
I see ICMP but not TCP packets (with managed switch)


Hi,

I was trying to see packets from a server to a hardware device (a printer), but I was told it would not work on a switched media unless I tried some of the configurations explained on http://wiki.wireshark.org/CaptureSetup/Ethernet

So I got a managed switch (MikroTik RB250GS), as recommended and configured Port Mirroring to copy packets to/from Port3 (where I connected my printer) to Port5 (where I had my notebook with Wireshark).

Now I can see one result that I couldn't see before.

If I do a ping from the server to the printer, I can see the ICMP packets captured by Wireshark.

But if I send a command from the server to the printer, I can't see the TCP packets. I also can't see the answers from the printer to the server. But they are surely being sent, because the printer is working as it should.

I am not using capture filters on Wireshark. I am only using a display filter to show packets with ip.addr == (the IP address of the printer).

Can anyone tell me what can be happening in this case?

Thanks,

Emerson

asked 17 Jan '13, 11:27 by emersony

Are you sure you put your NIC into promiscuous mode? Either by using the "capture all in promiscuous mode" or by double clicking on the interface and using the "capture in promiscuous mode"?

Given that you can see the ping packets, I would think so, but thought I'd ask just in case.

(18 Jan '13, 20:14) hansangb

Yes, it's working in promiscuous mode. Thanks.

(21 Jan '13, 15:16) emersony

2 Answers:


You might be running software on your laptop that interferes with the capturing process. Some examples:

  • VPN clients
  • Host based firewalls
  • Anti virus software

Have a look at http://wiki.wireshark.org/CaptureSetup/InterferingSoftware for more detailed information.

answered 20 Jan '13, 01:46 by SYN-bit ♦♦

There's no firewall, so I disabled the antivirus, but nothing changed. Thanks.

(21 Jan '13, 15:17) emersony

I did some experiments, and got a lot of strange results.

I can see some TCP packets for a few seconds from the moment I turn on the printer and it connects to the server. I see SYN/ACK packets while it's connecting, and then the first PSH packets when I send some print commands to the printer.

2 strange things happen:

a) Unidirectional

I see all these packets (SYN and PSH) in just one direction - from printer to server. I never saw one TCP packet from the server to the printer.

b) Does not last much time

But if I wait some seconds and try to send these commands, I can't see them anymore on Wireshark. Why should Wireshark stop showing packets after some time?

With ICMP packets:

When I do a ping from the server to the printer, I also see ICMP packets in one direction - now, from server to printer. It's unidirectional and also lasts only some time - later I started pinging again and it stopped appearing on Wireshark.

If I do a ping from my notebook to the printer, I see ICMP packets in both directions, and this lasts forever.

(21 Jan '13, 15:30) emersony

Still sounds like interfering software to me. Can you try with another laptop or by running a Linux Live CD on the laptop (like BackTrack for instance)?

(21 Jan '13, 15:37) SYN-bit ♦♦

Is it possible that you have a LAN connection and a Wifi connection? Maybe you are multi-homed? Can you try capturing on all interfaces?

(21 Jan '13, 22:26) hansangb

SYN-bit,

In fact I captured all the packets using another machine. There's something wrong with this laptop.

There are a lot of things installed on it. It seems that disabling the antivirus and the firewall was not enough.

Many Wifi networks are shown. In some of them, there is the identification "VPN" (but not Cisco or SonicWall, as reported in the article you recommended). But they may be interfering anyway.

Now I start to hunt for what's wrong with my laptop. Should I open a new question or can I keep this question open?

Many thanks,

Emerson

(22 Jan '13, 16:22) emersony

Yes hansangb, I have LAN and Wifi connections, but all the packets are coming via the LAN connection. Anyway, I've already tried capturing on all interfaces. Thanks.

(22 Jan '13, 16:24) emersony

@emersony, you can keep this one open. Good luck finding the interfering software. When you do find it, could you also update the Wireshark wiki for future reference to others running into the same problems?

(22 Jan '13, 23:43) SYN-bit ♦♦

Ok SYN-bit. Now it can take some time, because this question lost priority. At the same time, I had a problem with my Windows - it needs reinstallation. But I tested with another laptop from another person (same model and almost the same software - it's installed by our company) and it showed the same problems. Surely there's something wrong with the software. If I discover what was wrong I'll tell what happened. Thanks.

(28 Jan '13, 11:37) emersony
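The symptom reported in the comments above (traffic to and from the mirrored host shows up in one direction only, and then stops) is easy to miss by eye in a busy capture. The script below is an added example for this thread, not code from ask.wireshark.org or the Wireshark project: it reads a one-packet-per-line summary of the form "time src dst protocol", such as `tshark -r capture.pcap -T fields -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol` prints, and for a given host lists every peer/protocol pair where only one direction reached the capturing NIC, together with when that pair was last seen. The IP addresses and the packet lines are constructed to mimic the situation in the thread (printer 10.0.0.50, server 10.0.0.10, capturing notebook 10.0.0.20); a one-way flow is the cue to re-check the mirror port configuration and the software on the capturing machine before suspecting the devices themselves.

```python
"""Flag one-way traffic to/from a host in a mirror-port capture summary.

Added example (not from ask.wireshark.org or Wireshark). Input lines look
like the output of:
  tshark -r capture.pcap -T fields -e frame.time_relative \
         -e ip.src -e ip.dst -e _ws.col.Protocol
Fields are whitespace-separated; non-IP frames (empty ip.src/ip.dst) are skipped.
"""
from collections import defaultdict

# Constructed addresses matching the roles described in the thread.
PRINTER = "10.0.0.50"   # host on the mirrored switch port
SERVER = "10.0.0.10"    # print server
NOTEBOOK = "10.0.0.20"  # machine running Wireshark on the mirror-target port

# Constructed capture summary: server ping and printer TCP appear one-way,
# the notebook's own ping to the printer is two-way.
SAMPLE = """\
0.000\t10.0.0.10\t10.0.0.50\tICMP
1.001\t10.0.0.10\t10.0.0.50\tICMP
2.000\t10.0.0.50\t10.0.0.10\tTCP
2.003\t10.0.0.50\t10.0.0.10\tTCP
2.020\t10.0.0.50\t10.0.0.10\tTCP
5.000\t10.0.0.20\t10.0.0.50\tICMP
5.001\t10.0.0.50\t10.0.0.20\tICMP
"""


def parse_summary(text):
    """Turn summary lines into (time, src, dst, proto) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank line or frame without IP addresses
        records.append((float(fields[0]), fields[1], fields[2], fields[3]))
    return records


def direction_counts(records, host):
    """Per (peer, proto): packets sent to `host`, sent from it, and last time seen."""
    counts = defaultdict(lambda: {"to_host": 0, "from_host": 0, "last_seen": 0.0})
    for t, src, dst, proto in records:
        if dst == host:
            key, field = (src, proto), "to_host"
        elif src == host:
            key, field = (dst, proto), "from_host"
        else:
            continue  # packet does not involve the mirrored host
        counts[key][field] += 1
        counts[key]["last_seen"] = max(counts[key]["last_seen"], t)
    return dict(counts)


def one_way_flows(records, host):
    """Sorted (peer, proto) pairs where exactly one direction was captured."""
    flows = direction_counts(records, host)
    return sorted(key for key, c in flows.items()
                  if (c["to_host"] == 0) != (c["from_host"] == 0))


def report(records, host):
    """One line per peer/proto pair; one-way pairs carry a warning suffix."""
    one_way = set(one_way_flows(records, host))
    lines = []
    for (peer, proto), c in sorted(direction_counts(records, host).items()):
        flag = ""
        if (peer, proto) in one_way:
            flag = "  <-- one direction only: check mirror config and capturing NIC"
        lines.append("%s %-4s to_host=%d from_host=%d last_seen=%.3fs%s"
                     % (peer, proto, c["to_host"], c["from_host"],
                        c["last_seen"], flag))
    return lines


if __name__ == "__main__":
    for line in report(parse_summary(SAMPLE), PRINTER):
        print(line)
```

Run against the constructed sample, the report flags 10.0.0.10/ICMP and 10.0.0.10/TCP as one-way while 10.0.0.20/ICMP is two-way, which is exactly the pattern emersony describes: the capturing machine's own ping is fine, everything relayed through the mirror port is not. The `last_seen` column is what you would compare against the capture length to confirm the "stops after a few seconds" observation.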


As we have already discussed this issue in another question

http://ask.wireshark.org/questions/17137/wireshark-not-capturing-packets-from-notebook

I would like to remind you to run Backtrack Linux on the machine that makes trouble (see my comments in the other question) and check if that works. If so, it's (most certainly) a problem with any additional software on the laptop/machine.

Regards
Kurt

answered 22 Jan '13, 23:43 by Kurt Knochner ♦

Ok Kurt / SYN-bit,

I didn't do that because I can't download BackTrack at my company. I'll do that later and test when my Windows is reinstalled. Thanks.

(28 Jan '13, 11:41) emersony