Experts, Does Wireshark have hidden capture filters? As far as I can tell, I have no capture filters (or display filters) enabled that would restrict the capture (or display) of any packets. Yet I cannot capture traffic between two devices that I know are communicating with each other. I am getting no notification that packets are being dropped. Running ... Wireshark 1.6.4 (SVN Rev 39941 from /trunk-1.6) WinPcap version 4.1.2 ... on 64-bit Windows Server 2008 R2 Service Pack 1. I'm trying to capture traffic between a Dell R710 Server and a Moxa 5210 NPort device. The server and Moxa device are both plugged into the same Cisco ethernet switch. The Moxa 5210 device has two RS-232 serial ports that are connected to the serial console ports of a pair of Devices Under Test. A terminal emulation program (TeraTerm) that supports Telnet'ing into the Moxa 5210 runs on the Dell R710 Server system (also where Wireshark is installed/running). On the Dell R710 Server, I open a TeraTerm (ver. 2.3) session and specify the IP Address and Port # associated with say RS-232 port #1. The TeraTerm session establishes connections with one of the Devices Under Test. Via TeraTerm, I can send to (and receive from) the remote Device Under Test without problem. The appropriate ports on the Cisco switch light up while this data is being transferred. I know there are packets being sent/received by the respective devices. Unfortunately, all attempts to get Wireshark to capture this information flow do not work. The Wireshark trace only shows the initial flurry of activity that happens when the TeraTerm program is initially invoked. In the attached trace, packets 18-22 show that start-up interaction. Dell R710 Server = 192.1.1.88 Moxa 5210 Nport Device = 192.1.1.27, TeraTerm is using Port #4001. Can somebody tell me why Wireshark doesn't capture / display anything beyond what appears in the trace? (I'm trying to debug an automated test. At random times, we get "impossible" data from the Devices Under Test. I'm trying to determine if this bogus data is really being sent on the wire, or if it's being corrupted higher up the communications stack.) Thanks much. DReif This question is marked "community wiki". asked 27 Nov '11, 17:24 DReif showing 5 of 8 show 3 more comments |
One Answer:
From your capture it looks like you are only capturing the 3-way-handshake of each TCP connection (SYN, SYN/ACK, ACK). Sounds like TCP Chimney to me... answered 28 Nov '11, 15:10 SYN-bit ♦♦ 1 SYNbit, You are correct, sir. After disabling that feature on the appropriate NIC in the Dell R710 Server, I now see that Winshark is capturing all of the expected traffic. Thanks for your most excellent advice. For future searchers ... The Dell R710 Server uses Broadcom BCM5709C NetXtreme II GigE NICs (4 of them built into motherboard). I modified the following properties via the 'Advanced' tab of the NIC configuration tool ... Changed 'IPv4 Checksum Offload' to 'None'. Changed 'TCP COnnection Offload (IPv4)' to 'Disable'. (28 Nov '11, 21:12) DReif I think disabling only "TCP connection Offload" will do the trick too... but since you're troubleshooting, it is nice to have the correct checksums in the trace as well, so disabling both is nice :-) (29 Nov '11, 00:11) SYN-bit ♦♦ |
It's me again. I'd hoped to be able to attach my sample capture after registering as a real site user. But I see that even after registration, that doesn't appear to be an option.
Can someone explain to a newbie the accepted way to upload a Wireshark trace?
Thanks again.
DReif
Drop it on CloudShark and post the link here.
You never described how you hooked Wireshark into this setup. On the host, though a tap, a span? Then, what do you mean by "the initial flurry of activity"?
I've uploaded a file named 'Moxa_TeraTerm_No_Packets.pcap' to CloudShark. Wireshark is running on the Dell R710 Server - I'm not using a tap or span. Capturing in Promiscuous Mode - though that shouldn't be a requirement in this setup. See Packets 18-22. They appear to be the "setup" to establish the communications link. Yet there are no further packets captured between 192.1.1.27 and 192.1.1.88 - even though I can see via the TeraTerm terminal emulator that data is being transferred.
Sincere thanks for your help/advice.
DReif
Cloudshark does not have a search function (at least not that I'm aware of), could you post the link to the file?
SYNbit, I originally used the direct "upload" option at the CloudShark site. It didn't provide a link. So, based upon your comment - I resubmitted it as an attachment to an e-mail. The FAQ at cloudshark.org says it would then send me a response with the link. That doesn't work either. Here is the response I got ...
Hello,
Thank you for trying CloudShark.org. The decode service at [email protected] has been discontinued. Please try uploading your files directly at http://www.cloudshark.org.
Regards,
CloudShark
After you paste the file to www.cloudshark.org, you need to copy the address in the location bar of your browser, that's the link to your capture file :-)
Hmmm, OK I see now my original upload didn't work at all (that'll teach me to use Internet Explorer). Just uploaded it with Firefox and that worked fine. The link is
http://www.cloudshark.org/captures/f66482719cf8