This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Device only showing NBNS Protocol then nothing.

0

Im trying to view packets for an embedded device of mine. When I watch the network, I can see the device and it's IP send 4 packets when it initially connects to the network.

2118 26.109312 192.168.1.118 192.168.1.255 NBNS 110 Registration NB CCWMX53-A1DB44<00> 2120 26.359883 192.168.1.118 192.168.1.255 NBNS 110 Registration NB CCWMX53-A1DB44<00> 2122 26.610829 192.168.1.118 192.168.1.255 NBNS 110 Registration NB CCWMX53-A1DB44<00> 2126 26.861841 192.168.1.118 192.168.1.255 NBNS 110 Registration NB CCWMX53-A1DB44<00>

But then wireshark won't show anything else for this device. When I KNOW it is sending other packets. Does anyone have any idea how I can see the packets my device is sending?

Thanks for the help..

asked 07 Jun '17, 10:38

caden311's gravatar image

caden311
6112
accept rate: 0%

edited 07 Jun '17, 10:49

grahamb's gravatar image

grahamb ♦
19.8k330206

Is this on an Ethernet network, a Wi-Fi network, or some other type of network?

(07 Jun '17, 10:41) Guy Harris ♦♦

It's ethernet with only my computer and the device plugged in.

(07 Jun '17, 10:41) caden311

What are they plugged into? A switch, a hub, or is this just a point-ot-point Ethernet cable between your computer and the device?

(07 Jun '17, 10:58) Guy Harris ♦♦

I have a router with two ethernet cables, one going to my computer, the other to the device.

(07 Jun '17, 11:01) caden311

So does that router have more than two ports and, if so, can one of them be configured as a "mirror port" or "SPAN port" or something that sends all traffic going through the router to an additional port, into which you could plug a machine running a packet sniffer such as Wireshark? See the Wireshark page on Ethernet capture for information on capturing traffic on Ethernet and capturing all traffic.

(07 Jun '17, 11:24) Guy Harris ♦♦

One Answer:

0

The traffic you show are all broadcasts, do you have promiscuous mode enabled on the interface you're capturing on to allow capture of unicast traffic destined for hosts other than the capturing one?

Are you sure the embedded device is able to locate a MAC address (via ARP) for the unicast address it wishes to send to? You should see ARP traffic as they are broadcasts as well.

answered 07 Jun '17, 10:48

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Yes I have promiscuous mode enabled, and yes I am seeing ARP messages for the device.

581 41.823085 Digiboar_a1:db:44 Broadcast ARP 60 Who has 169.254.196.127? Tell 0.0.0.0

Just not sure why i'm not seeing any of the tcp traffic that's happening.

(07 Jun '17, 11:00) caden311

OK, so the device is looking for 169.254.196.127, hopefully that's the PIPA address assigned to your capturing host, but the ARP is asking for responses to be sent to 0.0.0.0. It would seem that the device doesn't have an IP address.

(07 Jun '17, 11:03) grahamb ♦

Sorry this is the last ARP message, when it finds a router.

597 44.830725 Digiboar_a1:db:44 Broadcast ARP 60 Who has 192.168.1.1? Tell 192.168.1.118

And I know traffic is leaving the device and hitting my webserver.

(07 Jun '17, 11:23) caden311

I think @Guy Harris maybe more on-track with your issue here in that you are running on a switched network and haven't made the necessary adjustments to ensure the switch sends you all the traffic.

Can you amend your question with details of the network configuration, e.g.:

PC (IP) <---> router (model) <---> Embedded Board (IP)
(07 Jun '17, 15:22) grahamb ♦