I've got a case where I'm certain there are packets on the wire, but I'm
not able to pick them up in wireshark/tshark (or from tcpdump and dumpcap
either for that matter).
The setup:
a device (that is currently under development -- I'm the developer)
appears to be flooding the network with some kind of packet, but the
device itself appears to be offline, i.e. `ip addr` reports no address for
the interface and indicates that its 'state' is down. The packet flood is
enough to DoS the rest of my LAN (unless I segregate or isolate it) and
the flood stops when I disconnect the device from the LAN.
The evidence:
* the local switch shows flashing activity lights on the port
  the device is connected to.
* I've inserted a sharktap device in-line between the device and the
  switch -- activity lights flash on all ports there as well.
The problem:
* I can't sniff these packets.
I have command line/console access on the device itself, but running
tcpdump there doesn't show the packet flood. I presume this is because
the Ethernet driver is not reporting anything back to the kernel because
it thinks it's down.
I have a laptop, running the latest Wireshark, connected to the tap port
on the sharktap, but it's not showing me the flood either (it IS running
in promiscuous mode and DOES show me other packets that might be on the
wire).
For what it's worth, I've even connected the device directly to the laptop
w/o the switch or tap and I see the same thing: nothing.
How can I determine what's on the network? It's very clear that there ARE
packets on the network based on the activity lights and the resulting DoS
from the flood.
_______________________________________________________
Alan Partis
thundernet development group
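One way to test the hypothesis in the post (frames reaching the NIC but never handed to the capture path) is to watch the kernel's per-interface counters instead of pcap: frames with a bad FCS, runts or oversize frames are counted in the rx_*_errors statistics and are never delivered to tcpdump. The script below is an added example, not part of the original post; it assumes a Linux host exposing /sys/class/net/<iface>/statistics, and the STATS_ROOT override and the eth0 interface name are illustrative.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: sample the kernel's
# per-interface counters in /sys/class/net/<iface>/statistics over an
# interval. pcap only sees frames the driver accepted; errored frames
# show up in rx_*_errors, so the counters can reveal traffic the sniffer
# cannot. STATS_ROOT is overridable so the functions can also be run
# against a constructed directory tree instead of the live sysfs.
STATS_ROOT="${STATS_ROOT:-/sys/class/net}"

# Print one counter, or 0 if this driver does not expose it.
read_counter() {            # $1 = iface, $2 = counter name
    f="$STATS_ROOT/$1/statistics/$2"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Snapshot the counters of interest as "name=value" lines.
snapshot() {                # $1 = iface
    for c in rx_packets rx_bytes rx_errors rx_dropped rx_crc_errors \
             rx_length_errors rx_frame_errors rx_fifo_errors; do
        printf '%s=%s\n' "$c" "$(read_counter "$1" "$c")"
    done
}

# Print "name delta" for every counter that grew between two snapshots.
diff_snapshots() {          # $1 = before, $2 = after (snapshot text)
    printf '%s\n' "$1" | while IFS='=' read -r name before; do
        after=$(printf '%s\n' "$2" | sed -n "s/^$name=//p")
        if [ "${after:-0}" -gt "$before" ]; then echo "$name $((after - before))"; fi
    done
}

# One-word verdict from a diff:
#   delivered - good frames reached the stack, so look at the capture setup
#   errored   - frames hit the NIC but were rejected (bad FCS, runts, ...)
#   silent    - nothing countable arrived at this NIC at all
classify() {                # $1 = output of diff_snapshots
    good=$(printf '%s\n' "$1" | awk '$1 == "rx_packets" { print $2 }')
    bad=$(printf '%s\n' "$1" | awk '/^rx_.*errors / { s += $2 } END { print s + 0 }')
    if [ "${good:-0}" -gt 0 ]; then echo delivered
    elif [ "$bad" -gt 0 ]; then echo errored
    else echo silent; fi
}

# Watch an interface for N seconds (default 5), print deltas and verdict.
watch_iface() {             # $1 = iface, $2 = seconds
    before=$(snapshot "$1"); sleep "${2:-5}"; after=$(snapshot "$1")
    d=$(diff_snapshots "$before" "$after")
    printf '%s\n' "$d"; classify "$d"
}
```

Run `watch_iface eth0 10` on the laptop's tap-facing interface (and, if the driver keeps counting while the link is administratively down, on the device itself) while the flood is active; an "errored" verdict means the frames exist but are malformed, which is consistent with a MAC or PHY under development.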