Wireshark-users: Re: [Wireshark-users] Looking for some help or advice with an issue
Date: Mon, 7 Apr 2008 15:41:46 -0500

I think I made this slightly more confusing than it should be.  I'm gonna try to clear a few things up, then answer your questions and see if we can get somewhere on this.

First of all:

Servers - located at Corporate office
Registers - located at separate store locations
WireShark - used to monitor at Store locations, on their LAN, using my laptop
Issues - Wireshark does not capture response data from Server during POS transactions
        - will only pick up transmitted POS traffic data from one register at a time (appears to be the one that logged in most recently)
        - even when only capturing data from one register on one port, WireShark will no longer show data from that register once another register is logged in (in this case will get NO POS data since only monitoring the one register)
                - if the monitored register is logged out and back in, WireShark will begin picking up POS data again (only transmit data, still no received) as long as no other register is logged in after that time
Of note - Telnet-ing (from the same register, using the same terminal emulator) into the POS server, but not into the actual POS application, will result in WireShark picking up all traffic one would expect from a Telnet session

>So the original POS is still working?  This is critical so we need to
>know.  It almost sounds like you are behind a NAT and you *think* you
>are seeing the same IP, but at the TCP level, they are different
>conversations.  What does "Statistics, Conversation List" say?


Everything continues to work throughout the issues I'm describing with WireShark captures.  Each register has its own IP address and the data I do capture shows these correctly.

I'm attaching a capture from one of our stores (hopefully I've used editcap correctly... first time to use it):

POS server - 192.9.200.178
Registers - 10.200.11.31 and 10.200.11.32

You can see at around 14:38 traffic is being picked up from 10.200.11.32, then at 14:42 traffic is picked up from 10.200.11.31.  During this whole capture both registers were being used regularly, not just at the times when traffic was captured.



=================================
Charley Neff
Communications Analyst
1200  IH 35 N.
San Marcos, Texas 78666
512-395-6676
512-805-6819 (Fax)
=================================
http://www.mccoys.com



Hansang Bae <hbae@xxxxxxxxxx>
Sent by: wireshark-users-bounces@xxxxxxxxxxxxx

04/04/2008 10:09 PM

Please respond to
Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>

To
Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
cc
Subject
Re: [Wireshark-users] Looking for some help or advice with an issue





Charles.Neff@xxxxxxxxxx wrote:
>
> I've been using Wireshark (ethereal before the change) for a few years
> now to help track down possible network issues, and something I've
> noticed throughout is now becoming a problem that I need some help with.
>
> When capturing POS traffic off of registers, locally at my remote
> locations, I'm getting strange results as far as loss of packet info to
> different degrees.

Wait, I'm confused.  The POS are remote and you are capturing from a
central location?


> We use FacetWin terminal emulation for our custom POS system that uses
> telnet.  When monitoring the tcp traffic from a register, I'm not seeing
> the echoed responses from the POS server, only the transmitted data from
> the registers.  

When the telnet client connects, it will exchange what it can and can't
do.  You should see them as "IAC blah"  (IAC == Interpret As Command)


> Also, I will lose traffic from one register completely
> if another session of FacetWin is started on another register, and I
> will begin to only see the data from that second register, even though
> the initial register is still being used.  This will continue to happen
> as new sessions are opened on different or previous registers.

So the original POS is still working?  This is critical so we need to
know.  It almost sounds like you are behind a NAT and you *think* you
are seeing the same IP, but at the TCP level, they are different
conversations.  What does "Statistics, Conversation List" say?


> Using the same FacetWin program but changing the login info so that I am
> telneted into the POS server with my username (as opposed to just
> logging in as a register), I can see all traffic as I should and it will
> never drop or be replaced by another session.  As soon as the POS side
> of the server is accessed for transactions, the problem occurs.


I'm not sure what the last sentence means.

>
> These issues are happening with the Credit/Debit Signature pads that we
> have recently attempted to rollout with issues of lock ups, and the loss
> of traffic data is making it difficult to capture packets at the time of
> a lockup.  These pads are connecting to the same server as the registers.
>
> I'm running the sniffer locally, on a Cisco switch with port mirroring
> turned on.  I've also tried using a straight hub.  I've monitored the
> router port, and I've tried monitoring only one port for one register at
> a time.  I'm not filtering any of the data, just trying to capture
> everything.  We are using Wyse terminals for the registers, and as I
> said FacetWin for terminal emulation.  The POS server is Unix based.
>
> Given the way this problem presents itself, and some research I've done,
> I'm leaning towards the issue somehow being caused by the POS
> programming, but I don't know how it would be affecting the packets, or
> changing them so they wouldn't be picked up by Wireshark.  


That would be impossible *unless*  the program uses its own framing.
And that's not very likely.  So the question is:  when the IP is
hijacked (from your perspective), do the others continue to work?


>
> Since I'm on the network side, I'm going to need some compelling
> information or ideas to get anywhere with the programmers on figuring
> this out.
>
> If anyone has any suggestions or ideas, please let me know.  At this
> point I am truly grateful for any and all help.

Can you upload some sample captures?  You can use editcap to chop off
everything besides the headers.


--

Thanks,
Hansang
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

Attachment: Store11cap.pcap
Description: Binary data
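An added example, written for this page and not code from either poster: it performs the check behind Hansang's "Statistics, Conversation List" question, counting packets per direction for every TCP conversation in a capture and flagging the one-way ones (what you would expect if the mirror port spans only rx or tx, or if the capture NIC drops one side). It assumes a classic libpcap (.pcap) file, not pcapng; the sample capture is constructed inline from the addresses given in the post.

```python
import struct
from collections import defaultdict

SERVER, REG_A, REG_B = "192.9.200.178", "10.200.11.31", "10.200.11.32"  # from the post

def build_frame(src_ip, sport, dst_ip, dport):
    """Constructed minimal Ethernet/IPv4/TCP frame: no payload, checksums left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic libpcap file (little-endian, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1207600000 + i, 0, len(f), len(f)) + f
    return out

def conversations(pcap):
    """Map each TCP conversation (endpoints sorted) to [packets a->b, packets b->a].
    Classic libpcap only; byte order is taken from the magic number."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    convs, off = defaultdict(lambda: [0, 0]), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # only IPv4/TCP matters for the telnet sessions discussed
        ihl = (frame[14] & 0x0F) * 4
        src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        a, b = sorted([(src, sport), (dst, dport)])
        convs[(a, b)][0 if (src, sport) == a else 1] += 1
    return dict(convs)

def one_way(convs):
    """Conversations with packets in only one direction: the symptom of a mirror
    session that copies rx or tx only, or a capture NIC that drops one side."""
    return sorted(k for k, (ab, ba) in convs.items() if ab == 0 or ba == 0)

# Constructed sample: register .32 is seen only towards the server, .31 in both directions.
SAMPLE = build_pcap(
    [build_frame(REG_B, 40001, SERVER, 23)] * 3
    + [build_frame(REG_A, 40002, SERVER, 23), build_frame(SERVER, 23, REG_A, 40002)] * 2)

if __name__ == "__main__":
    for (a, b), (ab, ba) in conversations(SAMPLE).items():
        print(f"{a[0]}:{a[1]} <-> {b[0]}:{b[1]}  a->b={ab}  b->a={ba}")
    print("one-way:", one_way(conversations(SAMPLE)))
```

To run it against a real file, replace SAMPLE with `open("Store11cap.pcap", "rb").read()`; a register that shows up only in the a->b column is being captured in one direction, which is worth checking against the switch's monitor session configuration before looking at the POS application.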