
I have a Windows XP machine running Wireshark, connected to a mirror port on a network. I'm capturing with no filtering, and it can only see half of some two-way TCP conversations. I had thought it was a mirror port issue on the switch, but I can take the same Ethernet cable, plug it into a laptop running the same version of Wireshark and see both sides of the conversation. I also see a lot more random network activity such as NBNS queries, LLDP multicasts, and Dynamic Trunking Protocol packets.

This does not appear to be a promiscuous mode issue, because I do see half of a TCP conversation from point A to point B, and I am point C. I've tried replacing the network card, but that isn't it. It's not random packet loss, because I see every packet for one side of the one conversation (based on sequence numbers).

I'm looking for any Windows configurations or other programs or clues that could be preventing Wireshark from capturing all packets.

bk.
  • Are you looking into a communications problem with this laptop, or is this only a 'capturing problem'? – l0c0b0x Jan 11 '10 at 23:15
  • The laptop captures everything on the mirror port fine. It's when we disconnect the laptop and connect the other server to the same Ethernet cable that it fails to capture half of the Ethernet traffic that the laptop can see. The traffic is not from/to the server or laptop; both are connected to the same 'mirror' port on the router, seeing traffic between other endpoints on the network. – bk. Jan 11 '10 at 23:35
  • Are you running IIS on the server? I've had it do odd things to me. – BuildTheRobots Jan 15 '10 at 07:44

2 Answers


Check the SPAN/mirror port configuration to make sure it's doing what you expect. Some switches can be configured to capture only inbound or only outbound traffic (with both directions being a third option).

As an example, this should verify the state on a Cisco device:

Switch# sh monitor session 1

Session 1
---------
Source Ports:
RX Only:       None
TX Only:       None
Both:          Fa0
Source VLANs:
RX Only:       None
TX Only:       None
Both:          None
Destination Ports: Fa1
Filter VLANs:      None

(this shows that traffic on interface Fa0 is replicated in both the inbound and outbound directions and sent out Fa1 to be captured)


This behaviour was achieved with the following config:

monitor session 1 source interface Fa0
monitor session 1 destination interface Fa1
Greg Work
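The answer above tells you to verify the mirror session on the switch; the complementary check is done on the capturing host, by asking the capture itself whether TCP flows are being seen in one direction only. The following script is an added example and is not part of the original answer or of Wireshark. It assumes the capture has been exported with tshark using this exact field order (the command is real tshark syntax, the file name is hypothetical): `tshark -r capture.pcap -Y tcp -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport`. The sample lines embedded below are constructed, and the 50% threshold is an arbitrary assumption for the verdict.

```python
"""Detect one-directional TCP flows in a capture.

A capture from an RX-only (or TX-only) SPAN/mirror session shows every flow
through the monitored port in one direction only, while a legitimate capture
shows most flows in both directions.  This is the symptom described in the
question: every packet of one side, none of the other.

Input: tab-separated lines of "src<TAB>sport<TAB>dst<TAB>dport", i.e. the
output of (file name hypothetical):
  tshark -r capture.pcap -Y tcp -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport
"""
from collections import defaultdict

# Constructed sample, standing in for real tshark output.  Flow 10.0.0.9<->10.0.0.25
# is seen in both directions; the two flows involving 10.0.0.80 are seen only as
# packets *sent by* 10.0.0.80, which is what an RX-only session on the switch port
# that 10.0.0.80 is plugged into would produce.
SAMPLE_TSHARK_LINES = """\
10.0.0.80\t80\t10.0.0.5\t49152
10.0.0.80\t80\t10.0.0.5\t49152
10.0.0.80\t80\t10.0.0.5\t49152
10.0.0.9\t51000\t10.0.0.25\t22
10.0.0.25\t22\t10.0.0.9\t51000
10.0.0.9\t51000\t10.0.0.25\t22
10.0.0.80\t443\t10.0.0.7\t40000
"""

# Assumed cut-off: above this share of one-sided flows, suspect the mirror session.
ONE_SIDED_THRESHOLD = 0.5


def parse_tshark_fields(text):
    """Turn tshark field lines into (src, sport, dst, dport) tuples.
    Lines that do not have exactly four fields (non-TCP packets, blank lines)
    are skipped rather than treated as flows."""
    packets = []
    for line in text.splitlines():
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4 or not all(parts):
            continue
        src, sport, dst, dport = parts
        packets.append((src, int(sport), dst, int(dport)))
    return packets


def flow_key(src, sport, dst, dport):
    """Direction-independent key for a TCP conversation: the two endpoints in
    sorted order, so A->B and B->A map to the same flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def flow_directions(packets):
    """Map each flow to [packets from endpoint0, packets from endpoint1]."""
    counts = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport in packets:
        key = flow_key(src, sport, dst, dport)
        counts[key][0 if (src, sport) == key[0] else 1] += 1
    return counts


def one_sided_flows(packets):
    """Flows for which packets were seen in only one direction, each returned as
    (sender, receiver) with the endpoint that was actually seen transmitting first."""
    result = []
    for (ep0, ep1), (from0, from1) in flow_directions(packets).items():
        if from0 and not from1:
            result.append((ep0, ep1))
        elif from1 and not from0:
            result.append((ep1, ep0))
    return sorted(result)


def summarize(packets):
    """Summary a practitioner can act on.  A capture where most flows are one-sided
    and all of them share the same transmitting host points at a single-direction
    mirror session on that host's switch port.  Note the caveat: an unanswered SYN,
    or a flow that started before the capture, is legitimately one-sided, which is
    why the verdict looks at the proportion rather than at any single flow."""
    directions = flow_directions(packets)
    one_sided = one_sided_flows(packets)
    flows = len(directions)
    ratio = len(one_sided) / flows if flows else 0.0
    return {
        "packets": len(packets),
        "flows": flows,
        "one_sided_flows": len(one_sided),
        "one_sided_senders": {sender[0] for sender, _ in one_sided},
        "suspect_one_way_mirror": ratio > ONE_SIDED_THRESHOLD,
    }


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE_TSHARK_LINES)
    for k, v in summarize(pkts).items():
        print(f"{k}: {v}")
```

If `one_sided_senders` collapses to a single host, that host sits behind the monitored port and only the direction it transmits is being mirrored; compare that against the `RX Only` / `TX Only` / `Both` lines in `show monitor session` on the switch. If the same export from the laptop shows no one-sided flows while the server's does, the switch configuration is exonerated and the fault is on the capturing host, which is the situation in the question.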

Reinstall a new version of WinPcap and try capturing data again. Sometimes a WinPcap issue may lead to such problems.

  • Not having easy access to the remote site where the server was located and needing a quick fix, we just replaced the entire machine with an exact clone, hardware- and software-wise, and it worked, so chalk this one up to gremlins I guess. – bk. Mar 09 '10 at 00:35