I'm trying to capture an SSLv3 encrypted connection between a target device I'm developing using a PIC32 micro and the Microchip TCP/IP stack (v5.41) + Encryption (v2.6), using Wireshark (v1.6.8). I'm connecting to an OpenSSL loopback server set up for development testing.

When I capture the trace, Wireshark displays only the outgoing packets from my device to the server and does not display the packets from the server to my device. This condition also occurs when I try to connect to the same server using a PC with OpenSSL installed.

I'm using a Cisco 2940 switch with one port setup as a SPAN port to monitor the target port and can see normal packet tracing for other operations.

Test:
1. Begin monitoring on the Wireshark PC.
2. On the OpenSSL client PC (WinXP) (connected to the target port) in a command window, enter:
   openssl s_client -tls1 -debug -msg -connect 184.106.243.199:8100
3. (exit openssl with ^C)

What I see in Wireshark with filter: ip.addr == 184.106.243.199 and decoding packets as SSL is the following:

15051 1192.225736 192.168.40.118        184.106.243.199       TCP      62     icap > xprint-server [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1  
15052 1192.238143 192.168.40.118        184.106.243.199       TCP      60     icap > xprint-server [ACK] Seq=1 Ack=1 Win=65535 Len=0  
15053 1192.239998 192.168.40.118        184.106.243.199       TLSv1    281    Client Hello  
15072 1192.960738 192.168.40.118        184.106.243.199       TCP      60     icap > xprint-server [ACK] Seq=228 Ack=892 Win=64644 Len=0  
15081 1193.011324 192.168.40.118        184.106.243.199       TLSv1    321    Client Key Exchange  
15091 1193.224782 192.168.40.118        184.106.243.199       TLSv1    113    Change Cipher Spec, Encrypted Handshake Message  
15102 1193.398381 192.168.40.118        184.106.243.199       TCP      60     icap > xprint-server [ACK] Seq=554 Ack=951 Win=64585 Len=0  
15567 1241.651443 192.168.40.118        184.106.243.199       TCP      60     icap > xprint-server [RST, ACK] Seq=554 Ack=951 Win=0 Len=0

To verify I'm not crazy, I also tried connecting to the google secure server on port 443 as below.
Test:
1. Begin monitoring on the Wireshark PC.
2. On the OpenSSL client PC (WinXP) in a command window, enter:
   openssl s_client -tls1 -debug -msg -connect 173.194.73.105:443

What I see in Wireshark with filter: ip.addr == 184.106.243.199 and decoding packets as SSL is the following:

92 3.762313    192.168.40.118        173.194.73.105        TCP      62     ewall > https [SYN] Seq=0 Win=65535 Len=0 MSS=1460 SACK_PERM=1  
93 3.804021    173.194.73.105        192.168.40.118        TCP      62     https > ewall [SYN, ACK] Seq=0 Ack=1 Win=14300 Len=0 MSS=1380 SACK_PERM=1  
94 3.804320    192.168.40.118        173.194.73.105        TCP      60     ewall > https [ACK] Seq=1 Ack=1 Win=65535 Len=0  
95 3.806236    192.168.40.118        173.194.73.105        TLSv1    281    Client Hello  
100 3.848685    173.194.73.105        192.168.40.118        TCP      60     https > ewall [ACK] Seq=1 Ack=228 Win=15008 Len=0  
101 3.852786    173.194.73.105        192.168.40.118        TLSv1    1434   Server Hello  
102 3.855217    173.194.73.105        192.168.40.118        TLSv1    592    Certificate, Server Key Exchange, Server Hello Done  
103 3.855614    192.168.40.118        173.194.73.105        TCP      60     ewall > https [ACK] Seq=228 Ack=1919 Win=65535 Len=0  
135 4.885909    192.168.40.118        173.194.73.105        TLSv1    129    Client Key Exchange  
140 4.966594    173.194.73.105        192.168.40.118        TCP      60     https > ewall [ACK] Seq=1919 Ack=303 Win=15008 Len=0  
141 4.966922    192.168.40.118        173.194.73.105        TLSv1    101    Change Cipher Spec, Encrypted Handshake Message  
142 5.008089    173.194.73.105        192.168.40.118        TCP      60     https > ewall [ACK] Seq=1919 Ack=350 Win=15008 Len=0  
143 5.009382    173.194.73.105        192.168.40.118        TLSv1    264    Encrypted Handshake Message, Change Cipher Spec, Encrypted Handshake Message  
148 5.152751    192.168.40.118        173.194.73.105        TCP      60     ewall > https [ACK] Seq=350 Ack=2129 Win=65325 Len=0  
316 9.829701    192.168.40.118        173.194.73.105        TCP      60     ewall > https [RST, ACK] Seq=350 Ack=2129 Win=0 Len=0

Does anyone have any thoughts on why Wireshark does not seem to display the packets coming from a server on port 8100?

Thanks, Bill

asked 01 Jun '12, 17:25 by William Powell (edited 08 Jun '12, 14:27)

  1. did you use any capture filter?
  2. what is the network setup? client pc -- switch -- ???? -- 184.106.243.199
  3. are there several interfaces on the client pc?
  4. if you ping 184.106.243.199 from the client pc, do you see the request and the reply in wireshark?
(02 Jun '12, 02:03) Kurt Knochner ♦

1. I did not use any capture filter (unless there is a default that is being used by Wireshark), just a display filter. Is there a way for me to verify no capture filter is being used?
2. I'm not sure of the network setup after the Cisco 2940 switch. I believe it is connected to another Cisco switch that is using VLANs and then ... eventually gets to the internet.
3. There is a single Ethernet interface on the client PC.
4. Tried a ping this morning and I can see both outgoing and incoming ICMP messages.

(04 Jun '12, 06:52) William Powell

Is there a way for me to verify no capture filter is being used?

There is no default filter. Please check this: Capture -> Options -> Capture Filter (looks totally different in 1.7.x).

4.Tried a ping this morning and I can see both outgoing and incoming ICMP messages.

Just to be sure. You do see both ICMP messages in wireshark (attached to a mirror port on a switch), but you don't see a TCP reply (SYN-ACK and others) with the same wireshark setup to the same endpoint? HOWEVER, you do see bidirectional traffic from the same client (with the same wireshark setup) to google?

(04 Jun '12, 07:22) Kurt Knochner ♦

Opened the capture options dialog and I don't see anything specified.

On your last question:
- I do see both incoming and outgoing ICMP per the trace above,
- I do NOT see both incoming and outgoing TCP to the same endpoint using the ssl test command.
- I do see bidirectional traffic from the same client and Wireshark setup when connected to google using the ssl test command.

(04 Jun '12, 08:39) William Powell

Here is the ping trace with display filter ip.addr == 184.106.243.199
160 14.143801 192.168.40.118 184.106.243.199 ICMP 74 Echo (ping) request id=0x0200, seq=59650/745, ttl=128
161 14.154775 184.106.243.199 192.168.40.118 ICMP 74 Echo (ping) reply id=0x0200, seq=59650/745, ttl=115
184 15.129103 192.168.40.118 184.106.243.199 ICMP

(04 Jun '12, 08:40) William Powell

One thing that might provide a clue is that port 8100 is listed as a registered port in the IANA list - Xprint Server, which sounds like something Wireshark might want to filter out (e.g. incoming traffic). I'm not sure why the test server is on this port.

(04 Jun '12, 10:04) William Powell

Please check if the mirror port on your switch is configured for both directions (ingress and egress).

Please run this command and post the result here:

show monitor

and/or

show monitor session <n>

where <n> is the monitor session number (<n> can be the string: all).

You should NOT see any of these strings in the output (except it is intended ;-)): RX Only or TX only.

BTW: What do you see if you change the display filter from ip.addr to:

tcp.port eq 8100

Regards
Kurt

answered 04 Jun '12, 07:31 by Kurt Knochner ♦ (edited 04 Jun '12, 08:02)

Here's the show monitor output:

sh mon

Session 1

Type : Local Session
Source Ports :
Both : Fa0/3
Destination Ports : Fa0/2
Encapsulation : DOT1Q
Ingress: Enabled, default VLAN = 40
Ingress encapsulation: DOT1Q

(04 Jun '12, 08:41) William Powell

Why is dot1q encapsulation enabled?

(04 Jun '12, 08:55) Kurt Knochner ♦

When I set the filter to tcp.port eq 8100, I see only the outgoing packets from the client PC, but the SSL connection is made, indicating incoming packets were received.

(04 Jun '12, 10:41) William Powell

We enabled dot1q encapsulation to see if it made a difference and forgot to remove it.

(04 Jun '12, 10:42) William Powell

Can you please remove dot1q encapsulation and then retry.

According to the information you gave, there is (yet) no plausible reason why you can't see the answer packets.

May I ask for some further information, just to double check:

  • is port Fa0/3 the one where your client PC is connected to
  • client pc: route print
  • client pc: ipconfig /all
  • Please use this command to sniff the traffic (wireshark pc):

tshark -n -i <N> -w c:\output.cap host 184.106.243.199
Use tshark -D to get the interface ID (option -i <N>)

What do you see in the capture file now?
Can you post a sample capture with the TCP connection and the ping test?

(04 Jun '12, 15:21) Kurt Knochner ♦
  • port Fa0/3 is the client PC
(04 Jun '12, 16:56) William Powell

I apologize for the poor formatting quality of these postings. I can't seem to figure out how to do the markdown...

Route print:

Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 ed 5c d4 ...... Intel(R) PRO/1000 MT Network Connection - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.40.1 192.168.40.117 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.40.0 255.255.255.0 192.168.40.117 192.168.40.117 20
192.168.40.117 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.40.255 255.255.255.255 192.168.40.117 192.168.40.117 20
224.0.0.0 240.0.0.0 192.168.40.117 192.168.40.117 20
255.255.255.255 255.255.255.255 192.168.40.117 192.168.40.117 1
Default Gateway: 192.168.40.1
===========================================================================
Persistent Routes:
None

(04 Jun '12, 17:07) William Powell

At one point, I believe the client PC had a MAC miniport driver (e.g. the Teefer Miniport in the listing above), but I've checked and there is only one ethernet card in the PC.

(04 Jun '12, 17:09) William Powell

IP config all:

Windows IP Configuration

    Host Name . . . . . . . . . . . . : 1000IND
    Primary Dns Suffix  . . . . . . . : indesign.net
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : indesign.net
                                        indesign.net

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : indesign.net
    Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
    Physical Address. . . . . . . . . : 00-0D-56-ED-5C-D4
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.40.117
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.40.1
    DHCP Server . . . . . . . . . . . : 192.168.10.35
    DNS Servers . . . . . . . . . . . : 192.168.10.29
                                        192.168.10.35
    Lease Obtained. . . . . . . . . . : Monday, June 04, 2012 7:27:04 PM
    Lease Expires . . . . . . . . . . : Tuesday, June 12, 2012 7:27:04 PM
(04 Jun '12, 17:10) William Powell

Capture file still shows only outgoing packets and bidirectional Ping. How do I upload the output.cap file?

(04 Jun '12, 17:27) William Powell

Here's the capture file as a hexadecimal text output. I tested by using File->Import using hex option, and it gave me the same display as if I opened the output.cap file:


0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 30 43 66 40 00 80 06 22 12 c0 a8 28 75 b8 6a   .0Cf@..."...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 12 28 00 00 00 00 70 02   .......7.(....p.
0030  ff ff 15 13 00 00 02 04 05 b4 01 01 04 02         ..............

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 28 43 67 40 00 80 06 22 19 c0 a8 28 75 b8 6a   .(Cg@..."...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 12 29 40 d6 df ab 50 10   .......7.)@...P.
0030  ff ff 21 45 00 00 00 00 00 00 00 00               ..!E........

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  01 0b 43 68 40 00 80 06 21 35 c0 a8 28 75 b8 6a   ..Ch@...!5..(u.j
0020  f3 c7 05 b9 1f a4 a1 37 12 29 40 d6 df ab 50 18   .......7.)@...P.
0030  ff ff b8 93 00 00 16 03 01 00 de 01 00 00 da 03   ................
0040  01 4f cd 50 5c a3 a7 4a 28 5c 12 3b f0 14 22 f9   .O.P\..J(\.;..".
0050  48 8d 30 cb 09 40 df 1c d1 62 48 c9 54 da 60 a4   H.0..@...bH.T`.
0060  b6 00 00 68 c0 14 c0 0a c0 22 c0 21 00 39 00 38   ...h.....".!.9.8
0070  00 88 00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08   .........5......
0080  c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13   ................
0090  c0 09 c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45   .......3.2.....E
00a0  00 44 c0 0e c0 04 00 2f 00 96 00 41 00 07 c0 11   .D...../...A....
00b0  c0 07 c0 0c c0 02 00 05 00 04 00 15 00 12 00 09   ................
00c0  00 14 00 11 00 08 00 06 00 03 00 ff 01 00 00 49   ...............I
00d0  00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 00 0e   ...........4.2..
00e0  00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16   ................
00f0  00 17 00 08 00 06 00 07 00 14 00 15 00 04 00 05   ................
0100  00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11   ................
0110  00 23 00 00 00 0f 00 01 01                        .#.......

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 28 43 6b 40 00 80 06 22 15 c0 a8 28 75 b8 6a   .(Ck@..."...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 13 0c 40 d6 e3 26 50 10   .......7..@..&P.
0030  fc 84 20 62 00 00 00 00 00 00 00 00               .. b........

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  01 33 43 6c 40 00 80 06 21 09 c0 a8 28 75 b8 6a   .3Cl@...!...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 13 0c 40 d6 e3 26 50 18   .......7..@..&P.
0030  fc 84 7b dc 00 00 16 03 01 01 06 10 00 01 02 01   ..{.............
0040  00 4c ff 3b 8f 9d 36 a5 25 8e fb 7d 80 9e af 37   .L.;..6.%..}...7
0050  f8 67 0c 78 6c 11 04 cd b0 e4 fa a6 7c 2a 59 b6   .g.xl.......|*Y.
0060  db 7f 1d 2d 0f 08 6b 79 02 1a 50 a5 e8 be a6 92   ...-..ky..P.....
0070  ac 1e 69 59 94 77 5a fc bd 08 21 61 bd 94 c7 0a   ..iY.wZ...!a....
0080  bb 39 bc 75 e3 f7 de f3 f3 97 d9 6c 88 a9 8c b2   .9.u.......l....
0090  28 3d f1 83 13 6e 52 7e 00 1d 6a 52 88 c2 47 1e   (=...nR~..jR..G.
00a0  ed 66 7a aa 98 b5 c1 db 2b 37 65 6a 41 4f e6 ad   .fz.....+7ejAO..
00b0  62 eb 0b 23 d3 28 35 dc a3 ef b7 26 03 74 16 8c   b..#.(5....&.t..
00c0  4c 04 d4 d5 cc 50 b5 35 d1 aa 51 eb cd 31 19 50   L....P.5..Q..1.P
00d0  5f f9 cd c1 89 48 0f a3 0b 72 39 04 6f cd 21 e8   _....H...r9.o.!.
00e0  53 1a 60 72 9a 2b d1 e5 79 b2 83 53 ec 19 e2 d0   S.`r.+..y..S....
00f0  fa 84 c6 29 ab c4 f7 d5 bd 0e 67 32 40 85 4f 16   ...)......g2@.O.
0100  f3 f8 9a 03 c1 19 05 3a 14 2a cb a7 ed 7e 04 fd   .......:.*...~..
0110  17 56 ca be 02 09 ba 72 c8 af 9d 0a 4c d4 25 8c   .V.....r....L.%.
0120  69 a3 28 a1 99 e1 65 4a 1f 7b f3 1c e8 67 75 4b   i.(...eJ.{...guK
0130  4b 33 c0 b2 72 56 df 6f c0 96 bc 02 1d 40 84 5e   K3..rV.o.....@.^
0140  13                                                .

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 63 43 6d 40 00 80 06 21 d8 c0 a8 28 75 b8 6a   .cCm@...!...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 14 17 40 d6 e3 26 50 18   .......7..@..&P.
0030  fc 84 36 23 00 00 14 03 01 00 01 01 16 03 01 00   ..6#............
0040  30 bd 04 9b cd 2a 6b 4e 4b 71 cf 78 ca 82 ab 6d   0....*kNKq.x...m
0050  0c 77 18 8d 97 a9 f2 7c be 33 5e 02 23 04 d9 e5   .w.....|.3^.#...
0060  17 9f 2c 80 f8 da 8c c4 7f 9e 9e 4c a1 74 21 d4   ..,........L.t!.
0070  4a                                                J

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 28 43 6e 40 00 80 06 22 12 c0 a8 28 75 b8 6a   .(Cn@..."...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 14 52 40 d6 e3 61 50 10   .......7.R@..aP.
0030  fc 49 1f 1c 00 00 00 00 00 00 00 00               .I..........

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 28 43 6f 40 00 80 06 22 11 c0 a8 28 75 b8 6a   .(Co@..."...(u.j
0020  f3 c7 05 b9 1f a4 a1 37 14 52 40 d6 e3 61 50 14   .......7.R@..aP.
0030  00 00 1b 62 00 00 00 00 00 00 00 00               ...b........

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 3c 43 7c 00 00 80 01 61 f5 c0 a8 28 75 b8 6a   .<C|....a...(u.j
0020  f3 c7 08 00 34 5c 02 00 17 00 61 62 63 64 65 66   ....4\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 0d 56 ed 5c d4 00 25 b4 37 58 44 08 00 45 00   ..V.\..%.7XD..E.
0010  00 3c 38 a1 00 00 73 01 79 d0 b8 6a f3 c7 c0 a8   .<8...s.y..j....
0020  28 75 00 00 3c 5c 02 00 17 00 61 62 63 64 65 66   (u..<\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 3c 43 7d 00 00 80 01 61 f4 c0 a8 28 75 b8 6a   .<C}....a...(u.j
0020  f3 c7 08 00 33 5c 02 00 18 00 61 62 63 64 65 66   ....3\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 0d 56 ed 5c d4 00 25 b4 37 58 44 08 00 45 00   ..V.\..%.7XD..E.
0010  00 3c 38 d9 00 00 73 01 79 98 b8 6a f3 c7 c0 a8   .<8...s.y..j....
0020  28 75 00 00 3b 5c 02 00 18 00 61 62 63 64 65 66   (u..;\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 3c 43 7e 00 00 80 01 61 f3 c0 a8 28 75 b8 6a   .<C~....a...(u.j
0020  f3 c7 08 00 32 5c 02 00 19 00 61 62 63 64 65 66   ....2\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 0d 56 ed 5c d4 00 25 b4 37 58 44 08 00 45 00   ..V.\..%.7XD..E.
0010  00 3c 38 f4 00 00 73 01 79 7d b8 6a f3 c7 c0 a8   .<8...s.y}.j....
0020  28 75 00 00 3a 5c 02 00 19 00 61 62 63 64 65 66   (u..:\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 25 b4 37 58 44 00 0d 56 ed 5c d4 08 00 45 00   .%.7XD..V.\..E.
0010  00 3c 43 7f 00 00 80 01 61 f2 c0 a8 28 75 b8 6a   .<C.....a...(u.j
0020  f3 c7 08 00 31 5c 02 00 1a 00 61 62 63 64 65 66   ....1\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 0d 56 ed 5c d4 00 25 b4 37 58 44 08 00 45 00   ..V.\..%.7XD..E.
0010  00 3c 39 51 00 00 73 01 79 20 b8 6a f3 c7 c0 a8   .<9Q..s.y .j....
0020  28 75 00 00 39 5c 02 00 1a 00 61 62 63 64 65 66   (u..9\....abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

(04 Jun '12, 17:44) William Powell

that looks all pretty much O.K. I don't see a plausible reason why it does not work.

Now, there are only a few options left.

  • try connect your wireshark PC to a different port on the switch and sniff there
  • don't sniff the port of your client PC (Fa0/3). Try to sniff the port where your default gateway is connected
  • if there is any security software installed on the wireshark pc (Desktop Firewall, Antivirus, any other security software), disable that software and try again.
  • use another sniffer PC
(04 Jun '12, 21:11) Kurt Knochner ♦

Kurt, Thanks for all of your help with troubleshooting this problem.

I'll try your suggestions above, but I'm not hopeful.
Originally, we tried the same sniffing on a Windows 7 PC and had the same result with a different Cisco 2490 switch (configured in the same way).
I'm really hoping someone who has openssl installed will be able to try the tests in my original post and duplicate the results to eliminate the possibility that it is something in my network configuration.

(05 Jun '12, 08:39) William Powell

Do you have openssl installed on your PC? If you wanted to try the test for yourself, we got our OpenSSL installation from the following site: http://slproweb.com/products/Win32OpenSSL.html
and downloaded the Win32 OpenSSL v1.1.1c and Visual C++ Redistributable.

Thanks again for your help.

(05 Jun '12, 08:41) William Powell

Does anyone have openssl installed and is willing to try the openssl tests and wireshark capture indicated in the original question above?

(05 Jun '12, 08:42) William Powell

Done. It works as expected. There is no reason why it should not work. After all, you do see one half of the whole TCP connection in Wireshark.

Again, there must be a yet unknown problem with your sniffer setup. Either it's the switch or it's the sniffer PC. Try sniffing on the client PC, if nothing else works.

Very strange effect... I'm sorry, but I'm running out of ideas. Maybe someone else here wants to pick up?

(05 Jun '12, 10:09) Kurt Knochner ♦

Thanks for trying the test and confirming that something is going on on my network or my sniffer PC.
You've been a great help :)
I'll post if I figure out what is going on ...

(05 Jun '12, 12:12) William Powell

O.K. final option: Get a live image of BackTrack 5R2 (contains Wireshark) and run it on your sniffer PC.

http://www.backtrack-linux.org/tutorials/usb-live-install/

You can also try YUMI. It's a very nice tool to create a bootable flash drive with a ton of different linux systems (including BT5R2) on a stick.

http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

Boot your sniffer PC from the stick and use Wireshark. If that does not eliminate the problem, there is either something wrong with your switch, OR somebody sold you a filtering patch cable ;-)

(05 Jun '12, 12:25) Kurt Knochner ♦

What kind of software is running on the sniffer PC? There are quite a few issues with interfering software, one of which might cause this effect.

It is best to use a system as clean as possible to do the capturing. Running a LiveCD/USB-stick with a linux distribution (as Kurt suggested) is a good way to find out with your current Sniffer PC if it is indeed receiving all data from the Span port.

answered 05 Jun '12, 15:33 by SYN-bit ♦♦

Oh BTW, I also did run a test with OpenSSL against the SSL loopback server and saw traffic in both directions (captured on my client, not on a span-port):

0.000000 192.168.1.22 -> 184.106.243.199 TCP 65023 > 8100 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 TSval=626775089 TSecr=0 SACK_PERM=1
0.115303 184.106.243.199 -> 192.168.1.22 TCP 8100 > 65023 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 SACK_PERM=1 TSval=901301967 TSecr=626775089
0.115387 192.168.1.22 -> 184.106.243.199 TCP 65023 > 8100 [ACK] Seq=1 Ack=1 Win=65535 Len=0 TSval=626775090 TSecr=901301967
(05 Jun '12, 15:35) SYN-bit ♦♦

Finally...

After Kurt's and SYN-bit's suggestion to get a clean PC and Kurt's ability to do the openssl test successfully, I increased my focus on the sniffer PC and potential interfering software.

On the sniffing PC, Symantec Endpoint Protection is installed. I talked to our IT group and we examined the endpoint protection rules but did not find anything specifically related to port 8100. However, I found a computer on which I could temporarily disable the Symantec "Network Threat Protection", and I'm now able to see outgoing AND incoming packets on port 8100. Looks like I'll need to ask our IT group to provide a rule for the Endpoint Protection software to allow this port.

Thanks to everyone for their help to investigate this problem and finding a solution.

(06 Jun '12, 10:26) William Powell

Thanks for all the answers and good suggestions. They were helpful in tracking down the problem. Sorry to not have posted this answer sooner.

After SYN-bit proved that OpenSSL worked with the server, I continued to investigate with our IT department and found that the Symantec Endpoint Protection (on the Wireshark PC) had a filter that was denying incoming access to port 8100 (and other ports) for traffic not originating from the PC to that IP/port, resulting in Wireshark not being able to trace the returning packets.

(25 Sep '12, 13:35) William Powell

McAfee Users:

In McAfee there is a binding within the Interface settings that needs to be unchecked to allow for full TX & RX capture:

McAfee NDIS Intermediate Filter Miniport

Regards.

answered 25 Sep '12, 11:55 by Jamie_Atkins

Trend Micro Deep Secure users:

Uncheck "Trend Micro LightWeight Filter Driver" at the adapter.

(09 Apr, 03:31) kaj