I have a USB-Ethernet adaptor connecting my Windows XP PC to an external device. Wiresharc (running on the same PC) sees all the activity I expect between the PC and the device. When both the PC and the device are idle (sending no Ethernet packets on that interface) I usually (but not always) see frantic, continuous activity on the adaptor (its lights are flashing), but Wireshark detects nothing. Is there any way I can discover what's causing this activity? asked 02 Apr '13, 01:41 Peter Robertson |
2 Answers:
Is the external device a networking device (like a switch/router) etc? Does it have statistics for the interface? That help you determine if it is real traffic and not just a flashing LED. Wireshark must be in "promiscuous" mode (in the interface options) to be able to see traffic that is not orignated or a destination for the monitoring interface. answered 02 Apr '13, 03:31 martyvis |
That activity could be data on the USB bus that are not related to your networking traffic. To verify this scenario, add a switch between the DSP and the USB adapter. Then check if the activity LED of the switch blinks whenever the LED of the USB adapter does.
If there is network traffic (switch LED) it could also 'damaged' network packets that are dropped by the USB adapter and thus don't make it to Wireshark. To verify this scenario, you could use a second laptop (plus a HUB, TAP or Switch mirror port) and monitor the traffic between the DSP and the USB adapter. If you see traffic on the line, but not on the USB adapter, you can check if the packets are possibly 'damaged' (however, the NIC of your second PC might also drop damaged packets).
Without knowledge about the internals of the USB adapter (what exactly triggers the LED), you can only guess. I think you can get that kind of information only from the vendor of the USB adapter. Regards answered 02 Apr '13, 09:30 Kurt Knochner ♦ |
It's a DSP that is idle; it is not a networking device. It's doing nothing, so there are no statistics. Wireshark is in promiscuous mode.
Wireshark (actually the pcap library) only will see packets that pass the physical layer. So there is "nothing to see" I expect.