This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can’t see other traffic but my own

0

As a note, I have been using Wireshark with a hub for years and it has always worked. Now I’m experiencing the weirdest issue, I can’t see other traffic that I need, such as the Print Raster data from another computer to a networked copier. I’ve spent almost two days on this, got cables and hubs everywhere, I’ve been reading all the Help files from Wireshark online, trying everything possible. I’ve tried multiple PCs, I bought another new hub (Asante FH205P) to eliminate my existing hub (Netgear DS108) just in case it went bad. If the hubs were bad, I wouldn’t see anything most likely. I have the hub connected to our network and one cable to copier and one to my laptop. I’ve tried statically out of the network, etc… I can see all the data if it comes or goes to/from my laptop, but if I send a job from another PC, I don’t see that data, which in the past I did. If I scan to email from the copier, I used to see the requests to the email server, now I don’t see any SMTP traffic… Everyone I talke to says it should work like I have it. I’ve tried other programs such as Colasoft Capsa 7 Free and the older Etherreal. I’m out of options, this always worked in the past and it should work like I have it. Can I possibly have two bad hubs? What are the odds? I appreciate anyone's input.

asked 20 Jan '12, 10:12

SharpSBSMan's gravatar image

SharpSBSMan
1112
accept rate: 0%


3 Answers:

1

Most common reasons to not see traffic on a wired network card when you are (pretty) sure that there is traffic coming in:

  1. Promiscuous mode is not enabled for the capture card. There is a setting in the Wireshark capture options that should always have a check mark.
  2. VLAN tagged frames - a lot of NICs do not accept them by default. Some can be configured to pass them on, but some will never pass them on to Wireshark. By the way, Realtek cards seem to take no prisoners and always capture any frame you throw at them, including VLAN tags ;-)
  3. Spanning Tree (yes, surprise!) - if your network is running spanning tree, you might have your capture point at a place where the tree does not forward any traffic (except BPDUs etc.), because it is using an alternate path with better costs.

If I were you I'd try to remember what changed in the network setup since the last time it worked; very often coworkers do something that they didn't tell you about, and suddenly stuff that worked before doesn't.

answered 20 Jan '12, 12:31

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thanks guys. So after trying two laptops, I tried a third one, I asked someone to use theirs. And they can see everything through either hub. We have Dell D630s. So I swapped my HDD and put it in his and vice versa. Now none of the laptops would see all traffic. So I'm realizing that my NIC might have an issue even though it works fine for everyday usage. Also, we both have Office Scanner from Trend running, but my laptop had some filter that I couldnt disable. It was a list of like 20 protocols that were allowed. So I may have a software/hardware issue. I will get me another laptop from IT Dept and I should be fine. What are the odds that a couple laptops had the same symptoms... I have to comfirm the Office Scanner issue, but I'm guessing it has something to do with it. I tried to disable all the Scanner services and rebooted, but it turned itself on again, I'm sure it's forced as a domain service. Thanks again for all your tips, I do appreciate it. I'll get this thing yet!!! Note: I did have promiscuous mode on all the time. Also, i did get an Ethereal download but didn't work, but I submitted this post before i tried it by mistake, the download was corrupt so it didn't even install. And I do remember Ethereal changing to Wireshark. Thanks everyone!!!! Florin

(20 Jan '12, 20:48) SharpSBSMan

1

(Note, BTW, that "the older Ethereal" isn't "[an]other program"; it's the same program as Wireshark - only the name changed, somewhere around the time of the 0.99.2 release of the program.)

I'm assuming you have a possibly-switched network, and have a cable going from one port on that network into the hub, another cable going from the hub to the printer, and a third cable going from the hub to the machine running the sniffer program.

If neither Ethereal/Wireshark nor Colasoft Capsa can see the traffic, it's almost certainly not a problem with the program. The DS108 is listed on the HubReference page of the Wireshark Wiki as a true, but dual-speed, hub, so it should work as long as all hosts plugged into the hub, including the host running the sniffer program, are running at the same network speed (i.e, the host on the network talking to the printer, the printer, and the host running the sniffer either all need to be running at 10Mb/s or 100Mb/s). The HubReference page doesn't say anything about the FH205p, but I'm guessing it's a true dual-speed hub (so the same issues would apply to it).

I assume you probably were using promiscuous mode in the past when you could see traffic, so you know that you have to check it or leave it checked, so the first of Jasper's reasons probably isn't the problem. If this isn't a dual-speed problem, the two other issues Jasper mentioned are two things to check.

answered 20 Jan '12, 16:48

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

0

I figured it out, it was the Trend Office Scan Firewall. Had to disable it, restarted and I can see everything again. thanks for all your help. Florin

answered 22 Jan '12, 21:06

SharpSBSMan's gravatar image

SharpSBSMan
1112
accept rate: 0%