This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Traffic capture issue with USB 3.0 Ethernet adapter on Windows 7 64-bit


I have difficulty seeing all the traffic in the Wireshark app when I use a USB 3.0 to Ethernet adapter on my Windows 7 64-bit machine. I am using USB 3.0 with the Realtek RTL8153-VB chipset. My USB WinPcap version is 4.1.3 and my Wireshark version is 2.2.2. I also have the USBPcapCMD.exe plugin. The issue is that when I do a traffic capture I see some of the traffic that I expect to see, but not all of the protocols. For instance, when I do a traffic capture on a VoIP device (IP phone), I expect to see SIP & RTP protocol traffic, but I don't see those. I see TCP, UDP, ICMP and some others, but not the ones I have mentioned. To rule out whether the OS has anything to do with my issue: when I switch to my on-board NIC I can see all the traffic that I expect to see, but not when using the USB NIC. I have contacted the USB chipset manufacturer (Realtek) regarding this issue and they instructed me on how to add a piece to their chipset driver files to manually enable promiscuous mode, which I did. The fact that I see some TCP and UDP traffic in my capture tells me the chipset does what it needs to do, but it looks like there is another piece that I am missing in my whole setup. Would you please help me with this issue?

Thanks, Robert M.

asked 13 Dec '16, 18:11


robertmi

edited 14 Dec '16, 13:14


Guy Harris ♦♦

So are you using USBPcap to capture raw traffic on your USB bus, or are you just capturing on an Ethernet adapter that happens to be attached to your machine via USB? The latter doesn't involve USBPcap - it's no different from capturing on a network adapter on the machine's motherboard, for example.

If you're just capturing on the USB Ethernet adapter as a regular network adapter, are you plugging the USB Ethernet adapter into the same port as the one into which you're plugging the onboard Ethernet NIC?

(13 Dec '16, 19:16) Guy Harris ♦♦

Hi Guy Harris, I don't use USBPcap to do the traffic capture; I use a USB Ethernet adapter that is attached to my machine via USB. When I run the Wireshark application I choose the USB Ethernet adapter NIC as the source of traffic and then start the capture. Regarding your next question: if you meant that I connect the USB adapter to the same network switch port where I connect my on-board Ethernet NIC, the answer is "yes". So basically, there is no issue on the network switch port configuration side for sure because I use the same port; the issue is on my machine. I don't know if anybody has yet tried to do a traffic capture using a USB 3.0 Ethernet adapter on a Windows machine and what the outcome was.

Thanks, Robert M.

(14 Dec '16, 12:26) robertmi

When you capture with the USB Ethernet adapter, do you see any traffic that's not broadcast or multicast traffic and that's not being sent to or from the machine doing the capturing?

(14 Dec '16, 13:16) Guy Harris ♦♦

When I do a traffic capture I see traffic sourced from and destined to my test IP phone (the switch port that my IP phone is connected to is monitored by the switch and mirrored to my mirror port), but not the traffic that I am expecting to see, which is the SIP & RTP protocols. My machine can't talk to the outside network due to a switch limitation.

(14 Dec '16, 14:25) robertmi

OK, so:

  1. if you plug the USB Ethernet adapter into the mirror port on the switch, and capture in promiscuous mode, you see unicast (non-broadcast and non-multicast - TCP pretty much implies "unicast") traffic to and from the test IP phone, but you're not seeing SIP and RTP traffic to or from the phone;
  2. if you plug the onboard Ethernet adapter into the mirror port on the switch, and capture in promiscuous mode, you see unicast traffic to and from the test IP phone, including SIP and RTP traffic to or from the phone?

(14 Dec '16, 14:31) Guy Harris ♦♦

Yes, you are correct.

(14 Dec '16, 14:33) robertmi

I assume you're doing the same thing with the phone in both cases, making a call.

Could you put short captures from both scenarios up on some Web site (Cloudshark, Dropbox, etc.) and post links to both of them in a comment (not an answer - answers are for actual answers to questions, not for replies to questions asked in a comment)? Perhaps the USB adapter is somehow mangling the SIP and RTP packets in ways that make them unrecognizable as SIP or RTP.

(14 Dec '16, 14:40) Guy Harris ♦♦

Yes, I do. Yes, I can do a short capture of both cases, put them on Dropbox and provide you with the links.

(14 Dec '16, 14:58) robertmi

Well, that's odd. Some traffic to and from the phone (IP address 172.16.200.30) shows up only in the USB Ethernet capture and some shows up only in the onboard Ethernet capture. The additional packets in the USB Ethernet capture may be there because that capture ran for a longer period of time (2 minutes 45 seconds, rather than 33 seconds).

So the phone works regardless of whether the machine on which you're capturing the traffic is plugged into the switch or not - or whether it's plugged into any network at all or not - and on whether, if it is plugged in, you plug the on-board or the USB Ethernet in?

(14 Dec '16, 17:59) Guy Harris ♦♦

The capture with the USB adapter is bigger because the phone contacted our provisioning servers, so it has more traffic, but when you filter by SIP you don't see a packet. In contrast, when you look at the other capture, which was done with the on-board NIC, you see all the SIP & RTP and also TCP from the phone to our provisioning servers (208.75.8.28 & 64.47.12.15), and also some ICMP packets and some DNS and NTP.

Yes, the phone works just fine and I don't have a problem with the IP phone. I use my machine in our lab environment, where I need to do traffic captures with my USB adapter and get all the traffic in/out of the IP phone, which I can't. You might ask why I don't use my on-board NIC to do the capture. The answer is that since this is a lab environment I have multiple VLANs set up on our network switch, and only my on-board NIC (Intel brand) is capable of being set up with multiple VLANs, not the USB adapter. On the other hand, the machine is an "Intel NUC", which is one of the smallest machines on the market and comes with one on-board NIC, so I am forced to use a USB adapter as my second NIC to do only traffic capture, which is where I face this problem. I hope this all makes sense to you. I know that my last option is to replace the Intel NUC machine with a desktop that has multiple on-board NICs, but I want to first find out if I can fix the issue with the USB adapter before I move to the option of replacing my machine.

Thanks, Robert M.

(14 Dec '16, 18:33) robertmi

So is the phone on a VLAN, or is it just sending raw Ethernet packets?

If it's on a VLAN, can the USB adapter be configured not to be on a VLAN at all, and to capture all packets on all VLANs as well as non-VLAN packets, with packets on a VLAN captured with the VLAN headers left on rather than being stripped off?

(14 Dec '16, 19:33) Guy Harris ♦♦
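One way to test the VLAN question raised in the comment above is to tally both captures by VLAN tag, protocol and destination port and see which traffic classes appear in only one of them. The script below is an added example, not part of the original thread. It assumes captures saved in classic pcap format (not pcapng) with Ethernet link type, and the two sample captures, the VLAN ID 100 and the destination address are constructed for illustration; UDP port 5060 stands in for SIP.

```python
import struct
from collections import Counter

def classify(frame: bytes):
    """Return (vlan_id or None, protocol name, dst port or None) for one Ethernet frame."""
    if len(frame) < 14:
        return (None, "short", None)
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan, l3 = None, 14
    if etype == 0x8100 and len(frame) >= 18:      # 802.1Q tag left on the frame
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, l3 = tci & 0x0FFF, 18
    if etype != 0x0800 or len(frame) < l3 + 20:   # only IPv4 is broken down further
        return (vlan, f"ethertype 0x{etype:04x}", None)
    proto, l4 = frame[l3 + 9], l3 + (frame[l3] & 0x0F) * 4
    name = {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, f"ip-proto {proto}")
    if proto in (6, 17) and len(frame) >= l4 + 4:
        return (vlan, name, struct.unpack("!H", frame[l4 + 2:l4 + 4])[0])
    return (vlan, name, None)

def summarize_pcap(data: bytes) -> Counter:
    """Tally classify() results over a classic (non-pcapng) Ethernet pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        counts[classify(data[off + 16:off + 16 + caplen])] += 1
        off += 16 + caplen
    return counts

def only_in_first(a: Counter, b: Counter):
    return sorted(set(a) - set(b), key=repr)   # classes seen in a but never in b

# --- constructed sample data (not the poster's captures; VLAN 100 is made up) ---
def _frame(vlan, proto, dport):
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     bytes([172, 16, 200, 30]), bytes([192, 0, 2, 10]))
    l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
    return b"\x02" * 6 + b"\x02" * 6 + tag + b"\x08\x00" + ip + l4

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
CAPTURE_A = _pcap([_frame(100, 17, 5060), _frame(100, 17, 5060), _frame(None, 6, 443)])
CAPTURE_B = _pcap([_frame(None, 6, 443)])
```

For real files, read each capture with `open(path, "rb").read()` and pass the bytes to `summarize_pcap`; a class that shows a VLAN ID in one capture and is missing from the other points at tagged frames being dropped or handled differently by that adapter or its driver.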

The IP phone is on a VLAN (voice VLAN). Regarding the USB adapter, when the USB adapter is connected to the mirror port of the switch, the switch dumps everything from the monitor port (traffic from all VLANs on that port) and the mirror port on the switch can't be a member of any VLAN. The USB adapter has a feature to be set on a specific VLAN (I guess as tagged, I don't know, I need to test this). But please note, in the traffic capture using the USB adapter I see my IP phone talk to our provisioning servers (using TCP protocol, https, tlsv1), so this is telling me that it is not a problem with the VLAN; if it was, it wouldn't show any traffic in/out of my IP phone, right? I will test with setting up the USB adapter with the voice VLAN to see what the outcome will be.

Thanks, Robert M.

(15 Dec '16, 11:52) robertmi

I have set the voice VLAN ID in the USB adapter settings but with no luck; I still can't see SIP & RTP traffic. I have actually played with all of the USB adapter's advanced settings with no luck. At this point the problem is either with the USB adapter itself or with the Windows OS settings with regard to the USB adapter on my machine. Can you think of a way to see what the USB adapter is sending to the Windows OS before the OS passes it to the Wireshark application? If there is a way, then we can narrow down whether the issue is indeed with the USB adapter or with the Windows OS.

Thanks, Robert M.

(15 Dec '16, 12:26) robertmi

> Can you think of a way to see what the USB adapter is sending to the Windows OS before the OS passes it to the Wireshark application?

You could try capturing on the USB bus with USBPcap and see what USB traffic goes between the adapter and the host.

(15 Dec '16, 12:51) Guy Harris ♦♦