This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unicast Packet capture failure on wireshark

Hi,

I have a test setup which looks like this.

IXIA (Packet generator) -> DUT (2 port switch) -> Wireshark (PC)

IXIA transmits a unicast packet which is received by the DUT port 1 and sent out on port 2 to Wireshark.

The Wireshark packet capture doesn't show this packet. If I replace Wireshark with IXIA, IXIA shows this unicast packet being captured.

When I do a netstat -e on the PC which is running Wireshark, it shows the unicast frame counter (received) being incremented, but I still don't see this packet on the Wireshark capture.

I had initially set the capture filter to capture on ethertype, but even when this capture filter is removed I don't see anything on the Wireshark capture.

Any thoughts on what could be happening here?

asked 27 Aug '14, 05:15

Prasanna

edited 27 Aug '14, 22:12

Guy Harris ♦♦

A few thoughts:

What is the destination MAC address for the packet being sent?

Is there a MAC table entry on the switch for that destination MAC, and if so, what port is it associated with? If not, it should get flooded out of all ports, assuming your switch works like a regular one, so Wireshark should see it?

Is promiscuous mode enabled in the Wireshark capture options?

Does Wireshark capture broadcasts / multicasts?

(27 Aug '14, 14:45) PaulOfford

The dst MAC address is 18 03 73 20 0f d9. This is the MAC address of the PC on which Wireshark is running? I did not understand what you meant by which port it is associated with.

Promiscuous mode is enabled in Wireshark.

Wireshark captures broadcast packets only. It does not capture either unicast or multicast packets.

(27 Aug '14, 22:33) Prasanna

On many switches you can display the MAC table. This shows switch port numbers and the MAC addresses the switch has seen on each port.

You put a question mark after stating that the MAC address is that of the PC. Is that because you assume that the dest MAC is that of the PC, or have you actually seen it in a trace taken at the IXIA?

When you set up the IXIA, do you configure the packet as an IP packet? If so, how is ARP handled? Does the IXIA generate an ARP to resolve the IP address of the PC to its MAC address, or do you have to preconfigure the dest MAC or the ARP cache?

Sorry for so many questions.

Best regards...Paul

(27 Aug '14, 22:57) PaulOfford

I think the culprit was the antivirus software which was installed on the PC. Once this was removed, Wireshark is able to capture packets correctly.

Thanks for all the answers.

(28 Aug '14, 00:40) Prasanna