Wireshark-users: Re: [Wireshark-users] Looking for some help or advice with an issue

Date: Thu, 10 Apr 2008 16:09:01 -0500

>Well, you actually used too small of a snaplen value.  It chopped all
>TCP headers.  But some notes
>1)  clearly it's cosmetic or is a problem with packet capturing because
>the app still works.


The reason this issue is becoming a problem is that it's making it hard to capture the data I need in order to get the manufacturer of the Credit Card pads we recently installed involved in an issue we are having with them.  They want to see the packets at the time of the issues and I either can't get them, or only get one direction.

>2)  I noticed all the packets are unidirectional.  i.e. the POS are only
>listed as SOURCE IPs.


Is this just an observation or something I should be looking into?

>3)  It's interesting that when you use telnet, you see the packets
>again.  I'm trying to resolve why that would be.   How are you capturing
>the packets?  Are you using a port mirroring from a cheap switch?  Is it
>possible that the port mirroring/span function is broken?

I've tried a few different ways of capturing the data:
        - using a Cisco 2950/2960 switch with port mirroring (only using native VLAN and no EtherChannels) and I've tried this at multiple stores
        - using a 3Com hub (true hub)
        - also tried with two different NICs, the default one in my Dell laptop and a Xircom PCMCIA card that is supposed to work really well with Sniffers
I see the same results each time.

>4)  I thought the app may have been munging with the mac addresses, but
>that doesn't seem to be the case.

>5)  When you telnet, do you see two way traffic in the trace?


I do see two way traffic when I telnet, and again, I'm using the same terminal emulation and connecting to the same server that runs the POS app.


Hansang Bae <hbae@xxxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx
04/09/2008 09:55 PM
Please respond to: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
cc:
Subject: Re: [Wireshark-users] Looking for some help or advice with an issue

Charles.Neff@xxxxxxxxxx wrote:
>
> I think I made this slightly more confusing than it should be.  I'm
> gonna try to clear a few things up, then answer your questions and see
> if we can get somewhere on this.
>
> First of all:
>
> Servers - located at Corporate office
> Registers - located at separate store locations
> WireShark - used to monitor at Store locations, on their LAN, using my
> laptop
> Issues - Wireshark does not capture response data from Server during POS
> transactions
>         - will only pick up transmitted POS traffic data from one
> register at a time (appears to be the one that logged in most recently)
>         - even when only capturing data from one register on one port,
> WireShark will no longer show data from that register once another
> register is logged in (in this case will get NO POS data since only
> monitoring the one register)
>                 - if the monitored register is logged out and back in,
> WireShark will begin picking up POS data again (only transmit data,
> still no received) as long as no other register is logged in after that
> time
> Of note - Telnet-ing (from the same register, using the same terminal
> emulator) into the POS server, but not into the actual POS application,
> will result in WireShark picking up all traffic one would expect from a
> Telnet session
>
> Everything continues to work throughout the issues I'm describing with
> WireShark captures.  Each register has its own IP address and the data
> I do capture shows these correctly.
>
> I'm attaching a capture from one of our stores (hopefully I've used
> editcap correctly... first time to use it):
>
> POS server - 192.9.200.178
> Registers - 10.200.11.31 and 10.200.11.32
>
> You can see at around 14:38 traffic is being picked up from
> 10.200.11.32, then at 14:42 traffic is picked up from 10.200.11.31.
>  During this whole capture both registers were being used regularly, not
> just at the times when traffic was captured.

Well, you actually used too small of a snaplen value.  It chopped all
TCP headers.  But some notes
1)  clearly it's cosmetic or is a problem with packet capturing because
the app still works.

2)  I noticed all the packets are unidirectional.  i.e. the POS are only
listed as SOURCE IPs.

3)  It's interesting that when you use telnet, you see the packets
again.  I'm trying to resolve why that would be.   How are you capturing
the packets?  Are you using a port mirroring from a cheap switch?  Is it
possible that the port mirroring/span function is broken?

4)  I thought the app may have been munging with the mac addresses, but
that doesn't seem to be the case.

5)  When you telnet, do you see two way traffic in the trace?


--

Thanks,
Hansang
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
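The two capture symptoms raised in this thread, a snaplen too small to keep the TCP headers and conversations seen in only one direction, can be checked mechanically before a trace is sent to a vendor. The script below is an added example, not code from the thread or from the Wireshark project: it parses a classic pcap file directly and reports truncated records, frames too short to carry a full TCP header, and host pairs that appear in only one direction. The sample frames, ports, and the snaplen of 40 are constructed for illustration; only the POS server and register addresses come from the thread.

```python
"""Diagnose a pcap for snaplen truncation and one-directional TCP conversations."""
import struct
from collections import defaultdict

ETH_IP_TCP_MIN = 14 + 20 + 20  # bytes needed for Ethernet + IPv4 + basic TCP header

def make_frame(src, dst, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (no valid checksums; enough for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(frames, snaplen):
    """Constructed classic pcap (Ethernet, link type 1), truncating each frame to snaplen
    exactly as a capture made with that snaplen would."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for ts, frame in frames:
        cap = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(cap), len(frame)) + cap
    return bytes(out)

def analyze(pcap):
    """Count truncated records, frames whose TCP header was chopped off, and
    TCP host pairs that were only ever seen in one direction."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet frames")
    truncated = chopped_tcp = 0
    directions = defaultdict(set)  # unordered host pair -> (src, dst) tuples seen
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        truncated += incl_len < orig_len  # record shorter than the wire frame
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP, or too short to even read the IP addresses
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        chopped_tcp += len(frame) < ETH_IP_TCP_MIN
        directions[frozenset((src, dst))].add((src, dst))
    one_way = sorted(next(iter(d)) for d in directions.values() if len(d) == 1)
    return {"snaplen": snaplen, "truncated": truncated,
            "chopped_tcp": chopped_tcp, "one_way": one_way}

# Constructed sample: a register talking to the POS server with no replies captured,
# plus a telnet exchange between the other register and the same server.
SAMPLE_FRAMES = [
    (100, make_frame("10.200.11.32", "192.9.200.178", 1050, 2000, b"POS")),
    (101, make_frame("10.200.11.32", "192.9.200.178", 1050, 2000, b"POS")),
    (102, make_frame("10.200.11.31", "192.9.200.178", 1051, 23, b"login")),
    (103, make_frame("192.9.200.178", "10.200.11.31", 23, 1051, b"ok")),
]

if __name__ == "__main__":
    print(analyze(build_pcap(SAMPLE_FRAMES, 40)))     # snaplen 40 chops every TCP header
    print(analyze(build_pcap(SAMPLE_FRAMES, 65535)))  # full frames; one-way pair remains
```

Run against a real file with `analyze(open("trace.pcap", "rb").read())`; a non-zero `chopped_tcp` means the capture must be redone with a larger snaplen, while a non-empty `one_way` list with the application still working points at the mirror or capture path rather than the traffic itself.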