This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Only seeing originating side of conversation


I am trying to get a trace from a Cisco 3750 using a port monitor. I am only seeing the originating side of any conversation. It doesn't make a difference if the device that is attached to the source switch port is originating the conversation or is the destination. For example, when I ping this device or ping from this device, I only see the ICMP ECHO request. I never see the reply, even though the devices can PING each other. I have removed and reinstalled Wireshark and WinPcap.

Here is my monitor config from my switch:

monitor session 1 source interface Gi2/0/19
monitor session 1 destination interface Gi2/0/24

asked 10 Feb '11, 08:45


flrdr
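A quick way to confirm the symptom described in the question from a saved capture, added here as an example and not part of the original post: the script below parses a classic pcap file with only the Python standard library, pairs ICMP echo requests with their replies by (initiator, target, ICMP id), and lists conversations that have requests but never a reply. The capture it runs on at the bottom is constructed inline (addresses, MACs and ids are made up) rather than taken from the asker's trace, and checksums are left at zero since the parser does not verify them.

```python
"""Count ICMP echo requests vs replies in a pcap to spot a one-sided capture."""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_ICMP = 1
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def iter_pcap_packets(data: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:  # DLT_EN10MB
        raise ValueError(f"unsupported link type {link_type}")
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_icmp_echo(frame: bytes):
    """Return (src, dst, icmp_type, ident) for an ICMP echo frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4          # header length in bytes
    if ip[9] != PROTO_ICMP or len(ip) < ihl + 8:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    icmp = ip[ihl:]
    if icmp[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    ident = struct.unpack("!H", icmp[4:6])[0]
    return src, dst, icmp[0], ident


def echo_balance(data: bytes):
    """Map (initiator, target, id) -> {"requests": n, "replies": m}.

    A reply from B to A is credited to the (A, B, id) conversation, so a
    healthy two-way capture shows roughly equal counts for each key."""
    counts = defaultdict(lambda: {"requests": 0, "replies": 0})
    for frame in iter_pcap_packets(data):
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        src, dst, icmp_type, ident = parsed
        if icmp_type == ICMP_ECHO_REQUEST:
            counts[(src, dst, ident)]["requests"] += 1
        else:
            counts[(dst, src, ident)]["replies"] += 1
    return dict(counts)


def one_sided(data: bytes):
    """Conversations with echo requests but no replies at all (the symptom)."""
    return sorted(k for k, c in echo_balance(data).items()
                  if c["requests"] and not c["replies"])


def build_echo_frame(src, dst, icmp_type, ident, seq):
    """Build a minimal Ethernet/IPv4/ICMP echo frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, PROTO_ICMP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + icmp


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (DLT_EN10MB)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


# Constructed sample (not a real trace): 10.0.0.10 pings 10.0.0.20 twice and
# only the requests were captured; 10.0.0.30 pings 10.0.0.40 and the reply is there.
SAMPLE_PCAP = build_pcap([
    build_echo_frame("10.0.0.10", "10.0.0.20", ICMP_ECHO_REQUEST, 0x1234, 1),
    build_echo_frame("10.0.0.10", "10.0.0.20", ICMP_ECHO_REQUEST, 0x1234, 2),
    build_echo_frame("10.0.0.30", "10.0.0.40", ICMP_ECHO_REQUEST, 0x0042, 1),
    build_echo_frame("10.0.0.40", "10.0.0.30", ICMP_ECHO_REPLY, 0x0042, 1),
])

if __name__ == "__main__":
    for key, counts in echo_balance(SAMPLE_PCAP).items():
        print(key, counts)
    print("one-sided:", one_sided(SAMPLE_PCAP))
```

To run it against a real trace, replace `SAMPLE_PCAP` with `open("trace.pcap", "rb").read()`; a capture from a working SPAN session should report no one-sided conversations for hosts that can ping each other, while the situation in the question shows every pair listed.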

My first thought was that the monitor session was set up only mirroring either incoming or outgoing frames, but if you never see the ICMP ECHO reply no matter if the mirrored port is sending or receiving it this can't be the case. Which is kinda strange, I have to admit.

Does the device at Gi2/0/19 have more than one network card maybe? Maybe an active wireless card, and you have an asymmetric conversation using two interfaces?

Is the other device in the same subnet, or is there a router involved? If so, what happens if you ping a device in the same subnet?

(10 Feb '11, 09:49) Jasper ♦♦

The device on G2/0/19 only has one NIC. I see the same results pinging within the same subnet. I also tested on other ports with test PCs (1 NIC) with the same results. It appears that the problem is with my laptop or with the Wireshark options. I loaded Wireshark on a new Win7 laptop, and the captures work OK. The real strange thing is: if I use the "bad" laptop to sniff its own traffic, I can see both sides of the conversation. When I use it to sniff the monitor port, I only see the originator's side. Any ideas on what could be causing this? Any help is greatly appreciated!!

(11 Feb '11, 09:33) flrdr

2 Answers:


I was able to determine that a Check Point VPN client (SecureClient) that we run on our laptops was causing the problem. I tried disabling the Check Point services and the security policy, but that didn't help. I had to completely remove the VPN client and wireshark runs just fine.

answered 14 Feb '11, 08:40


flrdr

Good thing you found what caused the trouble, and probably worth keeping in mind. I myself avoid installing the Cisco VPN client for similar reasons :-)

(14 Feb '11, 14:07) Jasper ♦♦


Looks like your "bad" laptop has a faulty NIC that doesn't "like" all the frames coming in. The last thing I would check is whether you have a duplicate MAC address in your network (for example, the "bad" laptop having the same as the device on G2/0/19). Duplicate MAC addresses are very hard to spot unless you're suspecting it, and can lead to network behavior that seems to be random at best.

Otherwise I think it's either the hardware or the OS being "on the fritz" or both.

answered 11 Feb '11, 09:49


Jasper ♦♦

I don't think that it's hardware. The laptop works fine except when using Wireshark. Also, it can sniff its own traffic OK. When it's just listening to a monitored switch port, its MAC address shouldn't have much to do with it.

(11 Feb '11, 10:06) flrdr

Okay, it was just a thought :-) If the hardware is working fine then it must be a software problem. The next thing I would check is whether the same hardware booted into a BackTrack or Ubuntu live CD has the same trouble.

(12 Feb '11, 03:32) Jasper ♦♦