
Does Wireshark capture packets when the system is in hibernation/sleep?

asked 2017-12-21 12:43:49 +0000

this post is marked as community wiki


Does Wireshark capture packets when the system is in hibernation/sleep?


1 Answer


answered 2017-12-21 12:58:12 +0000

Jaap

No, is there any other program that keeps running?


Comments

Thanks for the update. My system is auto-waking from hibernation when connected to the LAN network, without any user interruption. I suspect some ARP packets are waking the machine from hibernation. Is there a way to verify the cause of the system auto-wake?

Your feedback will be appreciated!

I checked the Windows event logs, the last wake source and a few more possible sources, but nowhere is the cause of the auto-wake captured.

Thanks, Nagarjun

nagarjun031 ( 2017-12-21 19:24:31 +0000 )

Normally special Wake-on-LAN (WOL) packets are required to do that, not just ARP ones. To find out whether the WOL ones are being sent to your sleeping machine, you have to use another machine to capture on the path between the sleeping machine and the rest of the network, using a hub or a port-mirroring switch.

sindy ( 2017-12-21 19:55:24 +0000 )

Normally special Wake-on-LAN (WOL) packets are required to do that, not just ARP ones.

Some network adapters can be configured to treat non-WOL packets as wakeup packets, so that an incoming ARP packet asking for that host's MAC address, and incoming unicast packets, will wake the machine up, so the machine can go to sleep and still respond to incoming packets. As I remember from looking at this a while ago, Windows supports that.

Guy Harris ( 2017-12-21 20:10:47 +0000 )

an incoming ARP packet asking for that host's MAC address, and incoming unicast packets, will wake the machine up

Learning something new every day... however, this does not change the detection method needed. Run a capture on the external machine, hibernate the one which gets woken up, and stop the capture as soon as it gets woken. Then, some of the packets sent towards the sleeping machine - WOL packets, ARP requests, maybe unicast packets (sent towards a cached MAC?) - just before those sent from its MAC are the suspects. The longer it could sleep the better to find the suspects.

sindy ( 2017-12-21 20:23:25 +0000 )

sent towards a cached MAC?

Not necessarily - that's why the adapters let you set a "wake me up" pattern that includes an ARP request asking for your MAC address. See, for example, Power Management for Network Devices in Windows 7.

Guy Harris ( 2017-12-21 20:41:14 +0000 )
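The detection method from the comments above, as an added example (not code from the thread or from Wireshark): given frames captured on another machine, it lists the WOL magic packets, ARP requests for the host's address and unicast frames seen shortly before the sleeping host's first transmission. The input format of `(timestamp, raw Ethernet frame)` pairs, the 10-second window, the function names and all addresses are assumptions made for illustration.

```python
import struct

def classify(frame, mac, ip):
    """Return why a raw Ethernet frame could wake the host (mac, ip), else None."""
    if len(frame) < 14 or frame[6:12] == mac:
        return None
    ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
    # WOL magic packet: 6 x 0xFF, then the target MAC 16 times, anywhere in the payload
    if b"\xff" * 6 + mac * 16 in payload:
        return "wol-magic"
    # ARP request (opcode 1) whose target protocol address is the host's IPv4 address
    if ethertype == 0x0806 and payload[6:8] == b"\x00\x01" and payload[24:28] == ip:
        return "arp-request"
    # Any other frame addressed to the host's MAC
    return "unicast" if frame[:6] == mac else None

def suspects(frames, mac, ip, window=10.0):
    """frames: (timestamp, raw_frame) pairs in capture order, host asleep at the start."""
    seen = []
    for ts, frame in frames:
        if frame[6:12] == mac:  # first frame sent from the host's MAC: it has woken up
            return [(t, why) for t, why in seen if ts - t <= window]
        why = classify(frame, mac, ip)
        if why:
            seen.append((ts, why))
    return []  # host never transmitted, so no wake-up in this capture

# Constructed sample capture (documentation addresses, not from the thread)
HOST_MAC, PEER_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
HOST_IP, PEER_IP, OTHER_IP = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]), bytes([192, 0, 2, 99])
BCAST = b"\xff" * 6

def eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload

def arp_request(target_ip):
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, PEER_MAC, PEER_IP, b"\x00" * 6, target_ip)
    return eth(BCAST, PEER_MAC, 0x0806, body)

SAMPLE = [
    (0.0, arp_request(OTHER_IP)),                                      # not for the host
    (100.0, arp_request(HOST_IP)),                                     # outside the window
    (118.0, eth(BCAST, PEER_MAC, 0x0842, BCAST + HOST_MAC * 16)),      # WOL magic packet
    (119.5, eth(HOST_MAC, PEER_MAC, 0x0800, b"\x45" + b"\x00" * 19)),  # unicast IPv4
    (120.0, eth(BCAST, HOST_MAC, 0x0806, b"\x00" * 28)),               # host transmits: awake
]

if __name__ == "__main__":
    for ts, why in suspects(SAMPLE, HOST_MAC, HOST_IP):
        print(f"{ts:8.1f}s  {why}")
```

A longer sleep before the wake-up, as suggested in the thread, makes it easier to choose a window that separates the real trigger from routine background traffic.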


Stats

Asked: 2017-12-21 12:43:49 +0000

Seen: 2,088 times

Last updated: Dec 22 '17