This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark not capturing unicast frames in promiscuous mode

0

Hi,

I have a test setup in which my test board is connected to a machine on which Wireshark is installed. I see that my unicast (and multicast) frames are not captured by Wireshark. However, all my broadcast frames are captured properly by it. Please let me know whether there is any setting particular to unicast or multicast frames so that they are captured. I do believe that the CRC for the unicast and multicast frames is correct because I had the same test setup connected to an Ixia and have seen that the Ixia is collecting and reporting those frames. So I think we can drop the possibility of my NIC dropping packets with a wrong CRC (unless it drops them for some other reason).

I have promiscuous mode enabled for my interface. Is there a way to ensure that the promiscuous mode of the Wireshark is active on Windows 7 and it is not overridden (overridden by administrative rights)?

I would also like to know the scenarios in which my NIC will drop the frames, apart from an erroneous CRC.

Please also note that I am not using any capture filters.

Any help is appreciated!!!

asked 07 Apr '14, 04:16

Hafiz219

edited 07 Apr '14, 04:24

This is on Ethernet, not Wi-Fi, correct? (Promiscuous mode does not work very well at all on Wi-Fi adapters on Windows.)

(07 Apr '14, 20:00) Guy Harris ♦♦

How exactly is your test board connected to the PC?

Do you see the frames if you run Wireshark in non-promiscuous mode?

(07 Apr '14, 22:25) Kurt Knochner ♦

@Guy Harris: Yes, my test is on Ethernet and not on Wi-Fi.

(07 Apr '14, 23:21) Hafiz219

@Kurt: I tried with the non-promiscuous mode setting and I am still not able to capture the unicast frames. However, I am still able to capture broadcast frames. The test board is connected to the PC via an Ethernet cable. I have also tried connecting an Ixia to the PC with Wireshark and pumping packets directly to the PC.

(07 Apr '14, 23:46) Hafiz219

2 Answers:

0

Generate some traffic and in the Windows CMD type "netstat -e" several times to see which counter increases. If you see no discards, no errors and the unicast counter is increasing, try MS Network Monitor and check if it captures the traffic. Also try disabling any endpoint security software you may have installed.

answered 07 Apr '14, 12:42

Roland

Thanks Roland for the suggestion. I tried using the netstat -e option. Whenever I pump packets from an Ixia or my test board, the unicast packet count is incremented. I do not see any discards or errors. However, the observation is that the unicast packet count increments by a multiple of 4. For example, if I send 10 frames, the unicast frame count increases by 40. If the number of frames sent is 100, the unicast frame count increases by 400, and so on. Is this the expected behavior? Can I assume that my NIC is not dropping any of the incoming unicast packets since my unicast frame count is incremented?

(08 Apr '14, 00:10) Hafiz219

The behaviour is expected but I don't know why it does that. If you don't see errors or discards it is safe to assume that the NIC is not dropping the packets. Have you tried Network Monitor?

(08 Apr '14, 11:45) Roland

Roland, I haven't tried the Network Monitor yet. But I had tried disabling the endpoint security software that I was running. I still do not see unicast frames captured by Wireshark.

(09 Apr '14, 06:18) Hafiz219
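
The `netstat -e` check suggested in the answer above can be made repeatable by diffing two snapshots of the Received column. The following is an added example, not code from the original thread; it assumes English-locale Windows output, and the counter values are constructed for illustration.

```python
import re

# Constructed English-locale Windows "netstat -e" output; the Received column
# is filled in per snapshot, all values are illustrative.
TEMPLATE = """\
Interface Statistics

                           Received            Sent

Bytes                    {rx_bytes:>10}         9120344
Unicast packets          {ucast:>10}           30110
Non-unicast packets      {nucast:>10}             812
Discards                 {discards:>10}               0
Errors                   {errors:>10}               0
Unknown protocols                 0
"""
BEFORE = TEMPLATE.format(rx_bytes=48211734, ucast=51200, nucast=4210, discards=0, errors=0)
AFTER = TEMPLATE.format(rx_bytes=48214294, ucast=51240, nucast=4212, discards=0, errors=0)

# A counter row: a label, at least two spaces, then one or two integers.
ROW = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s{2,}(\d+)(?:\s+(\d+))?$")

def parse_netstat_e(text):
    """Return {counter name: (received, sent or None)}."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            sent = int(m.group(3)) if m.group(3) else None
            counters[m.group(1)] = (int(m.group(2)), sent)
    return counters

def received_delta(before, after):
    """Per-counter change in the Received column between two snapshots."""
    b, a = parse_netstat_e(before), parse_netstat_e(after)
    return {name: a[name][0] - b[name][0] for name in a if name in b}

def diagnose(delta):
    """Map the deltas onto the cases discussed in the answer."""
    if delta.get("Discards", 0) or delta.get("Errors", 0):
        return "NIC or driver is discarding or rejecting frames"
    if delta.get("Unicast packets", 0) > 0:
        return "unicast frames reach the host; look above the NIC (capture driver, security software)"
    return "no unicast frames counted; check cabling, addressing and the sender"
```

Take the two snapshots immediately before and after a burst of known size on an otherwise quiet link, so that background traffic does not mask the delta.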

0

The test board is connected to the PC via an ethernet cable

Sounds like your test board is either not doing ARP or it is doing it in the wrong way. Do you see any ARP requests in Wireshark?

Regards
Kurt

answered 08 Apr '14, 22:11

Kurt Knochner ♦

Kurt, I do see ARP requests in Wireshark. But the source of the ARP requests is the machine running Wireshark itself. I am now connecting the Ixia directly to the machine running Wireshark. Is there any way to ensure that the ARP is done correctly? Is it possible to turn off the address resolution? If so, can you please let me know how to do that?

(09 Apr '14, 06:16) Hafiz219

Is there any way to ensure that the ARP is done correctly?

Sure, post the capture file somewhere (google drive, dropbox, cloudshark.org) and we will tell you. Please add information about your environment here, like:

  • MAC and IP of the test board
  • MAC and IP of the PC
  • who is sending and who is receiving data

Is it possible to turn off the address resolution?

On your test board? I don't know! Please ask the vendor. However, it would not make much sense to disable that!

On your PC? Well, you can't disable just ARP on Windows, at least I don't know a way to do it, and it wouldn't make much sense, as you would not be able to resolve the MAC address of the 'other' side.

You can however set a static ARP entry. See arp -h (you would need option -s).

(09 Apr '14, 13:58) Kurt Knochner ♦
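
One way to check from a capture whether ARP is being answered, as asked in this answer's comments: list the IP addresses that appear as the target of an ARP request but never as the sender of an ARP reply. This is an added example, not code from the original thread; it assumes the frames are available as raw Ethernet bytes, and all MAC and IP addresses in it are constructed.

```python
import struct

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(p) for p in s.split("."))

def arp_frame(op, sha, spa, tha, tpa, dst):
    """Build an Ethernet II + ARP frame; used only to construct test input."""
    eth = mac(dst) + mac(sha) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def parse_arp(frame):
    """Return (op, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    (op,) = struct.unpack("!H", frame[20:22])
    dotted = lambda b: ".".join(map(str, b))
    return op, dotted(frame[28:32]), dotted(frame[38:42])

def unanswered_requests(frames):
    """Target IPs seen in ARP requests (op 1) that no reply (op 2) ever claimed."""
    asked, answered = set(), set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_ip, target_ip = parsed
        if op == 1:
            asked.add(target_ip)
        elif op == 2:
            answered.add(sender_ip)
    return sorted(asked - answered)

# Constructed capture: the PC (192.168.1.10) asks twice for the board
# (192.168.1.20) and gets no reply; a second host (192.168.1.1) does answer.
PC, HOST = "02:00:00:00:00:01", "02:00:00:00:00:02"
ZERO, BCAST = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"
CAPTURE = [
    arp_frame(1, PC, "192.168.1.10", ZERO, "192.168.1.20", BCAST),
    arp_frame(1, PC, "192.168.1.10", ZERO, "192.168.1.1", BCAST),
    arp_frame(2, HOST, "192.168.1.1", PC, "192.168.1.10", PC),
    arp_frame(1, PC, "192.168.1.10", ZERO, "192.168.1.20", BCAST),
]
```

If the test board's address is in the returned list, the PC is asking for it and nothing is answering, which matches a capture where every ARP request originates from the capturing machine.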