Wireshark-users: Re: [Wireshark-users] Looking for some help or advice with an issue

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Wed, 16 Apr 2008 22:49:39 -0400
Charles.Neff@xxxxxxxxxx wrote:
 >2)  I noticed all the packets are unidirectional.  i.e. the POS are only
 >listed as SOURCE IP's only.

Is this just an observation or something I should be looking into?

Just an observation.


 >3)  It's interesting that when you use telnet, you see the packets
 >again.  I'm trying to resolve why that would be.   How are you capturing
 >the packets?  Are you using a port mirroring from a cheap switch?  Is it
 >possible that the port mirroring/span function is broken?


I've tried a few different ways of capturing the data:
- using a Cisco 2950/2960 switch with port mirroring (only using native VLAN and no EtherChannels) and I've tried this at multiple stores
- using a 3Com hub (true hub)
- also tried with two different NICs, the default one in my Dell laptop and a Xircom PCMCIA card that is supposed to work really well with Sniffers
I see the same results each time.


OK, let's make sure the basics haven't been overlooked.  Are you
1) capturing in promiscuous mode?
2) Can you ping the device in question before, during and after the capture?
3) Are you *SURE* you don't have a capture filter for this application?
4) When you created the span, you're sure you didn't make it one way, right? Default is TX/RX.


I do see two way traffic when I telnet, and again, I'm using the same terminal emulation and connecting to the same server that runs the POS app.

This is the part that's killing me. Is it possible that you have a capture filter that's preventing two way capture for your POS app, but not for this telnet session? *OR* is your POS multihomed? I doubt it, but it does explain the one way traffic on the captures.

--

Thanks,
Hansang
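
A quick way to confirm the one-way symptom discussed in this thread from a saved capture, as an added example that is not part of the original message: it reads a classic pcap file (Ethernet link type, untagged IPv4 only) and lists every source/destination IP pair that never appears in the reverse direction. The function names and the 10.0.0.x addresses are assumptions made up for the illustration.

```python
import struct
from collections import Counter

def ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))

def build_pcap(flows):
    """Build constructed sample input: a classic pcap of minimal Ethernet/IPv4 frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (src, dst) in enumerate(flows):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ip_bytes(src), ip_bytes(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip   # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def one_way_pairs(pcap):
    """Return sorted (src, dst) IP pairs that have no packet in the reverse direction."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    seen = Counter()
    off = 24                                      # first record follows the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                              # skip short or non-IPv4 frames
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        seen[(src, dst)] += 1
    return sorted(pair for pair in seen if (pair[1], pair[0]) not in seen)

# Constructed capture: a POS terminal seen only as a source, plus a two-way telnet session.
SAMPLE = build_pcap([
    ("10.0.0.50", "10.0.0.10"), ("10.0.0.50", "10.0.0.10"),
    ("10.0.0.99", "10.0.0.10"), ("10.0.0.10", "10.0.0.99"),
])

if __name__ == "__main__":
    for src, dst in one_way_pairs(SAMPLE):
        print(f"one-way: {src} -> {dst}")
```

A pair reported here only shows what the capture contains; whether the return traffic is absent on the wire or excluded by a capture filter or a one-direction span still has to be checked against the list above.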