This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm experimenting with Bridging and Traffic control in Ubuntu and using a virtual box for this. I want to see what happens to the packets in Wireshark and found a behaviour which I'd like to understand

In virtual box I have two Host Only adapaters with DHCP disabled - In my Host end of the adapters one of these (AdaptorA) has an IP address (192.168.11.1) the other (AdaptorB) is not bound to IPV4

Inside Ubuntu I bridge the two adapters This works fine and I can send a packet to 192.168.11.2 and wireshark monitoring AdapterB - sees the ARP requests. If I fake an arp entry then I see the packet as I'd expect. Fake ARP entry "arp -s 192.168.11.2 00-11-22-33-44-55 -N 192.168.11.1"

However if I then (in Wireshark) select monitor BOTH AdapterA and AdapterB and then send one packet - Wireshark sees over 845000 packets before I killed it and it crashed - so it looks to me like a loop is formed. This is repeatable I have not seen this bridgeing type behaviou before on real adapters so I don't think this is normal. I don't currently have a host with multiple physical adaptors so I can't check.

Other (network) software installed on the Host is Windows 7 , AirMagnet, Cisco AnyConnect and the Virtual PC (for the Windows XP VM) so I'm not expecting this to be a regular problem

Inside Ubuntu both interfaces are "LinkLocal only" and I bridged them using the following commands

brctl addbr bypass0
brctl addif bypass0 enp0s3
brctl addif bypass0 enp0s8
brctl setfd bypass0 0
brctl sethello bypass0 2
brctl setmaxage bypass0 12
brctl stp bypass0 off
ip link set dev bypass0 up

I'm sending a Single UDP packet on port 24 (using a program called packet Sender by Dan Nagle)

  • If I monitor AdaptorA I see one packet
  • If I monitor AdaptorB I see two packets (not sure exactly why)
  • If I monitor AdaptorA and AdaptorB I see an unlimited number of packets which I think is wrong

Changing STP to ON did not change the unlimited number of packets

I intend to use a Traffic control to simulate a delay (from https://www.excentis.com/blog/use-linux-traffic-control-impairment-node-test-environment-part-1 ) using commands such as

tc qdisc add dev bypass0 root netem delay 100ms

So I want to see how long it takes for packets to traverse my Linux box before I swap to real cards so I'd like to work around this

Thanks for reading and any hints or things to check

This question is marked "community wiki".

asked 29 Jan '17, 20:06

rjwilson01's gravatar image

rjwilson01
6234
accept rate: 0%

edited 29 Jan '17, 20:12

Try not setting promiscuous mode while capturing and see if that makes a difference.

(30 Jan '17, 08:23) Jaap ♦

Thanks I've Tried disabling promiscuous mode in the host and it still generates a lot of traffic I tried installing wireshark inside the VM - If I monitor both ports inside the VM I don't get lots of traffic.

If I monitor both inside the VM and monitor both ports on the host - then the VM Wireshark does see a lot of packets , not as many but I believe that is just lack of processing power. So this is a real effect on the VirtualBox/Wireshark monitoring.

I also tried two Wiresharks running in the host, each monitoring one network card - this also caused the loop.

The loop also occurs for traffic initiated by the VM I tried disabling all the IPV4 (and IPV6) within the VM - this stopped traffic initiated within the VM however it still has a loop.

I also disabled the two interfaces (leaving the bridge interface enabled), this still bridged traffic (ie traffic came out the second interface) but also still caused the loop when monitoring both interfaces in the host.

I disabled promiscuous mode in the VM as well

I think I'll see if using the wireshark inside the VM is enough to confirm how the Traffic control operates.

(30 Jan '17, 16:14) rjwilson01

There's also a new packet sniffer library for Windows in the works, which may make a difference as well.

(31 Jan '17, 01:52) Jaap ♦

Given the behaviour a new PCAP sounds appropriate - thanks for point that out I ;ve tried a few things NPCAP (leaving WinPcap present and in legacy mode ) and I think it probably is a driver problem. It does not loop the network with NPCAP installed in either PWinPcap emulation or not. But it also does not show the second packet. The second packet is still present inside the VM Wireshark capture

I'm still looking into it as I've got some hardware now and so will send this through a Cisco switch with a SPAN to try and see actual traffic. But I have to move on - I've confirmed that the Traffic control works

One thing on that shortcut you posted I can't get to https://npcap.org/ I must go to http://npcap.org/ which redirects me to https://nmap.org/npcap/ I'd guess its a browser setting

(31 Jan '17, 16:48) rjwilson01

WinPCAP driver problem causes Loops when interacting with VirtualBox drivers

permanent link

answered 31 Jan '17, 16:49

rjwilson01's gravatar image

rjwilson01
6234
accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×24
×5

question asked: 29 Jan '17, 20:06

question was seen: 4,033 times

last updated: 31 Jan '17, 16:49

p​o​w​e​r​e​d by O​S​Q​A