All I want to do is capture an ftp transaction on a private system. Strictly debug. I have a very straightforward setup: laptop -> laptop's ethernet -> hub device running ftp client -> same hub device running the ftp server -> same hub. My laptop is a Dell XPS1530 running Windows 7 64bit, Wireshark 1.8.2. I'm using the built in ethernet port as well as another usb to ethernet adaptor (connected to another network). I've also disabled the laptop firewall completely. The device running the ftp server transmits a periodic udp packet - these I see. However, nothing I do generates any other ethernet traffic. I would expect to see something when my windows ce device attempts to access the server. And I know it's generating tcp traffic. Nothing. Any hints as to what I'm doing wrong? I'm using the default setup, and I've used wireshark when it was ethereal with good and expected behavior. Not this time...

asked 29 Oct '12, 11:39 Charles G
3 Answers:
So I'm assuming your setup has a hub into which:
are all plugged? If so, are you certain the hub really is a dumb hub rather than a switch? See, for example, the hub reference on the Wireshark Wiki - and note also its note about dual-speed hubs. This sounds suspiciously like a switch - the periodic UDP packets might be broadcasts, which would be sent to all ports on a switch, but unicast packets, such as TCP segments, would only be sent to the port corresponding to the destination MAC address of the packet.

answered 29 Oct '12, 16:51 Guy Harris ♦♦

Guy, All good points, yes, they are all plugged in. All network connections have IP addresses from the dhcp server. The hub comment is a good point - the ethernet chip is in an embedded system, so I'll have to check with the h/w engineer. We're not dealing with an external device. Dual speed - they are all at 100, but I had not been aware of this. thanks (30 Oct '12, 04:57) Charles G
Assuming that you can connect to the FTP server that sounds like a problem with the capture side of Wireshark. A few ideas:
Good hunting!

answered 30 Oct '12, 01:34 packethunter

packethunter - my thoughts as well. 1) promiscuous - yes 2) sc query npf comes back with info, no errors. 3) disk space - no offense taken. Yes, plenty. 4) dumpcap - that I will have to try. (30 Oct '12, 05:01) Charles G
'hub device'? Are you sure this is a 'true' hub and not a 'switching hub' (often printed on the backside of the product)? If it's a switching hub (actually a switch), you will only see broadcast traffic, unless you configure port mirroring. What kind of traffic do you see, if you capture on that 'hub'? Is it just ARP traffic and traffic to the broadcast addresses (ethernet broadcast: FF:FF:FF:FF:FF:FF and/or IP broadcast: x.x.x.255/24 or x.x.255.255/16)? If so, the 'hub' is actually a switch and you need to replace it with a managed switch, that is able to do port mirroring (or with a real hub, or with a TAP).
Regards

answered 30 Oct '12, 05:31 Kurt Knochner ♦ edited 30 Oct '12, 05:35

And the answer is... after working with it for 7 years... wait for it... and being told again and again and again it's a hub... yes folks, it's a switch. doh! Okay off to learn about mirroring. (30 Oct '12, 06:45) Charles G

;-) (30 Oct '12, 09:46) Kurt Knochner ♦

Don't feel bad, it can happen... but you might want to accept Guy's answer because he was the first to hint about this :-) (30 Oct '12, 09:57) Jasper ♦♦

yeah, but the h/w guy has been calling it a hub for a long time. Even when I said, "Is it a hub or a switch?" (30 Oct '12, 11:24) Charles G

Plenty of people use "hub" for small switches - after all, a "switch" is one of those big boxes that fits in a rack in the machine room, this is just a small box with 4 ports that you can put on a desk, so it's a hub, right? :-) You should tell the HW person that, even if the manufacturer of the box calls it a hub, it's really a switch, and explain what the distinction between a hub and a switch really is and why it's important in some cases (such as this case). Perhaps he'll tell his friends and co-workers, and eventually people will start using the terms more clearly.... (30 Oct '12, 11:53) Guy Harris ♦♦

<fun> (30 Oct '12, 12:10) Kurt Knochner ♦
Does this also happen when you only use the built in ethernet port and disconnect the USB adapter? Windows sometimes has a funny way of using network adapters you would not expect to be used...
That's a great suggestion, never underestimate Windows to help you. I removed the USB, still nothing.
Now I did notice that somehow I had accumulated a number of entries in the capture filter. Removed them, still nothing. I need to do some more reading.
Okay, eBay to the rescue. I now have an OFFICIAL hub from Netgear. Those suckers are hard to find. Lo and behold, I see TCP traffic now.
Thanks for all the help.
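
The check from Kurt Knochner's answer (only ARP and broadcast traffic visible means the 'hub' is really a switch), as an added example that is not part of the original thread. It assumes the capture was saved in classic pcap format (not pcapng) with Ethernet link type; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # usec / nsec, LE
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # usec / nsec, BE

def read_frames(pcap):
    """Yield each captured Ethernet frame from classic pcap bytes (not pcapng)."""
    endian = MAGIC.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    pos = 24                                  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        yield pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def classify_port(pcap, my_mac):
    """Count frames by destination type and guess what the capture port is on."""
    counts = {"broadcast": 0, "multicast": 0, "mine": 0, "foreign_unicast": 0}
    for frame in read_frames(pcap):
        if len(frame) < 14:
            continue                          # no complete Ethernet header
        dst, src = frame[:6], frame[6:12]
        if dst == b"\xff" * 6:
            counts["broadcast"] += 1
        elif dst[0] & 1:                      # group bit set: multicast
            counts["multicast"] += 1
        elif my_mac in (dst, src):            # traffic to or from this host
            counts["mine"] += 1
        else:                                 # unicast between two other hosts
            counts["foreign_unicast"] += 1
    if not any(counts.values()):
        return counts, "no frames captured"
    verdict = "hub, mirror port or TAP" if counts["foreign_unicast"] else "switch"
    return counts, verdict

def build_pcap(frames):
    """Constructed sample input: wrap raw frames in a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed MAC addresses and frames (Ethernet header plus zero padding only).
ME, CLIENT, SERVER = b"\x02\0\0\0\0\x01", b"\x02\0\0\0\0\x02", b"\x02\0\0\0\0\x03"
BCAST_UDP = b"\xff" * 6 + SERVER + b"\x08\x00" + bytes(46)   # periodic broadcast
FTP_TCP = SERVER + CLIENT + b"\x08\x00" + bytes(46)          # client -> server
ON_SWITCH = build_pcap([BCAST_UDP] * 3)                      # what a switch port sees
ON_HUB = build_pcap([BCAST_UDP] * 3 + [FTP_TCP] * 2)         # what a hub port sees
```

A switch floods unicast frames whose destination MAC it has not yet learned, so a handful of `foreign_unicast` frames at the start of a capture does not by itself prove the device is a hub.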