-)

(17 May '12, 15:04) SYN-bit ♦♦

2 Answers:

0

I assume your laptop has 2 NICs, one for management (RDP/VNC/etc) and one for capturing (atatched to the TAP). Then it is not necessary to use your mac-capture filter, as your management traffic will not be visible on the capture interface.

Does the capture interface of your laptop make correct traces in other setups (span ports, hubs, etc)?

Are you running any interfering software like VPN, Host based FW, etc?

Is traffic between the LAN and WAN router using some form of encapsulation? 801.1Q vlan tagging for instance? Is so, which traffic is untagged and which traffic is tagged? Does your laptop capture vlan-tagged frames in other situations?

answered 17 May '12, 09:19

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

0

There is a McAfee firewall installed on the laptop but wireshark is a permitted application.

As you do see ICMP traffic (ping time servers) but there are problems with TCP traffic (ssh, telnet), I suspect the McAfee firewall might still interfere with wireshark, although it is a "permitted application". I have seen similar problems with all kinds of Desktop firewalls - not necessarily together with Wireshark. Never trust them if their configuration says, that network access won't be blocked ;-).

Please try to disable McAfee completely, OR boot your Laptop from a Linux Bootable CDROM (or USB flash drive). If you can see TCP traffic afterwards, you know who is resonsible for the problems ;-)

If it's still the same problem, there might be something wrong with your TAP setup (cabling) or the TAP itself. Test the TAP in front on another PC on your network.

Regards
Kurt

answered 17 May '12, 14:47

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

The timeclocks are being changed out. When the replacement clocks arrive I will do additional testing. Thank you for the feedback.

(21 May '12, 05:03) Labnuke