This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot capture l2tp packets using wireshark on windows 7 PC

0

Hi all,

I have one problem, I cannot capture l2tp packets using wireshark on a Windows 7 machine.

Can you please help me?

Kind regards, Christos

asked 23 Sep '13, 06:51

ctsalidis

There should be no difference between Win7 and any other OS Wireshark runs on with regard to L2TP; it may be a problem with your capture setup or the frames received. Can you elaborate on your problem?

(23 Sep '13, 08:42) Anders ♦

Maybe he tried to capture on the virtual adapter created by the l2tp client on Windows, which would not work due to WinPcap limitations.

(23 Sep '13, 09:28) Kurt Knochner ♦

Actually what I am doing is the following: I use mirroring to forward all the inbound and outbound packets of the router appliance to a specific port where my computer is connected. Although I can receive a lot of packets, such as BGP, LDP and others, I cannot receive l2tp traffic. It makes sense that these packets are somehow discarded on my Ethernet interface, but I do not know why. I have additionally configured jumbo frames for my interface, but nothing.

Any idea? I am thinking of installing a Linux OS and giving it a try.

(23 Sep '13, 12:10) ctsalidis

Can you please add more details about the infrastructure?

Does it look like this?

L2TP Client --- Internet ---- Router ----- Switch ----- L2TP Server
                                             |
                                             |
                                        Wireshark

If so, I wonder why you see BGP (on the internal side). If the infrastructure is different, please correct my ASCII art.

(23 Sep '13, 13:58) Kurt Knochner ♦

        LNS ..... Router ....... LAC......L2TP Client
         .
         .
        Laptop

(23 Sep '13, 14:19) ctsalidis

I use mirroring to forward all the inbound and outbound packets of the router appliance to a specific port where my computer is connected

The image above does not match your statement. So, what exactly are you mirroring and where?

(23 Sep '13, 14:58) Kurt Knochner ♦

I mirror the LNS towards the Router interface to the port where my laptop is connected.

(23 Sep '13, 15:01) ctsalidis

I cannot see mpls and l2tp packets. Only IP, TCP, LDP, BGP and maybe some more.

(23 Sep '13, 15:02) ctsalidis
1

Only IP, TCP, BGP

O.K. some questions:

  1. Any idea why you see BGP on your internal network?
  2. the IP/TCP traffic you see, is that full conversations of other systems or just broadcast/multicast?
  3. the traffic you see, is that bidirectional (traffic in both directions)?

(23 Sep '13, 15:42) Kurt Knochner ♦

Hi Kurt, to answer your questions.

  1. The above network is a testing network where we run BGP as well.

  2. The TCP traffic is always full conversations.

  3. And I can see it is in both directions.

I suspect that it should be something on my interface card, can it be the drivers?

(23 Sep '13, 15:56) ctsalidis
1

I suspect that it should be something on my interface card, can it be the drivers?

Well, I don't think so. Why should the system drop l2tp traffic that is not directed to itself?

Anyway, just to rule that out, please remove the IPV4 binding of the sniffer interface on the PC - don't do that via RDP ;-)

Control Panel\Network and Internet\Network Connections

Interface Properties -> Remove the checkmark for TCP/IPv4

Then capture another session and check the results.

(23 Sep '13, 16:17) Kurt Knochner ♦

Ok I will give it a try in the morning and then I will let you know! Anyway I would like to thank you for your time and effort :)

(23 Sep '13, 16:20) ctsalidis
1

Ok I will give it a try in the morning and then I will let you know!

Any difference?

(24 Sep '13, 08:20) Kurt Knochner ♦

I hadn't the chance to do the testing today, however I will try to do it tomorrow in case I will have some free time :D I will let you know as soon as I do it!

(24 Sep '13, 15:28) ctsalidis

One Answer:

0

I use mirroring to forward all the inbound and outbound packets of the router appliance to a specific port where my computer is connected

I suspect your mirroring configuration is not working as you expect (instead of the capture laptop dropping the L2TP frames). On which device do you do the mirroring of the traffic? On the LNS? On the router? On a switch in between the LNS and the router?

Could you provide details on the mirroring setup and the brand/type of the device on which you do the mirroring?

Assuming you are not using a switch between the LNS and the router (as it was not in your drawing), are you able to insert a switch in between the LNS and the router and perform the mirroring on the switch?

answered 26 Sep '13, 00:22

SYN-bit ♦♦
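One way to check what the mirror port actually delivers, which is the question the answer above raises: tally a saved capture by protocol, looking through VLAN tags and MPLS label stacks so that L2TP (UDP port 1701) is counted even when it arrives labelled. This is an added example, not part of the original thread; it assumes a capture saved in classic pcap format (not pcapng) with Ethernet link type, and the names `classify`, `tally`, `KNOWN` and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

KNOWN = {(17, 1701): "L2TP", (6, 179): "BGP", (6, 646): "LDP"}  # (IP proto, port)

def classify(frame: bytes) -> str:
    """Label one Ethernet frame, looking through VLAN tags and MPLS labels."""
    if len(frame) < 14:
        return "truncated"
    etype, off, prefix = struct.unpack_from("!H", frame, 12)[0], 14, ""
    while etype in (0x8100, 0x88A8) and len(frame) >= off + 4:   # VLAN tags
        etype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if etype in (0x8847, 0x8848):                                # MPLS
        prefix = "MPLS/"
        while len(frame) >= off + 4 and not frame[off + 2] & 1:  # until bottom of stack
            off += 4
        off += 4                                                 # skip the last label
        # Assumption: the labelled payload is IPv4 when its first nibble is 4.
        etype = 0x0800 if frame[off:off + 1] and frame[off] >> 4 == 4 else 0
    if etype != 0x0800 or len(frame) < off + 20:
        return prefix + "other"
    proto, l4 = frame[off + 9], off + (frame[off] & 0x0F) * 4
    if proto in (6, 17) and len(frame) >= l4 + 4:
        for port in struct.unpack_from("!HH", frame, l4):        # source, destination
            if (proto, port) in KNOWN:
                return prefix + KNOWN[(proto, port)]
    return prefix + "IPv4"

def tally(pcap: bytes) -> Counter:
    """Count labels over a classic pcap file with Ethernet link type."""
    end = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    if struct.unpack_from(end + "I", pcap)[0] not in (0xA1B2C3D4, 0xA1B23C4D):
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    counts, off = Counter(), 24                  # 24-byte global header
    while off + 16 <= len(pcap):                 # 16-byte per-record header
        incl = struct.unpack_from(end + "I", pcap, off + 8)[0]
        counts[classify(pcap[off + 16:off + 16 + incl])] += 1
        off += 16 + incl
    return counts

# Constructed sample: BGP, L2TP, and L2TP behind a VLAN tag plus two MPLS labels.
def _frame(l2: bytes, proto: int, port: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0, bytes(4), bytes(4))
    return bytes(12) + l2 + ip + struct.pack("!HH", 40000, port) + bytes(16)

SAMPLE_FRAMES = [_frame(b"\x08\x00", 6, 179), _frame(b"\x08\x00", 17, 1701),
                 _frame(bytes.fromhex("8100000a8847" "00064040" "000c8140"), 17, 1701)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in SAMPLE_FRAMES)
```

On a real capture, call `tally(open(path, "rb").read())`; a result with BGP and LDP counts but no `L2TP` or `MPLS/` labels means those frames never reached the capture interface.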