This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filter on ip.addr


Hi,

New user, lost in filters. I have some hardware connected to the internet. The hardware is sending out an NTP request and is certainly getting a response because the time stamp is correct. But I can't find the packets in the WireShark capture.

My hardware is at 192.168.1.86. I thought I could just set a filter of ip.addr==192.168.1.86. I do see a broadcast to the board and a UDP reply, plus MDNS packets, but nothing that would be going to the NTP server. I have debug messages coming out of the hardware so I know the NTP request is going out.

What am I missing?

More details: I posted a related question a couple of months ago about capturing WiFi packets. I was told then that WiFi didn't work under Windows. The hardware is still WiFi (only). I am connecting to it through a WiFi access point. It's address is .89. The access point connects to a hub which then connects to a 2Wire router to the internet. The PC running WireShark is connected to the same hub as the access point and the router. So it seems to me that every packet going into or out of access point should be visible to WireShark. But either that's not true or I still am not filtering correctly.

Any ideas that can get me jump-started?

Thanks,

Dave

asked 26 Jan '17, 23:40

djw

Is that the only network interface in your system?

Have you tried to force the NTP update while you're capturing traffic?

(27 Jan '17, 00:13) csigueros

"The access point connects to a hub..." I doubt you have a true hub, since you seem to only capture broadcast and multicast traffic. Get a switch with a real monitor port instead. See the wiki for more details.

(27 Jan '17, 02:02) Jaap ♦

My expertise is in embedded systems, not networks. THANKS for the help!

After booting the embedded side, it connects to my WiFi access point, then connects to an NTP server and gets a new time stamp. It then waits 10 minutes and tries to get a new NTP time stamp. This always fails and it retries forever. This is the actual problem I'm trying to capture with WireShark.

Yes, I don't have a hub. But I did buy and install a new Netgear GS108Ev3. It's an 8 port switch with mirroring capability.

Let me explain my network. Cable box with internal hub and WiFi. Ethernet to other switches and devices, wired and wireless. Ethernet to the new Netgear switch. That switch connected only to a WiFi access point which my embedded hardware connects to, and a wire to my PC running WireShark. Nothing else is on the new switch. My understanding (wrong?) is by isolating the embedded hardware WiFi to the access point, and the access point to the switch (to the cable box), with mirroring on the access point, I'd be able to see what the embedded hardware is sending/receiving from the access point.

My access point is plugged into port 6, my PC running WireShark in port 4, and port 1 plugged into my cable box hub. I also created virtual LANs on the switch, 1 on ports 1-4 and 2 on ports 5-8. I did this because I ran the tests below and it didn't work, so I created the virtual LANs to make sure that the mirrored port wasn't somehow interfering with the port to my access point.

Without mirroring, I can boot my WiFi board. It goes through the initialization process and then goes to the NTP server and gets a time stamp, then fails 10 minutes later.

If I have mirroring turned on, source port = 6, destination port = 4 and then I boot my WiFi board, it never resolves the pool.ntp.org address. It keeps failing, waiting a while, then retrying.

If I don't mirror, I can get the first time stamp, as above. If after getting that first time stamp, I then turn on mirroring of port 6 to port 4, after 10 minutes it fails to connect to the NTP server. At this point, I can't tell if this is the same problem I've been chasing where it doesn't re-connect after 10 minutes, or if this is the problem where turning on mirroring kills the interface to the NTP server. I suspect somehow turning on mirroring is killing the interface to the internet, since it doesn't work to begin with when mirroring is turned on.

Any suggestions would be tremendously appreciated.

Thanks!

Dave

(28 Jan '17, 14:41) djw

Are you using a WiFi router or a WiFi Access Point?

There is a difference. The router can change the IP address of connected devices whereas the Access Point will not.

What if you do not put any filters on your interface? Do you see ingress and egress traffic to/from your embedded device?

(30 Jan '17, 06:12) Amato_C

I correctly stated it's an access point. It's configured correctly and connected to my cable router as an access point. I can connect via WiFi to either my cable box or the AP and everything works fine.

Yes, I do see a UDP packet from my hardware to 192.168.1.255 right after an ARP. Then I see a dozen or so MDNS packets. (What are these??? Seems like a security issue when my hardware (TCP stack from Microchip) is sending packets to 224.0.0.251.)

What I don't see are any other packets to/from my hardware. And I do see a lot of other packets to/from other devices and the AP.

Thanks,

Dave

(30 Jan '17, 09:58) djw

mDNS = multicast Domain Name System, https://en.wikipedia.org/wiki/Multicast_DNS

What is interesting here is that you are only capturing multicast and broadcast packets.

Multicast packets have an IP address that begins with 224 or 223.

Broadcast addresses for a network segment end with 255, in your case 192.168.1.255. You might also see IP addresses with all 1's (255.255.255.255).

Do you see any unicast traffic? That is, any addresses not listed above. For example, you should see traffic with a source (or destination) address of 192.168.1.x, where x is not 255.

Try removing the VLANs and provide feedback. If you still do not see any unicast traffic, then your switch is not mirroring traffic or your network interface on the Wireshark computer is not configured for promiscuous mode. https://wiki.wireshark.org/CaptureSetup/Ethernet

(30 Jan '17, 10:34) Amato_C

Can you ping pool.ntp.org from your DUT (Device Under Test)?

Is the following diagram, created with the help of asciiflow, representative of your setup? If so, is WAP performing NAT?

                                                      <==========>
                                                    +              +
                                                    |              |
                        +-----------------+     +-------+      +-------+
                        |    GS108Ev3     |     |       |      |       |
                        |                 |     |  WAP  |      |  DUT  |
                        | 1        4   6* |     |       |      |       |
                        +-^--------^---^--+     +----^--+      +-------+
                          |        |   |             |       192.168.1.86
                          |        |   +------?------+
                          |        |
                +---------v-+    +-v---------+
                |   Cable   |    |           |
Internet <------+   Box     |    | Wireshark |   *Port 6 mirrored to Port 4.
                |           |    |           |
                +-----------+    +-----------+

What do you see if you filter for ntp traffic, i.e., "udp port 123"?

(30 Jan '17, 10:46) cmaynard ♦♦
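Added example, not code from the thread: a small Python model of the two checks suggested in the comments above, Amato_C's "do you see any unicast?" test and cmaynard's udp port 123 filter, run over a constructed capture summary. The frame lists, port numbers and the 192.168.1.0/24 segment are assumptions for illustration, not captured data.

```python
import ipaddress
from collections import Counter

NTP_PORT = 123
SEGMENT = ipaddress.ip_network("192.168.1.0/24")  # the poster's LAN, assumed

# Constructed capture summary (hypothetical): one dict per frame as seen on the
# mirror destination port. Only broadcast/multicast from the DUT arrive,
# reproducing the symptom in the question.
MIRROR_BROKEN = [
    {"src": "192.168.1.86", "dst": "192.168.1.255", "proto": "udp", "sport": 30303, "dport": 30303},
    {"src": "192.168.1.86", "dst": "224.0.0.251", "proto": "udp", "sport": 5353, "dport": 5353},
    {"src": "192.168.1.89", "dst": "192.168.1.1", "proto": "tcp", "sport": 49152, "dport": 443},
]
# Same scenario once the mirror works: the DUT's unicast NTP exchange appears too.
MIRROR_OK = MIRROR_BROKEN + [
    {"src": "192.168.1.86", "dst": "132.163.4.102", "proto": "udp", "sport": 123, "dport": 123},
    {"src": "132.163.4.102", "dst": "192.168.1.86", "proto": "udp", "sport": 123, "dport": 123},
]

def classify(addr):
    """Sort an IPv4 address into multicast (224.0.0.0/4), broadcast or unicast."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip == SEGMENT.broadcast_address or ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    return "unicast"

def ip_addr_filter(frames, host):
    """Model of the display filter ip.addr==host: match either direction."""
    return [f for f in frames if host in (f["src"], f["dst"])]

def udp_port_filter(frames, port):
    """Model of udp.port==port: UDP frames with that source or destination port."""
    return [f for f in frames if f["proto"] == "udp" and port in (f["sport"], f["dport"])]

def mirror_health(frames, host):
    """If every frame involving host is broadcast/multicast, the capture point is
    not receiving its ordinary traffic (mirror or promiscuous-mode problem)."""
    mine = ip_addr_filter(frames, host)
    kinds = Counter(classify(f["dst"]) for f in mine)
    return {
        "frames": len(mine),
        "by_kind": dict(kinds),
        "ntp_frames": len(udp_port_filter(mine, NTP_PORT)),
        "unicast_seen": kinds["unicast"] > 0,
    }
```

`mirror_health(MIRROR_BROKEN, "192.168.1.86")` reports no unicast and zero NTP frames, matching what the poster saw; the same call on MIRROR_OK shows the two NTP frames a working mirror would deliver.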

@cmaynard thanks for the link of the asciitool!

(30 Jan '17, 11:08) Christian_R

This site is weird. There was a comment from Amato_C, and my response, both now gone. ???

Yes, it's a real AP, configured properly with WiFi networks available and working on other PCs.

cmaynard: Yes, your picture is accurate. (And I too thank you for the link.) I see an ARP with the MAC address of my hardware, followed by a UDP from it, and then a bunch of mDNS packets. Nothing else. That's with ip.addr==192.168.1.86.

I see lots of packets to/from my AP, .89.

I see nothing with udp.port==123 which is weird because I know I'm hitting the NTP server once because I get a valid time stamp in debug statements from my hardware.

Yes, I can ping pool.ntp.org from anywhere else.

Those symptoms make me think I'm somehow using WireShark wrong.

???

Thanks,

Dave

(30 Jan '17, 11:24) djw

I believe all comments are still here, but you need to click the button that reads "show <n> more comments" to view them all.

(30 Jan '17, 11:44) cmaynard ♦♦

Is your GS108Ev3 running the latest firmware version? Currently this is 2.00.09.

Are you able to capture packets directly on the DUT using cli tools like tcpdump, dumpcap or tshark?

(30 Jan '17, 11:57) cmaynard ♦♦

Yes, show more helps, as well as looking at a browser window that isn't stale.

I have just upgraded to the latest firmware, same symptoms.

Sorry, you've just overloaded my brain with tools I don't know about. All I have (that I know about) on my embedded hardware are some debug statements built into the TCP and SNTP stack. Here are a couple lines from the debug:

    SNTP solving IPv4 DNS: pool.ntp.org, time: 9
    SNTP State: 3 - dns_solved, time: 9
    SNTP solved DNS: pool.ntp.org, address: 132.163.4.102, time: 10
    SNTP State: 4 - send, time: 10
    SNTP State: 5 - recv, time: 11
    SNTP State 6 - s_wait, time: 11
    SNTP new TStamp: 1485822277, time: 11

That time stamp translates to 1/30/17 16:24:37 which is the time I ran this test. So it does look like my embedded hardware is getting to the NTP server at least once.

And again, I'm not able to see that on WireShark using the configuration I have, so it still appears I'm doing something wrong in WireShark.

Thanks,

Dave

(30 Jan '17, 16:33) djw

Oh yes, and that time stamp is fetched only if I don't mirror the port on the switch that is wired to the AP to the port on the switch of the PC running WireShark (and the switch configuration software).

(30 Jan '17, 16:35) djw

Sorry, now I'm completely lost. My network is the same as the drawing above, except I've turned off mirroring. From this PC, connected with WAP to my cable box, I can ping the new AP successfully. But I am not seeing this with Wireshark using a different PC wired to the switch as in the drawing above. So I am missing something really basic here. Though I do see a few packets to/from the AP in WireShark, I am not seeing the pings which I also know are getting there and back.

(30 Jan '17, 16:53) djw

Some more things to consider:

Capturing VLAN tagged traffic on Windows is a hit or miss situation at best. From all the text I can't make out if this is applicable.

Did you study, and understand all of https://wiki.wireshark.org/CaptureSetup/Ethernet

Try to make your capture platform more isolated, remove all network stacks from the capture interface, but make sure it stays up. This to make it truly passive.

(31 Jan '17, 02:04) Jaap ♦

"But I am not seeing this with Wireshark using a different PC wired to the switch as in the drawing above." Did you configure port mirroring correctly? It sounds to me like you didn't if you're not seeing the traffic.

(31 Jan '17, 08:43) cmaynard ♦♦

This is my current configuration. At this time, there are no VLAN or mirror configurations enabled:

    +---------------+     +-----------+     +-----------+
    |               |     |           |     |           |
    |    cable      |     |           |     |  access   |
    |    box        |<--->|  switch   |<--->|  point    |
    |               |     |           |     |           |
    |               |     |           |     |           |
    +---------------+     +-----------+     +-----------+
                                ^
                                |
                                v
                          +-----------+
                          |           |
                          |    PC     |
                          |           |
                          +-----------+

These are only the wired interfaces. Since the switch is between the AP and the cable box hub, and WiFi is not at all involved, I would expect to see traffic between my laptop over WiFi to the cable box (NOT the AP) when I ping the AP. I do not see this even though pings are successful. Obviously I'm doing something wrong.

Until I can see reasonable, known traffic on WireShark, I don't expect to see the traffic coming over WiFi to the AP.

Any other help?

Thanks!

Dave

(31 Jan '17, 09:32) djw

Sorry about the picture. I'm still new to this.

    +----------+    +---------+    +---------+
    |          |    |         |    |         |
    |  cable   |    | switch  |    | access  |
    |  box     +---->         +---->  point  |
    |          |    |         |    |         |
    +----------+    +----^----+    +---------+
                         |
                         |
                         |
                     +---+----+
                     |        |
                     |   PC   |
                     |        |
                     +--------+

(31 Jan '17, 09:38) djw

"I would expect to see traffic between my laptop over WiFi to the cable box (NOT the AP) when I ping the AP."

I don't understand what you're saying here. (And your diagram isn't much help either.) If your laptop is connected wirelessly to the AP and you ping the AP, then you won't see that traffic on the switch. I guess I'm missing something. Unless what you're saying is that the cable box is also acting as a wireless access point? But then what is the point of the AP? It's broadcasting a different wireless network?

(31 Jan '17, 10:00) cmaynard ♦♦

One Answer:


Success!

I wish I could say why it wasn't working. In the end, I decided to reset the switch to factory defaults. When I did that, it timed out. So I reset the switch and tried again. Same thing. So I reset again. I then connected my PC via WiFi in addition to the wire, using the old password installed before the factory default. That worked, indicating the factory default did not work.

And then I was able to capture data.

Apparently the switch was in a mode it wasn't happy with. Maybe when I turned VLAN on then off I should have rebooted? I don't know, and there's not enough in the switch manual to say.

Bottom line is, WireShark IS working and apparently I am capturing packets correctly now that the switch is working too.

I'll post again if I have anything else to add.

Thanks to all (ESPECIALLY cmaynard) for your help and patience.

Dave

answered 31 Jan '17, 11:36

djw

Glad you got it working.

(I converted your comment to an answer, as it looks like restoring the factory defaults or simply resetting the Netgear GS108Ev3 was the solution.)

(31 Jan '17, 11:42) cmaynard ♦♦