Wireshark-users: Re: [Wireshark-users] Having problem tracing multiple ip addresses

From: "Robert Blair" <bob-wireshark@xxxxxxxxxxxxx>
Date: Tue, 27 Apr 2021 16:49:20 -0700
** Reply to message from Hugo van der Kooij via Wireshark-users
<wireshark-users@xxxxxxxxxxxxx> on Mon, 26 Apr 2021 07:23:43 +0000

> Bob,
> 
> My first guess would be that you never see the packets on the interface you are
> snooping on. Can you check by removing the filter and see if you get them
> unfiltered?
> Let's make sure we look at solving the right problem.
> 
> Regards, Hugo.
> 
> -----Original Message-----
> From: Wireshark-users <wireshark-users-bounces@xxxxxxxxxxxxx> On Behalf Of Robert Blair
> Sent: Friday, 23 April 2021 20:36
> To: wireshaer <wireshark-users@xxxxxxxxxxxxx>
> Subject: [Wireshark-users] Having problem tracing multiple ip addresses
> 
> I changed three IoT devices from DHCP to static addresses so I could trace all three of them.
> 
> When I enter "net 192.168.60.201" in the capture filter I get all traffic to and from the ip.
> 
> If I enter "net 192.168.60.200/30" I get all traffic from the ip addresses but
> none going to the ip addresses.  According to the documentation at
> <https://wiki.wireshark.org/CaptureFilters> that syntax should capture all
> traffic going to and from the device.
> 
> Any assistance on getting the trace to work will be appreciated.

On another OS I have used IP tracing many times, on Ubuntu only two or three
times.  After seeing the trace from Wireshark I now have no clue what is going
on.

When I started with these IoT devices I had both of the router's WIFI interfaces
with the same SSID and password.  This caused problems trying to configure the
IoT device; support told me to make the WIFI interfaces use different SSIDs.  At
that time I changed my laptop to use the 2.4 GHz WIFI interface as the IoT
devices only use 2.4 GHz.  So my testing has been with the laptop using WIFI only;
the wired NIC was not plugged in.

These tests were run with Wireshark on my laptop and using an iPad to control
the device.  The app on the iPad communicates with a cloud program that sends
the commands to the devices and returns information to the iPad.

No wired interface and WIFI (wlp0s20f3) on the 2.4 GHz interface.  Using
Wireshark (capture everything and display filter the devices) the only messages
I see are the IoT device sending the broadcast to 224.0.x.x.  I had expected to
see all of the traffic to and from the device.

With the wired interface (enp1s0) and WIFI.  Using Wireshark (capture
everything and display filter the devices) I see traffic only to and from my
local LAN and the broadcast messages.  Nothing to or from the internet.

-- 
Robert Blair

The Constitution is not a document for the government to restrain the people: it is an instrument for the people to restrain the government.  -- Patrick Henry
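
Added example, not part of the original messages: a Python sketch of the check Hugo suggests, run over the address pairs of an unfiltered capture. It models the `net 192.168.60.200/30` primitive as "source or destination inside the network" and tallies each device's packets by direction, so a missing "to" count can be read as packets that never reached the capture interface. The function names and the sample packets (including 224.0.0.251 and 203.0.113.10) are constructed for illustration.

```python
import ipaddress
from collections import Counter


def net_filter_matches(cidr, src, dst):
    """Model the capture-filter primitive 'net <cidr>': true when either
    the source or the destination address lies inside the network."""
    # strict=True raises ValueError when host bits are set, e.g.
    # 192.168.60.201/30; libpcap also refuses such a filter.
    net = ipaddress.ip_network(cidr, strict=True)
    return (ipaddress.ip_address(src) in net
            or ipaddress.ip_address(dst) in net)


def direction_tally(cidr, packets):
    """Count, per address inside cidr, packets sent ('from') and
    packets received ('to') in a list of (src, dst) pairs."""
    net = ipaddress.ip_network(cidr, strict=True)
    tally = Counter()
    for src, dst in packets:
        if ipaddress.ip_address(src) in net:
            tally[(src, "from")] += 1
        if ipaddress.ip_address(dst) in net:
            tally[(dst, "to")] += 1
    return tally


# Constructed (src, dst) pairs standing in for an unfiltered capture.
SAMPLE = [
    ("192.168.60.201", "224.0.0.251"),   # device multicast
    ("192.168.60.202", "224.0.0.251"),   # device multicast
    ("192.168.60.201", "203.0.113.10"),  # device to a cloud host
    ("203.0.113.10", "192.168.60.201"),  # cloud host back to the device
    ("192.168.60.50", "192.168.60.1"),   # unrelated LAN traffic
]

if __name__ == "__main__":
    cidr = "192.168.60.200/30"
    covered = [str(a) for a in ipaddress.ip_network(cidr)]
    print("addresses covered:", covered)
    kept = [p for p in SAMPLE if net_filter_matches(cidr, *p)]
    print("packets the filter keeps:", len(kept), "of", len(SAMPLE))
    for (addr, direction), n in sorted(direction_tally(cidr, SAMPLE).items()):
        print(f"{addr:16} {direction:4} {n}")
```

A device that shows only "from" rows in the unfiltered capture has no inbound packets for any capture filter to keep.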