I'm trying to view packets for an embedded device of mine. When I watch the network, I can see the device and its IP send 4 packets when it initially connects to the network.
But then Wireshark won't show anything else for this device, when I KNOW it is sending other packets. Does anyone have any idea how I can see the packets my device is sending? Thanks for the help.
asked 07 Jun '17, 10:38 caden311
edited 07 Jun '17, 10:49 grahamb ♦
One Answer:
The traffic you show is all broadcasts. Do you have promiscuous mode enabled on the interface you're capturing on to allow capture of unicast traffic destined for hosts other than the capturing one? Are you sure the embedded device is able to locate a MAC address (via ARP) for the unicast address it wishes to send to? You should see ARP traffic as they are broadcasts as well.
answered 07 Jun '17, 10:48 grahamb ♦

Yes, I have promiscuous mode enabled, and yes, I am seeing ARP messages for the device.
581 41.823085 Digiboar_a1:db:44 Broadcast ARP 60 Who has 169.254.196.127? Tell 0.0.0.0
Just not sure why I'm not seeing any of the TCP traffic that's happening.
(07 Jun '17, 11:00) caden311

OK, so the device is looking for 169.254.196.127, hopefully that's the APIPA address assigned to your capturing host, but the ARP is asking for responses to be sent to 0.0.0.0. It would seem that the device doesn't have an IP address.
(07 Jun '17, 11:03) grahamb ♦

Sorry, this is the last ARP message, when it finds a router.
597 44.830725 Digiboar_a1:db:44 Broadcast ARP 60 Who has 192.168.1.1? Tell 192.168.1.118
And I know traffic is leaving the device and hitting my webserver.
(07 Jun '17, 11:23) caden311

I think @Guy Harris may be more on track with your issue here, in that you are running on a switched network and haven't made the necessary adjustments to ensure the switch sends you all the traffic. Can you amend your question with details of the network configuration, e.g.:
(07 Jun '17, 15:22) grahamb ♦

Is this on an Ethernet network, a Wi-Fi network, or some other type of network?
It's Ethernet with only my computer and the device plugged in.
What are they plugged into? A switch, a hub, or is this just a point-to-point Ethernet cable between your computer and the device?
I have a router with two Ethernet cables, one going to my computer, the other to the device.
So does that router have more than two ports and, if so, can one of them be configured as a "mirror port" or "SPAN port" or something that sends all traffic going through the router to an additional port, into which you could plug a machine running a packet sniffer such as Wireshark? See the Wireshark page on Ethernet capture for information on capturing traffic on Ethernet and capturing all traffic.
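
The symptom discussed in this thread (only broadcasts visible from the device, no unicast) can be checked mechanically by classifying each captured frame's destination MAC. The following is an added example, not part of the original thread; the MAC addresses, frames and function names are constructed for illustration.

```python
from collections import Counter, defaultdict

BROADCAST = b"\xff" * 6

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def frame(dst, src, ethertype):
    # Header only, padded to the 60-byte length shown for short frames.
    return (mac(dst) + mac(src) + ethertype.to_bytes(2, "big")).ljust(60, b"\x00")

def classify(raw, local_mac):
    """Return (source MAC, category) for one raw Ethernet frame."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    if dst == BROADCAST:
        kind = "broadcast"
    elif dst[0] & 0x01:  # I/G bit set: group (multicast) address
        kind = "multicast"
    elif local_mac in (dst, src):
        kind = "unicast-own"  # delivered to this port regardless of mirroring
    else:
        kind = "unicast-other"  # only visible via a hub, mirror/SPAN port or tap
    return src, kind

def summarize(frames, local_mac):
    per_source = defaultdict(Counter)
    for raw in frames:
        src, kind = classify(raw, local_mac)
        per_source[src][kind] += 1
    return per_source

def only_flooded_traffic(frames, local_mac, device_mac):
    """True if the device was seen as a sender, but never in a unicast frame."""
    seen = summarize(frames, local_mac).get(device_mac, Counter())
    unicast = seen["unicast-own"] + seen["unicast-other"]
    return sum(seen.values()) > 0 and unicast == 0

# Constructed addresses and frames (not taken from the capture in the question).
HOST, DEVICE, ROUTER = "02:00:00:00:00:01", "02:00:00:a1:db:44", "02:00:00:00:00:fe"
ARP, IPV4 = 0x0806, 0x0800
switched = [frame("ff:ff:ff:ff:ff:ff", DEVICE, ARP)] * 4 + [frame(ROUTER, HOST, IPV4)]
mirrored = switched + [frame(ROUTER, DEVICE, IPV4), frame(DEVICE, ROUTER, IPV4)]

if __name__ == "__main__":
    for name, capture in (("switched", switched), ("mirrored", mirrored)):
        print(name, only_flooded_traffic(capture, mac(HOST), mac(DEVICE)))
```

A result of True for a device known to be sending unicast traffic points at the capture position (a switched port without mirroring) rather than at Wireshark or promiscuous mode.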