Hi,VPN & other software

jamesalambertctr · ‎10-06-2014

I am trying to use a workstation with Wireshark on it to capture the traffic to/from another workstation on the network. The goal is to view all traffic that takes place to this one machine during network imaging.

So I set up the SPAN session on the Cisco WS-3750-48P [12.2(55)SE7]. Fairly simple.

monitor session 1 source interface fastEthernet1/0/1 (workstation we are imaging)

monitor session 1 destination interface fastEthernet1/0/2 (workstation with Wireshark)

I ensure the SPAN session on the switch (show monitor session 1 detail). I also ensure that the monitoring machine is plugged into the correct port (f1/0/2).

I fire up Wireshark, choose the NIC, ensure 'promiscuous mode' and then start the capture. The machine is a Dell Optiplex 760 running Windows 7 Enterprise. NIC: Intel 82567LM-3 Gigabit

Then we start the PXE boot and the target machine is off & running; imaging as normal.

Nothing but a handful of local (my machine) ARPs and a few UDP lines in the Wireshark window. I see nothing to/from the other machine (the mirrored port).

Any thoughts on why Wireshark is not picking up this traffic? Where can I start trouble-shooting. I have been trying to get to the Wireshark pages but that's a no-go as of right now. I cannot give any screen shots of this.

Any help is appreciated.

mmacovsky · ‎10-06-2014

Hello,

Could you post the port configurations for F1/0/1 - 2.

It could help,

Thanks :)

jamesalambertctr · ‎10-06-2014

Certainly,

Both ports were configured the same. When I set up the session, I also checked the 'show int status' output and fastEthernet 1/0/1 was in 'MONITOR' status.

interface fastEthernet1/0/1 - 2

switchport mode access

switchport access vlan 65

spanning-tree portfast

spanning-tree bpduguard enable

no shut

Should the configuration be defaulted when setting up a monitor session?

Again, I appreciate any help.

vishal vyas · ‎10-06-2014

On destination port, in your case fa-1/0/2 should have just one command.

int fa 1/0/2

switchport

no shut

Sebastian Frank · ‎10-06-2014

Seems like monitor mode is not enabled in the network card driver:

http://www.intel.com/support/network/sb/cs-005897.htm

jamesalambertctr · ‎10-06-2014

Okay. I will default the port next time around, set just the 'switchport' and 'no shut' commands for the destination port.

I will also begin reading up on the Intel NIC from the posted link. Hopefully we are allowed to make those changes.

Thank you both for the assistance. It may take me a few but I will try this again and report back.

stephenshaw · ‎10-07-2014

Hi,

VPN & other software utilities can interfere with the TCP/IP stack on your machine and result in Wireshark not capturing the traffic properly. I experienced this when Checkpoint VPN software was loaded on the m/c I was using ... as soon as it was disabled, Wireshark captured all traffic. Something to look into.

Cheers,

Steve

ougryphon · ‎11-04-2014

I had the same problem. I could see from the switch interface statistics that the data was being forwarded and the raw bytes received count on my laptop's NIC was going up, but Wireshark was only showing a small fraction of the traffic. Turned out Symantec's Network Threat Protection was filtering out all the data. I turned off Symantec and was immediately flooded with the traffic I was looking for. Hopefully it is that simple for OP.

glen.grant · ‎11-04-2014

Make sure the Windows 7 firewalls are turned off .

Wireshark not capturing traffic from SPAN port