Wireshark-users: Re: [Wireshark-users] Looking for some help or advice with an issue

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Wed, 09 Apr 2008 22:55:31 -0400
Charles.Neff@xxxxxxxxxx wrote:

I think I made this slightly more confusing than it should be. I'm gonna try to clear a few things up, then answer your questions and see if we can get somewhere on this.

First of all:

Servers - located at Corporate office
Registers - located at separate store locations
WireShark - used to monitor at Store locations, on their LAN, using my laptop
Issues
- Wireshark does not capture response data from Server during POS transactions
- will only pick up transmitted POS traffic data from one register at a time (appears to be the one that logged in most recently)
- even when only capturing data from one register on one port, WireShark will no longer show data from that register once another register is logged in (in this case will get NO POS data since only monitoring the one register)
- if the monitored register is logged out and back in, WireShark will begin picking up POS data again (only transmit data, still no received) as long as no other register is logged in after that time
Of note - Telnet-ing (from the same register, using the same terminal emulator) into the POS server, but not into the actual POS application, will result in WireShark picking up all traffic one would expect from a Telnet session

Everything continues to work throughout the issues I'm describing with WireShark captures. Each register has its own IP address and the data I do capture shows these correctly.

I'm attaching a capture from one of our stores (hopefully I've used editcap correctly... first time to use it):

POS server - 192.9.200.178
Registers - 10.200.11.31 and 10.200.11.32

You can see at around 14:38 traffic is being picked up from 10.200.11.32, then at 14:42 traffic is picked up from 10.200.11.31. During this whole capture both registers were being used regularly, not just at the times when traffic was captured.

Well, you actually used too small of a snaplen value. It chopped all TCP headers. But some notes:

1) Clearly it's cosmetic or is a problem with packet capturing, because the app still works.

2) I noticed all the packets are unidirectional, i.e. the POS are only listed as SOURCE IPs.

3) It's interesting that when you use telnet, you see the packets again. I'm trying to resolve why that would be. How are you capturing the packets? Are you using a port mirroring from a cheap switch? Is it possible that the port mirroring/span function is broken?

4) I thought the app may have been munging with the mac addresses, but that doesn't seem to be the case.

5) When you telnet, do you see two way traffic in the trace?


--

Thanks,
Hansang
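The two problems Hansang points at (a snaplen that cuts off the TCP headers, and traffic that only ever appears in one direction) can both be checked directly against a capture file before anyone starts second-guessing the span port. The script below is an added example, not code from the thread or from the Wireshark project: it parses classic pcap records by hand, counts records whose captured length is shorter than their on-wire length, counts TCP packets whose header was cut off by the snaplen, and lists source/destination pairs that were never seen in the reverse direction. The frames it feeds itself are constructed in memory, using the store's register and POS-server addresses quoted above; the ports, MAC addresses and payloads are made up for the demonstration.

```python
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps
PCAP_MAGIC_BE = 0xD4C3B2A1  # the same magic read from a big-endian file
ETH_HDR = 14                # Ethernet II header length
MIN_TCP_HDR = 20            # TCP header without options


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 8192, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames, snaplen):
    """Serialise frames as a classic pcap, truncating each record to snaplen like a capture tool does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        data = frame[:snaplen]
        # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire); timestamps are arbitrary
        out += struct.pack("<IIII", 1207780000 + i, 0, len(data), len(frame)) + data
    return out


def parse_pcap(blob):
    """Return (snaplen, [(incl_len, orig_len, bytes), ...]) for a classic pcap blob."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen, _linktype = struct.unpack_from(endian + "II", blob, 16)
    records, off = [], 24
    while off + 16 <= len(blob):
        _sec, _usec, incl, orig = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        records.append((incl, orig, blob[off:off + incl]))
        off += incl
    return snaplen, records


def audit(blob):
    """Summarise snaplen truncation and one-way traffic in a capture."""
    snaplen, records = parse_pcap(blob)
    flows = Counter()
    report = {"snaplen": snaplen, "packets": len(records), "truncated": 0, "tcp_header_cut": 0}
    for incl, orig, data in records:
        if incl < orig:
            report["truncated"] += 1          # the sniffer stored less than was on the wire
        if len(data) < ETH_HDR + 20 or data[12:14] != b"\x08\x00":
            continue                          # not enough bytes to read an IPv4 header
        ihl = (data[ETH_HDR] & 0x0F) * 4
        proto = data[ETH_HDR + 9]
        src = ".".join(map(str, data[ETH_HDR + 12:ETH_HDR + 16]))
        dst = ".".join(map(str, data[ETH_HDR + 16:ETH_HDR + 20]))
        flows[(src, dst)] += 1
        if proto == 6:
            tcp_start = ETH_HDR + ihl
            if len(data) < tcp_start + MIN_TCP_HDR:
                report["tcp_header_cut"] += 1  # snaplen ended inside the TCP header
            else:
                doff = (data[tcp_start + 12] >> 4) * 4
                if len(data) < tcp_start + doff:
                    report["tcp_header_cut"] += 1  # options were cut off
    # pairs seen in one direction only: a span/mirror problem shows up here
    report["one_way"] = sorted(p for p in flows if (p[1], p[0]) not in flows)
    report["flows"] = dict(flows)
    return report


if __name__ == "__main__":
    # Constructed sample resembling the store capture: registers talking to the POS server,
    # captured with a snaplen of 40 bytes (Ethernet + IPv4 + only six bytes of TCP).
    frames = [build_frame("10.200.11.32", "192.9.200.178", 1234, 23, b"SALE 1"),
              build_frame("10.200.11.31", "192.9.200.178", 1235, 23, b"SALE 2")]
    print(audit(build_pcap(frames, 40)))
```

A capture where `tcp_header_cut` is non-zero cannot be reconstructed; the snaplen has to be raised at capture time (Wireshark's capture options or `tcpdump -s 0`), since `editcap -s` only shortens records that already exist. A non-empty `one_way` list on a capture that should contain both halves of a conversation points at the mirror or span configuration rather than at the application.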