This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capture using a monitor mode of the switch on a dual nic computer

0

Hi, I've been utilizing a Windows XP computer with a second NIC card as a "sniffer" box. I am having a problem where I am not seeing the traffic I expect to see on the capture. I suspect I am doing something wrong on the sniffer box because I have seen this issue on multiple model Cisco switches, running different IOS versions. My reason I say there is a problem is because I do not see all the send or receive traffic in some cases. I test this by doing a ping. If I am monitoring both rx and tx I should see both the echo request and the echo reply. In any case I only see one or the other, or sometimes only one. I change the monitor session to only mirror rx or tx and do not see the results I expect. For example, if I am looking at rx only on a switch port and I generate an echo request to the device plugged into the port, I would expect to only see the echo reply on my capture. If I change to monitor tx only and generate the same echo request I would expect to see the request only as it exits the switch port and is transmitted to the device in question. I had a case with Cisco to look at there being a possible bug with the monitor session and convinced three different engineers something is not right with the capture. Cisco was not able to recreate the issue and hinted that the sniffer box might not be set up right. I suspect the problem is with the method I am using on the sniffer box because of trying it at multiple locations across multiple Cisco switch models and IOS codes.

We utilize one NIC on the sniffer box for remote access and the other NIC plugs into a Cisco switch that is set up in monitor mode like this:

Session 1
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/18
Destination Ports : Fa0/22
    Encapsulation : Native
          Ingress: Disabled

The monitor session is configured to mirror both rx and tx traffic. The NIC on the sniffer box that is plugged into port 22 has TCP/IP unchecked in the Windows network settings along with all the other protocols (McAfee, Client for Microsoft Networks, File and Printer Sharing, etc.) except for the network capture driver. I'm not even sure that is required to be checked because if you uncheck everything, you still can see traffic in Wireshark that is passing through the port being monitored. Windows firewall is disabled. I normally use WinDump on the sniffer just because Wireshark over a remote desktop session is not ideal. My typical WinDump command would go something like this:

windump -i 3 -s 0 -C 25 -W 60000 -w c:\captures\dump.pcap

Interface #3 being the NIC that plugs into port 22, i.e. the switch port running in monitor mode. Even if I don't use WinDump and go back to using Wireshark on the sniffer box and generate pings I only see the echo request, not the reply. I also see other traffic in the capture that suggests I am not capturing everything, such as ICMP dest. unreachable messages, but I do not see the initial UDP query that caused the device to generate such an ICMP dest. unreachable message.

Does anyone have any suggestions about what I may be doing wrong?

asked 28 Nov '11, 09:17


networkguy09
16447
accept rate: 0%

edited 28 Nov '11, 09:56


SYN-bit ♦♦
17.1k957245
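A check for the one-sided capture the question describes, added here as an example that is not part of the original post: parse Ethernet/IPv4/ICMP frames and pair echo requests with replies by identifier and sequence number. The frames below are constructed sample data (checksums left zero); in practice the frame bytes would come from the pcap written by the windump command above.

```python
import struct

ETH_HDR, ETHERTYPE_IPV4, PROTO_ICMP = 14, 0x0800, 1
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0

def build_icmp_frame(src_ip, dst_ip, icmp_type, ident, seq):
    """Constructed sample data: minimal Ethernet/IPv4/ICMP echo frame (checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, PROTO_ICMP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + icmp

def parse_icmp_echo(frame):
    """Return (icmp_type, ident, seq) for an ICMP echo request/reply frame, else None."""
    if len(frame) < ETH_HDR + 20 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != PROTO_ICMP or len(ip) < ihl + 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return icmp_type, ident, seq

def check_directions(frames):
    """Pair echo requests with replies by (ident, seq); unmatched entries mean one
    direction is being dropped between the switch SPAN port and the capture driver."""
    requests, replies = set(), set()
    for frame in frames:
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        icmp_type, ident, seq = parsed
        (requests if icmp_type == ICMP_ECHO_REQUEST else replies).add((ident, seq))
    return {"paired": len(requests & replies),
            "request_only": len(requests - replies),
            "reply_only": len(replies - requests)}

# Constructed capture mirroring the symptom in the question: seq 1 got its
# reply, but the reply to seq 2 never made it into the capture.
SAMPLE_FRAMES = [
    build_icmp_frame("10.0.0.5", "10.0.0.18", ICMP_ECHO_REQUEST, 0x1234, 1),
    build_icmp_frame("10.0.0.18", "10.0.0.5", ICMP_ECHO_REPLY, 0x1234, 1),
    build_icmp_frame("10.0.0.5", "10.0.0.18", ICMP_ECHO_REQUEST, 0x1234, 2),
]
```

With an rx+tx SPAN session that is working, `request_only` and `reply_only` should both stay near zero; a consistently non-zero count in one of them points at the capture host (interfering drivers, as this thread eventually found) or the mirror configuration rather than at the device being monitored.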

Similar to my monitoring, whereas I only saw Echo Reply, never saw Echo Request. Another problem, I can not see TCP traffic although I can see unicast UDP traffic between other two devices. BTW there is lots of TCP traffic, unicast, which should have been seen by the sniffer in my case. I tried two sniffing software. Same result. I guess it is a Cisco SPAN bug.

(28 Nov '11, 10:48) Buddy

3 Answers:

0

OK, if I get this right, you are monitoring a system on port Fa0/18 using your dual-homed XP system on port Fa0/22. Then you use a third system to ping the system on port Fa0/18? On which port is this system connected? How are the vlans set up? Are you using any vlan tagged interfaces? Is the system on port Fa0/18 by any chance connected to the switch(es) with a teamed NIC?

answered 28 Nov '11, 10:03


SYN-bit ♦♦
17.1k957245
accept rate: 20%

The device we are monitoring is a printer. The printer has a problem where it hangs and stops responding and the only fix has been to unplug/plug the printer. So it is a single network connection to the printer plugged into port 18. Port 22 is the monitor port for which I showed the configuration in my initial post. The sniffer box has a second NIC which plugs into port 11 of the same switch. Port 11 and port 18 are both access ports in the same vlan. It doesn't seem to matter where I generate the ping.

(28 Nov '11, 11:28) networkguy09

I've done it from the sniffer box, which should use its second NIC aka "management NIC" to send the ping because the other NIC does not even have TCP/IP turned on. The SPAN is supposed to take everything both incoming and outgoing on port 18 and copy that to port 22. So in theory, I should see the echo request as it's transmitted out of port 18 and the echo reply as the printer responds and the reply is received back on port 18.

As I mentioned, I've had this problem on multiple switches now all running different IOS.

(28 Nov '11, 11:28) networkguy09

The sniffer box is the only common factor as it is the same box I've used to do captures on. I tried something else since I wrote this thread. I started up Wireshark looking at my second NIC (the one plugged into port 22) and shutdown port 11 on the switch (the interface I used for remote management).

(28 Nov '11, 11:28) networkguy09

I then did a ping from my desktop (which resides on a different vlan, etc.), saw my ping was answered by the printer, left the capture running and port 11 shut down for about an hour. Turned port 11 back up, remote desktopped into the sniffer box and stopped the capture. The capture has no ICMP at all. I am at a loss to understand why the capture is not showing traffic I know to have traversed port 18.

(28 Nov '11, 11:28) networkguy09

Is there VPN software on the monitoring box? You might want to have a look at http://wiki.wireshark.org/CaptureSetup/InterferingSoftware.

Also, have you tried another system on the span port to see if it can capture the packets OK?

(28 Nov '11, 15:19) SYN-bit ♦♦

0

It was McAfee. Amazing how much time was spent on this problem and no one (including myself) thought to look at McAfee. Thanks for the ideas!

answered 29 Nov '11, 05:25


networkguy09
16447
accept rate: 0%

0

Similar to your problem: I only saw Echo Reply, never saw Echo Request!!! I installed a new version of Wireshark (1.12 version), the old version of my Wireshark was 1.10, and my problem is resolved!! I realized my problem was fluky!!!

answered 18 Aug '14, 04:29


masood khiaraji
1
accept rate: 0%