This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Help setting up wireshark to capture this problem

0

Networking is outside of my wheelhouse, so I thought I'd see if I could find some help here. Device "A" is sending out data over Ethernet/IP. Device "A" is not set to unicast, so I assume that means it is multicast or broadcast. Device "B" is listening to device "A" and always collects the data output from device "A". Device "C" is also listening to device "A" and usually collects the data from device "A", but occasionally does not collect any data, as though device "A" never sent anything. But I can verify that device "A" did send data by looking at the memory registers in device "B". I need some advice on the best way to configure Wireshark to detect what is going on here. Thanks.

asked 20 Mar '14, 06:24


mitsubishi47591


One Answer:

0

What do you mean by "Device "A" is not set to unicast"? If device A is a typical device, it only sends certain packets as Ethernet broadcast, such as ARP requests, DHCP requests, various discovery protocols, etc. But most packets will be sent unicast, namely to the Ethernet destination MAC address of the remote device it resolved the IP to, or the local gateway/router's MAC. (in either case, something it learned from ARP typically)

So, assuming you can't run Wireshark directly on Device A or Device B (which would be the best thing to do), you can instead run it on Device C or some other PC. The "trick" is connecting that Device C or PC to the network in such a way that it sees the unicast packets. Connecting it to a normal Ethernet switch port, for example, won't do it, since the switch only sends a unicast packet out the port it needs to go to. So you need to either use an old-school repeater/hub, or, if your Ethernet switch supports a monitor port, use that. (There are various other hacks possible, but those two are the easiest.)

Or are you using some protocol that specifically sends broadcast or multicast IP/Ethernet packets? (there are such protocols, but they're not common)

answered 20 Mar '14, 08:50


Hadriel

I've cleared up some of my personal ignorance today, but I still have a long way to go. What I should've said was that "Device A" has 1 "master" and 1 "listen only" connection. "Device A" outputs data when polled to do so. I'm assuming that both the master and the listen-only connection can poll the device, but the master and the listen-only connection are time-synced with each other and have the same RPI, which means they both poll "Device A" at the same time (I don't know if that's good or bad). Devices A, B, and C don't support Wireshark, so I'll be connecting a PC to the network to get a network capture. There is a managed switch between "Device A" and "Devices B and C", but I'm not sure if there is a monitor port or not. So when setting up Wireshark, do I use my computer's LAN port IP address, or would I set it to the address of "Device C"?

(20 Mar '14, 13:33) mitsubishi47591

I don't know what you mean by the first part of your comment. But to answer the last sentence: no, you do not set it to the address of Device C. Wireshark runs in promiscuous mode, meaning it will capture and display whatever packets arrive at the PC running Wireshark, even if their destination MAC/IP does not belong to the PC running Wireshark. (There are some situations where Wireshark cannot run in promiscuous mode, but I'll ignore that for the sake of brevity :)

The point of using a switch monitor port, or old-style repeater, is to get Ethernet packets that have a unicast destination address of something else, to arrive at the PC running wireshark as well.

In the switch monitor port scenario, that happens because the switch copies all Ethernet packets to the monitor port, so they can be monitored by tools like Wireshark (hence the name "monitor port").

(20 Mar '14, 14:09) Hadriel
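Both the answer above and Hadriel's follow-up comment turn on one distinction: a PC on an ordinary switch port receives broadcast and multicast frames, plus unicast frames addressed to its own MAC, but not unicast frames exchanged between two other hosts, and that is why a hub or monitor port is needed before promiscuous mode buys you anything. The Python script below is an added example, not code from the original thread or from the Wireshark project. It builds a handful of constructed frames (every MAC and IP address in it is made up, as is the UDP port), classifies each by its Ethernet destination, predicts whether the capturing PC would see it on a plain switch port, and writes the frames to a small pcap file you can open in Wireshark to try the listed display filters. The switch behaviour it models (flooding of broadcast, of multicast when there is no IGMP snooping, and of unicast to a not-yet-learned destination) is stated as an assumption in the comments.

```python
"""Constructed Ethernet/IP frames, classified by destination, written to a pcap.

Every address, port and payload below is made up for this example.
"""
import struct

# Constructed addresses for the three devices in the thread plus the capturing PC.
DEVICE_A_MAC = bytes.fromhex("00112233aa01")
DEVICE_B_MAC = bytes.fromhex("00112233bb02")
DEVICE_C_MAC = bytes.fromhex("00112233cc03")
PC_MAC = bytes.fromhex("00112233dd04")
DEVICE_A_IP, DEVICE_B_IP, DEVICE_C_IP = "192.0.2.10", "192.0.2.20", "192.0.2.30"
GROUP_IP = "239.192.1.1"  # an IPv4 multicast group, chosen arbitrarily

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
BROADCAST_MAC = b"\xff" * 6


def ip(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def ipv4_multicast_mac(group):
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    g = ip(group)
    return bytes([0x01, 0x00, 0x5E, g[1] & 0x7F, g[2], g[3]])


def ipv4_checksum(header):
    """Ones-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Minimal IPv4 header with a valid checksum carrying UDP (checksum 0 = none)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      ip(src_ip), ip(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def arp_request(sender_mac, sender_ip, target_ip):
    return struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                       sender_mac, ip(sender_ip), b"\x00" * 6, ip(target_ip))


def ethernet(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def classify(frame):
    """'broadcast', 'multicast' (I/G bit set in the first octet) or 'unicast'."""
    dst = frame[:6]
    if dst == BROADCAST_MAC:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast"


def delivered_to_plain_port(frame, port_mac, switch_knows_dst=True):
    """Would a host on an ordinary (non-mirrored) switch port receive this frame?

    Assumed switch behaviour: broadcast is flooded to every port; multicast is
    flooded too unless the switch does IGMP snooping; unicast goes only to the
    port the switch has learned for the destination MAC, except that a
    destination it has not learned yet is flooded like broadcast.
    """
    if classify(frame) != "unicast":
        return True
    if frame[:6] == port_mac:
        return True
    return not switch_knows_dst


FRAMES = [
    ethernet(BROADCAST_MAC, DEVICE_A_MAC, ETHERTYPE_ARP,
             arp_request(DEVICE_A_MAC, DEVICE_A_IP, DEVICE_B_IP)),
    ethernet(DEVICE_B_MAC, DEVICE_A_MAC, ETHERTYPE_IPV4,
             ipv4_udp(DEVICE_A_IP, DEVICE_B_IP, 40000, 2222, b"poll-reply-to-B")),
    ethernet(DEVICE_C_MAC, DEVICE_A_MAC, ETHERTYPE_IPV4,
             ipv4_udp(DEVICE_A_IP, DEVICE_C_IP, 40000, 2222, b"poll-reply-to-C")),
    ethernet(ipv4_multicast_mac(GROUP_IP), DEVICE_A_MAC, ETHERTYPE_IPV4,
             ipv4_udp(DEVICE_A_IP, GROUP_IP, 40000, 2222, b"group-data")),
]

# Wireshark display filters to apply once the pcap is open. eth.ig is the
# Ethernet individual/group bit: 1 for broadcast and multicast destinations.
DISPLAY_FILTERS = {
    "group-addressed frames only": "eth.ig == 1",
    "unicast frames only": "eth.ig == 0",
    "everything Device A sent": "eth.src == 00:11:22:33:aa:01",
}


def write_pcap(path, frames):
    """Classic libpcap format, link type 1 = Ethernet; timestamps are made up."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1395300000 + i, 0, len(frame), len(frame)))
            f.write(frame)


if __name__ == "__main__":
    for frame in FRAMES:
        print("%-9s  seen on the PC's plain switch port: %s"
              % (classify(frame), delivered_to_plain_port(frame, PC_MAC)))
    write_pcap("constructed.pcap", FRAMES)
```

Run it and the two unicast replies (A to B and A to C) come out as not delivered to the PC's port while the ARP broadcast and the multicast frame are; passing `switch_knows_dst=False` flips the unicast result, which is the transient you see right after a switch boots or ages out an entry, and is not something to rely on. Opening `constructed.pcap` in Wireshark and applying `eth.ig == 0` shows exactly the frames that will be missing from a capture taken on a non-mirrored port.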