Hi. I have a TCP/IP hardware device (a printer) communicating with a Windows server. I want to monitor the packets between the printer and the server. During my tests, I kept a window running "ping -t" to be sure there was some activity (ICMP packets). When I run Wireshark on this server, I see all the packets - TCP (commands and answers) and ICMP (ping). But I need to go to a company where I can't install Wireshark on their machines. So I installed Wireshark on my notebook and plugged it into the same network, using the same subnet address. Promiscuous mode was on. But I couldn't see any packets - TCP or ICMP. I started pinging from my notebook. Then I could see these packets from my notebook to the printer. Instead of the notebook, I tried the same test from another server that was on the same subnet. Got the same results. Can't see packets between printer and server. Can only see ICMP packets when I ping from my machine. Shouldn't I see all packets on the network? What can be wrong? Thanks. asked 21 Dec '12, 09:24 emersony
One Answer:
No. Your switch will only forward packets to your laptop that are directed to its MAC address, plus any broadcast/multicast.
Your capture setup. Please read the following Wiki article.
Implement the method that is most appropriate in your environment. In a corporate environment it is usually a TAP or a mirror port on the switch. Regards. answered 21 Dec '12, 09:31 Kurt Knochner
Thanks Kurt, I'll take a look at this article.
good luck.
Hi,
I've taken a look at the article Kurt told me about and I found a hub here (SuperStack II PS Hub 40 - 3Com), so I tried the configuration explained at "Switched Media - Hubbing Out". But I could only see packets in one direction, from Host A to Host B.
I tried to invert the positions of the hosts, connecting Host A to the Hub and Host B to the Switch. But I got the same result as before: only saw packets from A to B.
In my case, Host A is a hardware device (a printer) and Host B is a server that sends commands to it. So in both configurations, I can't see the commands sent by the server, only the answers sent by the printer.
What could be causing that?
(Just a piece of information, in case it matters: this hub works at 10Mbps (when I connect it to the switch, it flashes the yellow colour (10Mbps)). The printer works at 100Mbps, and probably all the computers are using 10/100Mbps cards.)
Thanks, Emerson
That 'hub' seems not to be just a 'flat hub'. You can configure 'segments' on that hub (similar to VLANs on a switch).
So your observation may be caused by the port configuration of the 'hub'. Did you try to change ports for A and/or Wireshark?
BTW: what does your setup look like now? Something like this?
Did you use any capture filter? If so, please post them.
Hi Kurt,
Yes, my setup is like the schema you draw.
A - HUB - Switch - B | Wireshark
Later, I changed to:
B - HUB - Switch - A | Wireshark
and got the same results. I can only see packets from A to B, no matter whether A is connected to the hub or to the switch.
In fact, this 'hub' has segments. I don't know how to handle it. I will try to change some ports to see what happens, and any suggestions are welcome.
Many thanks again, Emerson
UPDATE: The PS 40 seems to have no segment switch, so the assumption I made above is void, if it is really a PS 40!
So, it is either a general problem with the hub or some problem with your Wireshark system: wrong capture filter (like dst x.x.x.x), Wireshark system duplex mode (please check if there is something 'unusual'). If that all does not solve your problem: Can't you use port mirroring on your switch? If that does not work, you could buy a cheap switch with port mirroring, like one of these.
I can't see where you connected Wireshark to in your post. Did you connect it to the hub?
If so, please see my UPDATE above. What is the OS of the machine running Wireshark?
That really sounds like a problem with the capture filter. Did you use one of these capture filters?
or
If so, please replace it with
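To make the two points in this thread concrete, the answer above (a switch only delivers unicast frames to the port that owns the destination MAC, plus broadcast/multicast) and the capture-filter comments (a one-sided filter such as dst x.x.x.x shows only one direction), here is an added example that is not part of the original thread and is not Wireshark's or anyone's real switch code. It models a learning switch with an optional mirror port and a tiny subset of BPF capture-filter primitives, then replays a constructed printer/server exchange and reports what a sniffer on port 5 would see. The MAC addresses, IP addresses, port numbers and the bidirectional mirror semantics are all assumptions made for the illustration.

```python
"""Added example: what a sniffer port on a switch sees, with and without a
mirror port, and how a one-sided capture filter hides one direction.
All hosts, addresses and switch ports below are constructed for illustration."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology (assumption): server on port 1, printer on port 3,
# Wireshark notebook on port 5 of a five-port switch.
SERVER = {"mac": "00:11:22:33:44:02", "ip": "192.168.1.20", "port": 1}
PRINTER = {"mac": "00:11:22:33:44:01", "ip": "192.168.1.10", "port": 3}
SNIFFER = {"mac": "00:11:22:33:44:05", "ip": "192.168.1.50", "port": 5}
PORTS = [1, 2, 3, 4, 5]


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit set in the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    """Minimal transparent bridge: learns source MACs per port, floods
    broadcast/multicast and unknown unicast, and forwards known unicast to
    exactly one port. If `mirror` is (mirrored_port, monitor_port), every
    frame entering or leaving mirrored_port is also copied to monitor_port
    (assumed bidirectional mirror; real switches differ in the details)."""

    def __init__(self, ports, mirror=None):
        self.ports = ports
        self.mirror = mirror
        self.mac_table = {}              # MAC -> port it was last seen on
        self.delivered = defaultdict(list)  # port -> frames handed to that port

    def receive(self, in_port, frame):
        self.mac_table[frame["src"]] = in_port
        dst = frame["dst"]
        if is_group_address(dst) or dst not in self.mac_table:
            out_ports = [p for p in self.ports if p != in_port]  # flood
        else:
            out_ports = [self.mac_table[dst]]                    # known unicast
        for p in out_ports:
            self.delivered[p].append(frame)
        if self.mirror:
            mirrored, monitor = self.mirror
            touches_mirrored = in_port == mirrored or mirrored in out_ports
            if touches_mirrored and monitor not in out_ports:   # avoid duplicate copy
                self.delivered[monitor].append(frame)


def frame(src_host, dst_host, proto, dst_mac=None):
    """Constructed L2/L3 frame: Ethernet addresses plus IP endpoints and protocol."""
    return {"src": src_host["mac"], "dst": dst_mac or dst_host["mac"],
            "src_ip": src_host["ip"], "dst_ip": dst_host["ip"], "proto": proto}


def printer_session():
    """Constructed exchange: ARP resolution, one ping round trip, one TCP
    command and its answer. Returns (ingress_port, frame) pairs in order."""
    return [
        (SERVER["port"], frame(SERVER, PRINTER, "arp", dst_mac=BROADCAST)),  # ARP request
        (PRINTER["port"], frame(PRINTER, SERVER, "arp")),                     # ARP reply
        (SERVER["port"], frame(SERVER, PRINTER, "icmp")),                     # echo request
        (PRINTER["port"], frame(PRINTER, SERVER, "icmp")),                    # echo reply
        (SERVER["port"], frame(SERVER, PRINTER, "tcp")),                      # command
        (PRINTER["port"], frame(PRINTER, SERVER, "tcp")),                     # answer
    ]


def capture_filter(expr):
    """Evaluate a small subset of BPF: primitives `host A`, `src host A`,
    `dst host A` (or `src A` / `dst A`), `tcp`, `icmp`, `arp`, `ip`,
    joined by ' and '. An empty string matches everything."""
    def primitive(tokens):
        if tokens in (["tcp"], ["icmp"], ["arp"]):
            return lambda f: f["proto"] == tokens[0]
        if tokens == ["ip"]:
            return lambda f: f["proto"] in ("tcp", "icmp")
        direction = None
        if tokens[0] in ("src", "dst"):
            direction, tokens = tokens[0], tokens[1:]
        if tokens[0] == "host":
            tokens = tokens[1:]
        if len(tokens) != 1:
            raise ValueError("unsupported primitive: %r" % tokens)
        addr = tokens[0]
        if direction == "src":
            return lambda f: f["src_ip"] == addr
        if direction == "dst":
            return lambda f: f["dst_ip"] == addr
        return lambda f: addr in (f["src_ip"], f["dst_ip"])
    preds = [primitive(p.split()) for p in expr.split(" and ")] if expr.strip() else []
    return lambda f: all(p(f) for p in preds)


def sniffer_sees(mirror_printer_port, filter_expr=""):
    """Replay the session and return the frames the sniffer port would capture,
    as 'proto src->dst' strings, after applying the capture filter."""
    mirror = (PRINTER["port"], SNIFFER["port"]) if mirror_printer_port else None
    sw = LearningSwitch(PORTS, mirror)
    for in_port, f in printer_session():
        sw.receive(in_port, f)
    keep = capture_filter(filter_expr)
    return ["%s %s->%s" % (f["proto"], f["src_ip"], f["dst_ip"])
            for f in sw.delivered[SNIFFER["port"]] if keep(f)]


if __name__ == "__main__":
    print("no mirror:          ", sniffer_sees(False))
    print("mirror, no filter:  ", sniffer_sees(True))
    print("mirror, dst filter: ", sniffer_sees(True, "dst host " + PRINTER["ip"]))
```

Without a mirror the sniffer port receives only the flooded ARP broadcast; the unicast ICMP and TCP frames go straight to the learned port, which is the situation described in the question. With the printer's port mirrored, all six frames arrive, and the filter `dst host 192.168.1.10` then keeps only the server-to-printer half, the same one-direction symptom reported with the hub; `host 192.168.1.10` keeps both directions. Note the caveat built into the model: a unicast frame to a MAC the switch has not learned yet is flooded to every port, so a sniffer can briefly see unicast traffic it will not see once the table is populated.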
Hi Kurt,
Something is happening with the line breaks when I type pipes and line breaks, so my schemas don't appear as yours did. So, please imagine a vertical line connecting the Wireshark to the hub in the schemas below.
A - HUB - Switch - B
Wireshark
B - HUB - Switch - A
Wireshark
I changed some ports, but in any case only segment A is flashing. So I imagine that all 12 ports belong to the same segment right now? So it is working just like a flat hub would?
I set the capture filter just to capture "tcp" packets, then I cleared it. Now I got no capture filter.
I am running Wireshark on Windows 7 Pro SP1.
I need to check this half-duplex mode. This is an option in Wireshark, right? I'll see.
Kurt,
I couldn't find where to set half or full duplex in Wireshark and I searched about it. Then I came across the article below. Isn't that saying that hubs are normally half-duplex? Emerson
http://www.markwilson.co.uk/blog/2008/11/using-wireshark-for-basic-packet-capture-and-analysis.htm
◦ Hub – an inexpensive solution to copy all traffic to all other ports, including physical errors.
■ Hubs are effectively repeaters.
■ Beware that some hubs are really switches, labelled as hubs.
■ Dual-speed hubs are actually switched between the 10 and 100Mbps networks – so the analysis device will need to operate at the same speed as the devices being monitored, otherwise only broadcasts will be detected from devices running at a different speed.
■ Advantages include: low cost, easy to install and readily available; traffic can be sent to multiple monitoring ports.
■ Disadvantages include: only half duplex; not fault tolerant and require breaking the link for installation.
O.K. seems to work as a 'real' hub then.
O.K. so not a problem with capture filters. I assume there are no display filters set either, right?
That's a setting of the network interface of your Wireshark PC. Go to the advanced properties of the NIC.
Right. I just wanted to check/eliminate those little silly things, one usually ignores/forgets ;-). Yes, the interface should be in half duplex mode.
So, where are we now?
Some more questions/actions:
Sorry, Kurt: it's saying I don't have enough reputation to award points. I just clicked on the "I like" buttons. Now I'll take a look at your last suggestions.
But I don´t have a managed switch here. If nothing else works, I´ll have to consider that.
You can only award karma by
O.K. if your Wireshark system has two nics, you could build a bridge and attach A to one interface and the switch to the other interface. See the Capture Setup wiki. Otherwise you'll have to buy one of those cheap managed switches mentioned above. Alternatively, you can also run Wireshark on the server itself.
Hi Kurt,
Finally I got a managed switch (MikroTik RB250GS) to go on with my work.
I configured Port Mirroring so it should copy packets from Port 3 to Port 5. My printer is on Port 3 and my notebook with Wireshark on Port 5.
It worked - but partially.
If I do a PING command from my server to my printer, now I see these ICMP packets on Wireshark.
But when my server sends some commands to the printer, I can't see these TCP packets. TCP packets are going in both directions, server-printer and printer-server, but I can't see any TCP packet.
Do you have an idea of what's happening?
Thanks,
Emerson
Just to inform that I installed Wireshark on another machine and then I could see all the packets.
Now I'm trying to discover what's wrong, but it's something with my notebook. So I'm closing this question.
Many thanks Kurt,
Emerson
Did you ever try to run Backtrack on that machine (see my recommendation above)?
Not yet, Kurt. Maybe next week.
For those who are interested: this discussion is continued on the question "I see ICMP but not TCP packets (with managed switch)". Until now, not much progress has been reported.