This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark cannot capture any TCP packets (not even SYN/ACK)

0

I was trying to capture traffic by port spanning on a Cisco WS-C3750-48P. Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), Version 12.2(44)SE2, RELEASE SOFTWARE (fc2)

I can see UDP, ICMP, ARP, DHCP and Microsoft stuff. However, I did not see any TCP packets captured, not even TCP SYN/ACK. Is it a Cisco port SPAN problem, the IOS version, or a Wireshark problem? Any ideas? BTW, I'm using promiscuous mode. Wireshark can see the TCP traffic when sniffing the PC interface it's running on.

Appreciate it.

asked 25 Nov '11, 07:50


Buddy
1112
accept rate: 0%

edited 25 Nov '11, 07:52


One Answer:

0

You could verify if all the frames you see are broadcast/multicast frames (from the range of protocols you mentioned, I guess they are). If you're sure that the device you want to span is actually using TCP and you do not see it in the SPAN session, you probably got the SPAN session wrong. Monitoring the wrong port is by far the most common mistake when setting up SPAN ports in my experience.

On the other hand, you might have a VLAN tagging problem. If the TCP packets are VLAN-tagged, your PC interface might drop them if the card doesn't like them, and so you will not see them in Wireshark either. Try a different card if you think the SPAN port is correct and you should receive packets; I usually go for Realtek cards - they do not exactly have a good reputation but they usually capture anything, not knowing friend or foe.

answered 27 Nov '11, 05:46


Jasper ♦♦
23.8k551284
accept rate: 18%
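The check suggested in the answer above (are all captured frames broadcast/multicast, and are any VLAN-tagged?) can be run over a saved capture. This is an added example, not part of the original answer; the function names and the sample frames are constructed for illustration, and it assumes a classic pcap file with Ethernet link type.

```python
import struct
from collections import Counter

def classify_frames(pcap: bytes) -> Counter:
    """Count Ethernet frames in a classic pcap by destination type, VLAN tag and TCP."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    stats, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:  # runt record without a full Ethernet header
            continue
        if frame[:6] == b"\xff" * 6:
            stats["broadcast"] += 1
        elif frame[0] & 1:  # I/G bit set: group (multicast) destination
            stats["multicast"] += 1
        else:
            stats["unicast"] += 1
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
        if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
            stats["vlan_tagged"] += 1
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
        if ethertype == 0x0800 and len(frame) >= l3 + 20 and frame[l3 + 9] == 6:
            stats["tcp"] += 1
    return stats

def verdict(stats: Counter) -> str:
    if stats["unicast"] == 0:
        return "only broadcast/multicast frames: check the SPAN source port"
    return "unicast frames present: the SPAN session is mirroring a port"

# --- constructed sample data (not from a real capture) ---
def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
def ipv4(proto):  # minimal 20-byte IPv4 header carrying only the protocol number
    return b"\x45" + bytes(8) + bytes([proto]) + bytes(10)
SRC = bytes.fromhex("020000000001")
ARP_BCAST = b"\xff" * 6 + SRC + b"\x08\x06" + bytes(28)
MDNS_MCAST = bytes.fromhex("01005e0000fb") + SRC + b"\x08\x00" + ipv4(17)
TAGGED_TCP = bytes.fromhex("020000000002") + SRC + b"\x81\x00\x00\x0a\x08\x00" + ipv4(6)

if __name__ == "__main__":
    print(verdict(classify_frames(make_pcap([ARP_BCAST, MDNS_MCAST]))))
```

A capture that contains only ARP, DHCP, mDNS and similar flooded traffic produces the first verdict, which matches the symptom in the question; a non-zero `vlan_tagged` count shows the NIC is passing tagged frames through.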