Does Wireshark captures the packets when system is in hibernation/Sleep?
Does Wireshark captures the packets when system is in hibernation/Sleep?
asked 2017-12-21 12:43:49 +0000
This post is a wiki. Anyone with karma >750 is welcome to improve it.
Does Wireshark captures the packets when system is in hibernation/Sleep?
No, is there any other program that keeps running?
Thanks for the update. My system is getting auto-wake from hibernation when I connected with LAN network without any user interruption. I am suspecting some ARP packets are waking the machine from hibernation. Is there a way to verify the cause for the system auto-wake.??
You feedback will be appreciated..!!
I checked for the the windows event logs, last wake source and few more possible sources but no where it's capturing the cause for the auto-wake.
Thanks, Nagarjun
Normally special Wake-on-LAN (WOL) packets are required to do that, not just ARP ones. To find out whether the WOL ones are being sent to your sleeping machine, you have to use another machine to capture on the path between the sleeping machine and the rest of the network, using a hub or a port-mirroring switch.
Normally special Wake-on-LAN (WOL) packets are required to do that, not just ARP ones.
Some network adapters can be configured to treat non-WOL packets as wakeup packets, so that an incoming ARP packet asking for that host's MAC address, and incoming unicast packets, will wake the machine up, so the machine can go to sleep and still respond to incoming packets. As I remember from looking at this a while ago, Windows supports that.
an incoming ARP packet asking for that host's MAC address, and incoming unicast packets, will wake the machine up
Learning something new every day... however, this does not change the detection method needed. Run a capture on the external machine, hibernate the one which gets woken up, and stop the capture as soon as it gets woken. Then, some of the packets sent towards the sleeping machine - WOL packets, ARP requests, maybe unicast packets (sent towards a cached MAC?) - just before those sent from its MAC are the suspects. The longer it could sleep the better to find the suspects.
sent towards a cached MAC?
Not necessarily - that's why the adapters let you set a "wake me up" pattern that includes an ARP request asking for your MAC address. See, for example, Power Management for Network Devices in Windows 7.
Please start posting anonymously - your entry will be published after you log in or create a new account.
Asked: 2017-12-21 12:43:49 +0000
Seen: 2,445 times
Last updated: Dec 22 '17