Wireshark-users: Re: [Wireshark-users] Looking for some help or advice with an issue
Charles.Neff@xxxxxxxxxx wrote:
I think I made this slightly more confusing than it should be. I'm
gonna try to clear a few things up, then answer your questions and see
if we can get somewhere on this.
First of all:
Servers - located at Corporate office
Registers - located at separate store locations
WireShark - used to monitor at Store locations, on their LAN, using my
laptop
Issues - Wireshark does not capture response data from Server during POS
transactions
- will only pick up transmitted POS traffic data from one
register at a time (appears to be the one that logged in most recently)
- even when only capturing data from one register on one port,
WireShark will no longer show data from that register once another
register is logged in (in this case will get NO POS data since only
monitoring the one register)
- if the monitored register is logged out and back in,
WireShark will begin picking up POS data again (only transmit data,
still no received) as long as no other register is logged in after that
time
Of note - Telnet-ing (from the same register, using the same terminal
emulator) into the POS server, but not into the actual POS application,
will result in WireShark picking up all traffic one would expect from a
Telnet session
Everything continues to work throughout the issues I'm describing with
WireShark captures. Each register has its own IP address and the data
I do capture shows these correctly.
I'm attaching a capture from one of our stores (hopefully I've used
editcap correctly... first time to use it):
POS server - 192.9.200.178
Registers - 10.200.11.31 and 10.200.11.32
You can see at around 14:38 traffic is being picked up from
10.200.11.32, then at 14:42 traffic is picked up from 10.200.11.31.
During this whole capture both registers were being used regularly, not
just at the times when traffic was captured.
Well, you actually used too small of a snaplen value. It chopped all
TCP headers. But some notes
1) clearly it's cosmetic or is a problem with packet capturing because
the app still works.
2) I noticed all the packets are unidirectional, i.e. the POS are only
listed as SOURCE IPs.
3) It's interesting that when you use telnet, you see the packets
again. I'm trying to resolve why that would be. How are you capturing
the packets? Are you using a port mirroring from a cheap switch? Is it
possible that the port mirroring/span function is broken?
4) I thought the app may have been munging with the mac addresses, but
that doesn't seem to be the case.
5) When you telnet, do you see two way traffic in the trace?
--
Thanks,
Hansang
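The two things Hansang points out (a snaplen small enough to chop the TCP headers, and conversations that appear in one direction only) can both be checked mechanically before sending a capture to a list. The script below is an added example written for this page, not code from the thread or from the Wireshark project: it parses the classic little-endian libpcap file format with Ethernet framing directly, builds a small constructed capture in memory (register 10.200.11.32 talking to POS server 192.9.200.178, with one record deliberately truncated below the end of its TCP header), and then reports how many records are truncated, how many lost their TCP header, and which TCP conversations were only ever seen in one direction. The ports, timestamps and payload lengths in the sample are made up for the demonstration.

```python
"""Check a libpcap file for two capture problems: a snaplen that truncates
TCP headers, and TCP conversations captured in only one direction."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # classic libpcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_LEN, IP_MIN_LEN, TCP_MIN_LEN = 14, 20, 20


def build_sample_pcap(snaplen=96):
    """Constructed sample capture (not the thread's attachment): a two-way
    telnet exchange plus a one-way POS flow, the last record of which is
    captured with too few bytes to hold its TCP header."""
    register, server = "10.200.11.32", "192.9.200.178"

    def pkt(src, dst, sport, dport, payload_len, caplen=None):
        ip_total = IP_MIN_LEN + TCP_MIN_LEN + payload_len
        eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, ethertype IPv4
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + b"\x00" * payload_len
        caplen = len(frame) if caplen is None else caplen
        record_hdr = struct.pack("<IIII", 1000, 0, caplen, len(frame))  # ts_sec, ts_usec, incl_len, orig_len
        return record_hdr + frame[:caplen]

    file_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    return file_hdr + b"".join([
        pkt(register, server, 40000, 23, 30),      # telnet, both directions present
        pkt(server, register, 23, 40000, 30),
        pkt(register, server, 40001, 5000, 60),    # POS flow, register -> server only
        pkt(register, server, 40001, 5000, 60, caplen=40),  # 40 bytes: TCP header chopped
    ])


def parse_pcap(data):
    """Return (records, snaplen). Each record notes whether it was truncated,
    whether a full TCP header survived, and the TCP conversation it belongs to."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian libpcap file with Ethernet frames")
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + caplen]
        off += 16 + caplen
        rec = {"caplen": caplen, "origlen": origlen, "truncated": caplen < origlen,
               "tcp_header_complete": False, "conv": None}
        if len(frame) >= ETH_LEN + IP_MIN_LEN and frame[12:14] == b"\x08\x00":
            ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
            proto = frame[23]
            src = ".".join(map(str, frame[26:30]))
            dst = ".".join(map(str, frame[30:34]))
            tcp_off = ETH_LEN + ihl
            if proto == 6 and len(frame) >= tcp_off + TCP_MIN_LEN:
                sport, dport = struct.unpack_from("!HH", frame, tcp_off)
                rec["tcp_header_complete"] = True
                rec["conv"] = ((src, sport), (dst, dport))
        records.append(rec)
    return records, snaplen


def analyze(records):
    """Count truncated records and find conversations with traffic one way only."""
    directions = defaultdict(lambda: [0, 0])    # conversation key -> [forward, reverse]
    for rec in records:
        if rec["conv"] is None:
            continue
        a, b = rec["conv"]
        key = tuple(sorted([a, b]))             # direction-independent key
        directions[key][0 if a == key[0] else 1] += 1
    unidirectional = [k for k, (fwd, rev) in directions.items() if fwd == 0 or rev == 0]
    return {
        "packets": len(records),
        "truncated": sum(r["truncated"] for r in records),
        "tcp_header_chopped": sum(r["truncated"] and not r["tcp_header_complete"] for r in records),
        "unidirectional": unidirectional,
    }


if __name__ == "__main__":
    recs, snap = parse_pcap(build_sample_pcap())
    print(f"snaplen={snap}", analyze(recs))
```

To run it against a real file, replace `build_sample_pcap()` with the bytes read from the capture; a non-empty `unidirectional` list with a healthy snaplen is the signal that the capture point (a SPAN or mirror port, a hub, or the capturing host itself) is only seeing one side of the link rather than Wireshark dropping anything.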