Charles.Neff@xxxxxxxxxx wrote:
I think I made this slightly more confusing than it should be. I'm
gonna try to clear a few things up, then answer your questions and see
if we can get somewhere on this.
First of all:
Servers - located at Corporate office
Registers - located at seperate store locations
WireShark - used to monitor at Store locations, on their LAN, using my
laptop
Issues - Wireshark does not capture response data from Server during POS
transactions
- will only pick up transmitted POS traffic data from one
register at a time (appears to be the one that logged in most recently)
- even when only capturing data from one register on one port,
WireShark will no longer show data from that register once another
register is logged in (in this case will get NO POS data since only
monitoring the one register)
- if the monitored register is logged out and back in,
WireShark will begin picking up POS data again (only transmit data,
still no received) as long as no other register is logged in after that
time
Of note - Telnet-ing (from the same register, using the same terminal
emulator) into the POS server, but not into the actual POS application,
will result in WireShark picking up all traffic one would expect from a
Telnet session
Everything continues to work through out the issues I'm describing with
WireShark captures. Each register has it's own IP address and the data
I do capture shows these correctly.
I'm attaching a capture from one of our stores (hopefully I've used
editcap correctly... first time to use it):
POS server - 192.9.200.178
Registers - 10.200.11.31 and 10.200.11.32
You can see at around 14:38 traffic is being picked up from
10.200.11.32, then at 14:42 traffic is picked up from 10.200.11.31.
During this whole capture both registers were being used regularly, not
just at the times when traffic was captured.
Well, you actually used too small of a snaplen value. It chopped all
TCP headers. But some notes
1) clearly its cosmetic or is a problem with packet capturing because
the app still works.
2) I noticed all the packets are unidirectional. i.e. the POS are only
listed as SOURCE IP's only.
3) It's interesting that when you use telnet, you see the packets
again. I'm trying to resolve why that would be. How are you capturing
the packets? Are you using a port mirroring from a cheap switch? Is it
possible that the port mirroring/span function is broken?
4) I thought the app may have been munging with the mac addresses, but
that doesn't seem to be the case.
5) When you telnet, do you see two way traffic in the trace?
--
Thanks,
Hansang