This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

No TCP traffic captured? Diagnosing?

0

All I want to do is capture an ftp transaction on a private system. Strictly debug. I have a very straightforward setup:

laptop -> laptop's ethernet -> hub device running ftp client -> same hub device running the ftp server -> same hub.

My laptop is a Dell XPS1530 running Windows 7 64bit, Wireshark 1.8.2. I'm using the built in ethernet port as well as another usb to ethernet adaptor (connected to another network). I've also disabled the laptop firewall completely.

The device running the ftp server transmits a periodic udp packet - these I see. However, nothing I do generates any other ethernet traffic. I would expect to see something when my windows ce device attempts to access the server. And I know it's generating tcp traffic.

Nothing.

Any hints as to what I'm doing wrong? I'm using the default setup, and I've used wireshark when it was ethereal with good and expected behavior. Not this time...

asked 29 Oct '12, 11:39

Charles G

Does this also happen when you only use the built in ethernet port and disconnect the USB adapter? Windows sometimes has a funny way of using network adapters you would not expect to be used...

(29 Oct '12, 11:49) Jasper ♦♦

That's a great suggestion, never underestimate Windows to help you. I removed the USB, still nothing.

Now I did notice that somehow I had accumulated a number of entries in the capture filter. Removed them, still nothing. I need to do some more reading.

(29 Oct '12, 13:31) Charles G

Okay, ebay to the rescue. I now have an OFFICIAL hub from netgear. Those suckers are hard to find. Lo and behold, I see TCP traffic now.

Thanks for all the help.

(02 Nov '12, 07:23) Charles G

3 Answers:

1

So I'm assuming your setup has a hub into which:

  • your laptop's Ethernet adapter;
  • the FTP client machine;
  • the FTP server machine

are all plugged? If so, are you certain the hub really is a dumb hub rather than a switch? See, for example, the hub reference on the Wireshark Wiki - and note also its note about dual-speed hubs. This sounds suspiciously like a switch - the periodic UDP packets might be broadcasts, which would be sent to all ports on a switch, but unicast packets, such as TCP segments, would only be sent to the port corresponding to the destination MAC address of the packet.

answered 29 Oct '12, 16:51

Guy Harris ♦♦

Guy,

All good points, yes, they are all plugged in. All network connections have IP addresses from the dhcp server. The hub comment is a good point - the ethernet chip is in an embedded system, so I'll have to check with the h/w engineer. We're not dealing with an external device.

Dual speed - they are all at 100, but I had not been aware of this.

thanks

(30 Oct '12, 04:57) Charles G

1

Assuming that you can connect to the FTP server that sounds like a problem with the capture side of Wireshark.

A few ideas:

  1. Are you capturing in promiscuous mode? (Verify with Capture -> Options -> [interface])
  2. Is the WinPcap Driver properly installed and running with admin/system rights? Try sc query npf on the command line.
  3. Do you have enough disk space? (I know, it sounds stupid. Apologies if the question offends you. Please check anyway)
  4. Are the TCP packets recorded if you run dumpcap on the command line?

Good hunting!

answered 30 Oct '12, 01:34

packethunter

packethunter - my thoughts as well.

1) promiscuous - yes 2) sc query npf comes back with info, no errors. 3) disk space - no offense taken. Yes, plenty. 4) dumpcap - that I will have to try.

(30 Oct '12, 05:01) Charles G

0

hub device running ftp client

'hub device'?

Are you sure this is a 'true' hub and not a 'switching hub' (often printed on the backside of the product)? If it's a switching hub (actually a switch), you will only see broadcast traffic, unless you configure port mirroring.

What kind of traffic do you see, if you capture on that 'hub'?

Is it just ARP traffic and traffic to the broadcast addresses (ethernet broadcast: FF:FF:FF:FF:FF:FF and/or IP broadcast: x.x.x.255/24 or x.x.255.255/16)?

If so, the 'hub' is actually a switch and you need to replace it with a managed switch, that is able to do port mirroring (or with a real hub, or with a TAP).

http://wiki.wireshark.org/CaptureSetup/Ethernet

Regards
Kurt

answered 30 Oct '12, 05:31

Kurt Knochner ♦

edited 30 Oct '12, 05:35

2

And the answer is... after working with it for 7 years... wait for it... and being told again and again and again it's a hub... yes folks, it's a switch. doh!

Okay off to learn about mirroring.

(30 Oct '12, 06:45) Charles G
1

yes folks, it's a switch. doh!

;-)

(30 Oct '12, 09:46) Kurt Knochner ♦
1

Don't feel bad, it can happen... but you might want to accept Guy's answer because he was the first to hint about this :-)

(30 Oct '12, 09:57) Jasper ♦♦

yeah, but the h/w guy has been calling it a hub for a long time. Even when I said, "Is it a hub or a switch?"

(30 Oct '12, 11:24) Charles G

Plenty of people use "hub" for small switches - after all, a "switch" is one of those big boxes that fits in a rack in the machine room, this is just a small box with 4 ports that you can put on a desk, so it's a hub, right? :-) You should tell the HW person that, even if the manufacturer of the box calls it a hub, it's really a switch, and explain what the distinction between a hub and a switch really is and why it's important in some cases (such as this case). Perhaps he'll tell his friends and co-workers, and eventually people will start using the terms more clearly....

(30 Oct '12, 11:53) Guy Harris ♦♦

yeah, but the h/w guy has been calling it a hub for a long time. Even when I said, "Is it a hub or a switch?"

<fun>
If that's the case, your HW guy might need an update training on the latest network technologies ;-) Please ask him to follow this Q&A site. There is a lot to learn.
</fun>

(30 Oct '12, 12:10) Kurt Knochner ♦
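
The check that Guy Harris's and Kurt Knochner's answers describe (does the capture hold only broadcast/multicast frames, or also unicast between other hosts?), as an added example that is not part of the original thread. The function names, verdict labels, MAC addresses and sample frames are constructed for illustration; the parser handles classic pcap files only, not pcapng.

```python
import struct
from collections import Counter

def read_pcap(data):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic Ethernet pcap (LINKTYPE 1)")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(pcap_bytes, own_mac):
    """Count frames by destination type as seen from the capturing port."""
    seen = Counter()
    for frame in read_pcap(pcap_bytes):
        if len(frame) < 14:
            continue                      # truncated Ethernet header
        dst, src = frame[:6], frame[6:12]
        if dst == b"\xff" * 6:
            seen["broadcast"] += 1
        elif dst[0] & 0x01:               # I/G bit set: multicast
            seen["multicast"] += 1
        elif own_mac in (dst, src):
            seen["own_unicast"] += 1
        else:
            seen["foreign_unicast"] += 1  # only visible via hub, mirror port or TAP
    return seen

def verdict(seen):
    if seen["foreign_unicast"]:
        return "shared"                   # hub, mirror port or TAP
    return "switched" if seen["broadcast"] or seen["multicast"] else "inconclusive"

def make_pcap(frames):                    # little-endian pcap built in memory
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample data: sniffer, FTP client and FTP server MACs (locally administered).
ME, CLIENT, SERVER = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))
udp_bcast = b"\xff" * 6 + SERVER + b"\x08\x00" + bytes(46)  # periodic broadcast
ftp_tcp = SERVER + CLIENT + b"\x08\x00" + bytes(46)         # client -> server unicast
ON_SWITCH = make_pcap([udp_bcast] * 3)
ON_HUB = make_pcap([udp_bcast, ftp_tcp, ftp_tcp])
```

A switch also floods unicast frames whose destination MAC it has not learned yet, so judge on a capture long enough to include an established conversation between the other two hosts.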