This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not capturing packets from notebook

0

Hi. I have a TCP/IP hardware device (a printer) communicating with a Windows server. I want to monitor the packets between the printer and the server. During my tests, I kept a window running "ping -t" to be sure there was some activity (ICMP packets).

When I run Wireshark on this server, I see all the packets - TCP (commands and answers) and ICMP (ping). But I need to go to a company where I can't install Wireshark on their machines. So I installed Wireshark on my notebook and plugged it into the same network, using the same subnet address. Promiscuous mode was on. But I couldn't see any packets - TCP or ICMP. I started pinging from my notebook. Then I could see those packets from my notebook to the printer.

Instead of the notebook, I tried the same test from another server that was on the same subnet. I got the same results: I can't see packets between the printer and the server, I can only see ICMP packets when I ping from my machine.

Shouldn't I see all packets on the network? What can be wrong? Thanks.

asked 21 Dec '12, 09:24


emersony
accept rate: 0%


One Answer:

1

Shouldn't I see all packets on the network?

No. Your switch will only forward packets to your laptop that are directed to its MAC address, plus any broadcast/multicast.

What can be wrong?

Your capture setup. Please read the following Wiki article.

http://wiki.wireshark.org/CaptureSetup/Ethernet

Implement the method that is most appropriate in your environment. In a corporate environment it is usually a TAP or a mirror port on the switch.

Regards
Kurt

answered 21 Dec '12, 09:31


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt, I'll take a look at this article.

(21 Dec '12, 12:25) emersony

good luck.

(21 Dec '12, 12:43) Kurt Knochner ♦

Hi,

I've taken a look at the article Kurt told me about and I found a hub here (SuperStack II PS Hub 40 - 3Com), so I tried the configuration explained under "Switched Media - Hubbing Out". But I could only see packets in one direction, from Host A to Host B.

I tried to invert the positions of the hosts, connecting Host A to the Hub and Host B to the Switch. But I got the same result as before: only saw packets from A to B.

In my case, Host A is a hardware device (a printer) and Host B is a server that sends commands to it. So in both configurations, I can't see the commands sent by the server, only the answers sent by the printer.

What could be causing that?

(Just one piece of information, in case it matters: this hub works at 10Mbps (when I connect it to the switch, the yellow 10Mbps light flashes). The printer works at 100Mbps, and probably all the computers are using 10/100Mbps cards.)

Thanks, Emerson

(27 Dec '12, 16:22) emersony
1

That 'hub' seems not to be just a 'flat hub'. You can configure 'segments' on that hub (similar to VLANs on a switch).

http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c02581797/c02581797.pdf

So your observation may be caused by the port configuration of the 'hub'. Did you try to change ports for A and/or Wireshark?

BTW: what does your setup look like now? Something like this?

  A (printer) -- HUB -- switch -- B (server)
                  |
                  |
              Wireshark

Did you use any capture filter? If so, please post it.

(27 Dec '12, 16:39) Kurt Knochner ♦

Hi Kurt,

Yes, my setup is like the schema you drew.

A - HUB - Switch - B | Wireshark

Later, I changed to:

B - HUB - Switch - A | Wireshark

and got the same results. I can only see packets from A to B, no matter if A is connected to the Hub or to the Switch.

In fact, this 'hub' has segments. I don't know how to handle it. I will try changing some ports to see what happens, and any suggestions are welcome.

Many thanks again, Emerson

(27 Dec '12, 16:45) emersony
1

UPDATE: The PS 40 seems to have no segment switch, so the assumption I made above is void, if it is really a PS 40!

So, it is either a general problem with the hub or some problem with your Wireshark system: a wrong capture filter (like dst x.x.x.x), or the duplex mode of the Wireshark system (please check if there is something 'unusual').

If that all does not solve your problem: Can't you use port mirroring on your switch? If that does not work, you could buy a cheap switch with port mirroring, like one of these.

http://ask.wireshark.org/questions/13892/port-mirror-switch

(27 Dec '12, 16:51) Kurt Knochner ♦
1

A - HUB - Switch - B | Wireshark

I can't see where you connected Wireshark in your post. Did you connect it to the hub?

If so, please see my UPDATE above. What is the OS of the machine running Wireshark?

I can only see packets from A to B, no matter if A is connected to the Hub or to the Switch.

That really sounds like a problem with the capture filter. Did you use one of these capture filters?

dst b.b.b.b

or

src a.a.a.a

If so, please replace it with

host a.a.a.a

(27 Dec '12, 16:53) Kurt Knochner ♦
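To make the capture-filter point above concrete, here is an added example that is not part of the thread: a small evaluator for the filter primitives Kurt names (src, dst, host, plus a protocol keyword), run over constructed packets flowing in both directions between A (printer) and B (server). The addresses are constructed TEST-NET values standing in for a.a.a.a and b.b.b.b, and the evaluator covers only a small subset of libpcap filter syntax.

```python
import ipaddress

# Constructed sample traffic (TEST-NET addresses, RFC 5737): A stands in for the
# printer (a.a.a.a in the thread), B for the server (b.b.b.b). Both directions
# are present, plus one unrelated flow so that "dst B" is visibly wider than "src A".
A = "192.0.2.10"
B = "192.0.2.20"
OTHER = "192.0.2.30"
PACKETS = [(A, B, "tcp"), (B, A, "tcp"), (A, B, "icmp"), (B, A, "icmp"), (OTHER, B, "tcp")]


def _match_primitive(tokens, pkt):
    """One filter primitive: 'tcp'/'udp'/'icmp', or [src|dst] [host] <addr>."""
    src, dst, proto = pkt
    if len(tokens) == 1 and tokens[0] in ("tcp", "udp", "icmp"):
        return proto == tokens[0]
    direction = "host"                      # bare 'host X' matches either end
    if tokens[0] in ("src", "dst"):
        direction, tokens = tokens[0], tokens[1:]
    if tokens and tokens[0] == "host":
        tokens = tokens[1:]
    if len(tokens) != 1:
        raise ValueError(f"unsupported primitive: {' '.join(tokens)}")
    addr = str(ipaddress.ip_address(tokens[0]))  # rejects malformed addresses
    if direction == "src":
        return src == addr
    if direction == "dst":
        return dst == addr
    return addr in (src, dst)


def capture_filter_matches(expr, pkt):
    """Evaluate a small subset of libpcap capture-filter syntax: primitives
    joined by 'and'/'or' ('and' binds tighter); no parentheses or 'not'."""
    expr = expr.strip()
    if not expr:                            # empty filter: everything is captured
        return True
    return any(all(_match_primitive(term.split(), pkt) for term in clause.split(" and "))
               for clause in expr.split(" or "))


def captured_directions(expr, packets=PACKETS):
    """Set of (src, dst) pairs that survive the filter: shows which directions remain."""
    return {(s, d) for s, d, p in packets if capture_filter_matches(expr, (s, d, p))}


if __name__ == "__main__":
    for f in ("dst " + B, "src " + A, "host " + A, "host %s and tcp" % A):
        print(f"{f!r:32} -> {sorted(captured_directions(f))}")
```

Running it shows that "dst b.b.b.b" and "src a.a.a.a" each keep only the A-to-B direction, while "host a.a.a.a" keeps both, which is exactly the one-way symptom described in this thread.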

Hi Kurt,

Something is happening with the line breaks when I type pipes and line breaks, so my schemas don't appear as yours did. So, please imagine a vertical line connecting Wireshark to the hub in the schemas below.

A - HUB - Switch - B

Wireshark

B - HUB - Switch - A

Wireshark

I changed some ports, but in any case only segment A is flashing. So I imagine that all 12 ports belong to the same segment right now? So is it working just like a flat hub would?

I set the capture filter to capture just "tcp" packets, then I cleared it. Now I have no capture filter.

I am running Wireshark on Windows 7 Pro SP1.

I need to check this half duplex mode. This is an option in Wireshark, right? I'll see.

(27 Dec '12, 17:11) emersony

Kurt,

I couldn't find where to set half or full duplex in Wireshark, and I searched for it. Then I found the article below. Isn't that saying that hubs are normally half-duplex? Emerson

http://www.markwilson.co.uk/blog/2008/11/using-wireshark-for-basic-packet-capture-and-analysis.htm

  • Hub – an inexpensive solution to copy all traffic to all other ports, including physical errors.
    • Hubs are effectively repeaters.
    • Beware that some hubs are really switches, labelled as hubs.
    • Dual-speed hubs are actually switched between the 10 and 100Mbps networks – so the analysis device will need to operate at the same speed as the devices being monitored, otherwise only broadcasts will be detected from devices running at a different speed.
    • Advantages include: low cost, easy to install and readily available; traffic can be sent to multiple monitoring ports.
    • Disadvantages include: only half duplex; not fault tolerant and require breaking the link for installation.

(27 Dec '12, 17:32) emersony
1

I changed some ports, but in any case only segment A is flashing. So I imagine that all 12 ports belong to the same segment right now?

O.K. seems to work as a 'real' hub then.

I set the capture filter to capture just "tcp" packets, then I cleared it. Now I have no capture filter.

O.K. so not a problem with capture filters. I assume there are no display filters set either, right?

I need to check this half duplex mode. This is an option in Wireshark, right? I'll see.

That's a setting of the network interface of your Wireshark PC. Go to the advanced properties of the NIC.

Isn't that saying that hubs are normally half-duplex?

Right. I just wanted to check/eliminate those little silly things, one usually ignores/forgets ;-). Yes, the interface should be in half duplex mode.

So, where are we now?

  • you have a 'real' hub (at least it looks like one)
  • you should see the whole traffic, but you see only one direction
  • there are no capture/display filters causing that behavior, right?

Some more questions/actions:

  1. Can you please disable the Windows 7 firewall on the Wireshark PC, if it is enabled?
  2. What about port mirroring on your switch?
  3. Can you download BackTrack Linux (http://www.backtrack-linux.org/) and run your Wireshark PC with that image (no installation needed). Start Wireshark on BackTrack. Do you see traffic in both directions?
(27 Dec '12, 21:22) Kurt Knochner ♦

Sorry, Kurt: it's saying I don't have enough reputation to award points. I just clicked on the "I like" buttons. Now I'll take a look at your last suggestions.

But I don't have a managed switch here. If nothing else works, I'll have to consider that.

(28 Dec '12, 12:31) emersony

You can only award karma by

  • giving away your own karma (you don't have much karma as a new user)
  • clicking on the 'like' icon (15 karma points)
  • accepting the answer by clicking the checkmark icon (25 karma points)

But I don't have a managed switch here. If nothing else works, I'll have to consider that.

O.K. if your Wireshark system has two NICs, you could build a bridge and attach A to one interface and the switch to the other interface. See the Capture Setup wiki. Otherwise you'll have to buy one of those cheap managed switches mentioned above. Alternatively, you can also run Wireshark on the server itself.

(28 Dec '12, 13:27) Kurt Knochner ♦

Hi Kurt,

Finally I got a managed switch (MikroTik RB250GS) to go on with my work.

I configured port mirroring so it should copy packets from Port 3 to Port 5. My printer is on Port 3 and my notebook with Wireshark is on Port 5.

It worked - but partially.

If I run a PING command from my server to my printer, now I see those ICMP packets in Wireshark.

But when my server sends some commands to the printer, I can't see those TCP packets. TCP packets are going in both directions, server-printer and printer-server, but I can't see any TCP packet.

Do you have an idea what's happening?

Thanks,

Emerson

(16 Jan '13, 14:18) emersony

Just to let you know that I installed Wireshark on another machine and then I could see all the packets.

Now I'm trying to discover what's wrong, but it's something with my notebook. So I'm closing this question.

Many thanks Kurt,

Emerson

(22 Jan '13, 16:31) emersony

Did you ever try to run Backtrack on that machine (see my recommendation above)?

(22 Jan '13, 23:41) Kurt Knochner ♦

Not yet, Kurt. Maybe next week.

For those who are interested: this discussion is continued on the question "I see ICMP but not TCP packets (with managed switch)". Until now, not much progress has been reported.

(29 Jan '13, 10:26) emersony