This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to work around unicast messages

0

Hi, I'm a newbie and I'm trying to capture some information using Wireshark and I'm not able to see it. I've read through the FAQ page a couple of times and I believe my issue is with the actual messages I'm looking for. I have a very small network: one router, two 3rd-party products, and a laptop running the 3rd-party application that communicates with the two products. I want to add a sniffer onto the network to see the communication between the application and the products. I believe MIBs are being transmitted using the SNMP protocol, and I basically can't see anything relating to the data on the sniffer. I see a lot of messages but nothing related to the actual data. I'm assuming they are broadcast messages. Maybe there is a private community associated with the MIBs I'm looking for, or maybe it's a unicast message. Wireshark appears to be configured in promiscuous mode running on my laptop (independent of the laptop in the current network). I don't know if my network interface into the network is my network card or the common router I'm connected to. Can I do something using Wireshark in terms of its setup or operation to see these messages, or am I out of luck because it is proprietary messaging? I know it's not a specific question, but any input would be helpful. Thanks

asked 05 Feb '16, 13:32


hockey5


2 Answers:

0

I cannot see a reason why SNMP would use broadcast, so let's concentrate on the unicast messages. Also, I would assume that in such a simple network, the box between the laptop running the control application and the 2 devices is more likely to be a switch than a router, but it is not really important for the principle.

The principle is that if you want to see unicast traffic which is sent neither by nor to the interface you use for capturing, you must use a tap, a hub, or a switch with traffic monitoring capability to obtain a copy of the traffic and deliver it to the interface on which you are capturing.

Have you read this page? In your specific case, if you can capture on the laptop running the 3pty application, you don't need any additional hardware. If you cannot for any reason, you may still be lucky and the box you call "router" may be a manageable switch with monitoring capability, a router capable of taking traffic captures or, much less likely, a hub. In any other case you'll have to obtain additional hardware.

Only after capturing the traffic between the control laptop and the devices (which you recognize by source and destination IP addresses) will you be able to see whether SNMP or some other protocol is used between them.

answered 05 Feb '16, 14:18


sindy
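An added illustration of the principle in the answer above (not code from the thread or from Wireshark): a toy learning-switch model with constructed MAC addresses and port numbers, showing that a promiscuous-mode sniffer on an ordinary switch receives only the broadcast frames the asker describes, while a mirror (SPAN) port or a hub delivers the unicast SNMP exchange as well.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Constructed, locally administered MAC addresses for the toy network.
LAPTOP, DEV_A, DEV_B, SNIFFER = ("02:00:00:00:00:01", "02:00:00:00:00:0a",
                                 "02:00:00:00:00:0b", "02:00:00:00:00:ee")
PORTS = {LAPTOP: 1, DEV_A: 2, DEV_B: 3, SNIFFER: 4}  # which switch port each host is on


@dataclass
class Frame:
    src: str
    dst: str
    summary: str  # roughly what Wireshark's Info column would show


@dataclass
class Switch:
    """Learning switch. mirror_port (SPAN) gets a copy of every frame; hub=True floods everything."""
    mirror_port: Optional[int] = None
    hub: bool = False
    mac_table: dict = field(default_factory=dict)  # MAC -> port, learned from source addresses
    seen: dict = field(default_factory=lambda: defaultdict(list))  # port -> frames delivered

    def forward(self, frame: Frame, in_port: int) -> None:
        self.mac_table[frame.src] = in_port
        out = self.mac_table.get(frame.dst)
        if self.hub or frame.dst == BROADCAST or out is None:
            targets = {p for p in PORTS.values() if p != in_port}  # flood: broadcast/unknown dst
        else:
            targets = {out}  # known unicast goes to exactly one port
        if self.mirror_port is not None:
            targets.add(self.mirror_port)  # SPAN copy regardless of destination
        for p in targets - {in_port}:
            self.seen[p].append(frame)


def sniffer_sees(mode: str = "switch") -> list:
    """Frames the promiscuous sniffer on port 4 receives during one SNMP poll of device A."""
    sw = Switch(mirror_port=PORTS[SNIFFER] if mode == "span" else None, hub=(mode == "hub"))
    traffic = [
        Frame(LAPTOP, BROADCAST, "ARP who-has device A"),   # broadcast: reaches every port
        Frame(DEV_A, LAPTOP, "ARP reply"),                  # laptop's port already learned
        Frame(LAPTOP, DEV_A, "SNMP get-request sysDescr"),  # unicast between two other ports
        Frame(DEV_A, LAPTOP, "SNMP get-response sysDescr"),
    ]
    for f in traffic:
        sw.forward(f, PORTS[f.src])
    return [f.summary for f in sw.seen[PORTS[SNIFFER]]]


if __name__ == "__main__":
    for mode in ("switch", "span", "hub"):
        print(f"{mode:6}: {sniffer_sees(mode)}")
```

In "switch" mode the sniffer port ends up with only the ARP broadcast, which is the "lots of messages but none of the data" symptom; "span" and "hub" both deliver all four frames.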

0

You don't indicate whether your network is Ethernet or Wireless; you should read the appropriate Capture setup page for Ethernet or Wireless.

Presuming you have Wireshark installed on the laptop running the application, you should be able to capture traffic on the appropriate NIC for the products.

answered 05 Feb '16, 14:24


grahamb ♦