This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ethernet activity not seen by Wireshark

0

I have a USB-Ethernet adaptor connecting my Windows XP PC to an external device. Wireshark (running on the same PC) sees all the activity I expect between the PC and the device. When both the PC and the device are idle (sending no Ethernet packets on that interface) I usually (but not always) see frantic, continuous activity on the adaptor (its lights are flashing), but Wireshark detects nothing.

Is there any way I can discover what's causing this activity?

asked 02 Apr '13, 01:41

Peter Robertson
accept rate: 0%


2 Answers:

0

Is the external device a networking device (like a switch/router) etc? Does it have statistics for the interface? That would help you determine if it is real traffic and not just a flashing LED. Wireshark must be in "promiscuous" mode (in the interface options) to be able to see traffic that is not originated or a destination for the monitoring interface.

answered 02 Apr '13, 03:31

martyvis
accept rate: 7%

It's a DSP that is idle; it is not a networking device. It's doing nothing, so there are no statistics. Wireshark is in promiscuous mode.

(02 Apr '13, 03:42) Peter Robertson

Wireshark (actually the pcap library) only will see packets that pass the physical layer. So there is "nothing to see" I expect.

(02 Apr '13, 03:51) martyvis

0

When both the PC and the device are idle (sending no Ethernet packets on that interface) I usually (but not always) see frantic, continuous activity on the adaptor (its lights are flashing), but Wireshark detects nothing.

That activity could be data on the USB bus that are not related to your networking traffic. To verify this scenario, add a switch between the DSP and the USB adapter. Then check if the activity LED of the switch blinks whenever the LED of the USB adapter does.

  • If yes: There is network traffic, and there is a reason why you don't see those packets in Wireshark (see below).
  • If no: There is no network traffic and the USB adapter LED might just indicate data on the USB bus.

If there is network traffic (switch LED) it could also be 'damaged' network packets that are dropped by the USB adapter and thus don't make it to Wireshark. To verify this scenario, you could use a second laptop (plus a HUB, TAP or Switch mirror port) and monitor the traffic between the DSP and the USB adapter. If you see traffic on the line, but not on the USB adapter, you can check if the packets are possibly 'damaged' (however, the NIC of your second PC might also drop damaged packets).

Is there any way I can discover what's causing this activity?

Without knowledge about the internals of the USB adapter (what exactly triggers the LED), you can only guess. I think you can get that kind of information only from the vendor of the USB adapter.

Regards
Kurt

answered 02 Apr '13, 09:30

Kurt Knochner ♦
accept rate: 15%
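
A complementary check for the 'damaged packets' scenario in the answer above, added here as an example and not part of the original thread: compare the receive counters from two runs of the Windows command `netstat -e` taken while the LED is flashing. The snapshot values are constructed; the example assumes the adapter's driver reports receive errors, and that other interfaces are quiet, because this output shows only one set of totals.

```python
import re

# Constructed `netstat -e` output (Windows), sampled twice while PC and device are idle.
HEADER = "Interface Statistics\n\n                           Received            Sent\n\n"
SNAPSHOT_1 = HEADER + """\
Bytes                      48211034        12907551
Unicast packets               61230           58412
Non-unicast packets            1904             211
Discards                          0               0
Errors                           17               0
Unknown protocols                 3
"""
SNAPSHOT_2 = HEADER + """\
Bytes                      48211034        12907551
Unicast packets               61230           58412
Non-unicast packets            1904             211
Discards                          0               0
Errors                         2406               0
Unknown protocols                 3
"""

ROW = re.compile(r"^(Bytes|Unicast packets|Non-unicast packets|Discards|Errors|"
                 r"Unknown protocols)[ \t]+(\d+)(?:[ \t]+(\d+))?[ \t]*$", re.M)

def parse(text):
    """Map counter name -> (received, sent); sent is None for one-column rows."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)) if m.group(3) else None)
            for m in ROW.finditer(text)}

def rx_delta(before, after):
    """Change in each *received* counter between two snapshots."""
    a, b = parse(before), parse(after)
    return {name: b[name][0] - a[name][0] for name in a if name in b}

def classify(delta):
    """Label what the adapter counted on receive between the snapshots."""
    good = delta["Unicast packets"] + delta["Non-unicast packets"]
    bad = delta["Errors"] + delta["Discards"]
    if bad and not good:
        return "damaged-only"   # frames arrived but were dropped below the capture point
    if bad:
        return "mixed"          # some frames delivered, some dropped
    if good:
        return "valid-only"     # delivered frames; a capture should show them
    return "none"               # nothing counted on receive

if __name__ == "__main__":
    d = rx_delta(SNAPSHOT_1, SNAPSHOT_2)
    print(d, classify(d))
```

A "none" result is consistent with the LED reflecting something other than received Ethernet frames, but it cannot rule out an adapter that simply does not count the frames it drops.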