This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not Seeing the EAPOL return traffic from switch

I'm capturing the initial EAPOL traffic between the supplicant and the switch but the return EAP traffic are not reported by Wireshark. The workstation port is SPAN to send traffic to a laptop with Wireshark 1.12.6. The monitor session is set for both direction. I would expect to see the return traffic for the request and Success but not seeing it Wireshark. The destination is shown as "Nearest: with MAC of 01:80:c2:00:00:03 which shown as static CPU. Any ideas?

Client---------------->Nearest # Start Client---------------->Nearest # Response,Idendity Client---------------->Nearest # Client Hello Client---------------->Nearest # Response, TLS EAP (EAP-TLS) Client---------------->Nearest # Certificate, Client Key Exchange, Certificate Verify, Change Cipher, Encrypted Handshake Client---------------->Switch # Response, TLS EAP (EAP-TLS)

eapol

asked 01 Jul '15, 13:14

ub40
1●1●1●1
accept rate: 0%

Did you try to capture packets at the supplicant or server?
Are you seeing the complete security exchange at one endpoint (i.e., supplicant and/or server)?
Did you try using another port on the switch as a mirror port?

(02 Jul '15, 07:42) Amato_C

One Answer:

0	My guess would be that the SPAN isn't providing the authenticator packets for the capture port. Try to setup the capture differently. answered 02 Jul '15, 04:37 Jaap ♦ 11.7k●16●101 accept rate: 14%