Ask Your Question
0

USB Capture Of Ethernet Traffic Using Sharktap

asked 2019-07-11 20:06:09 +0000

JV gravatar image

I'm new to wireshark and sharktap so please forgive if this is a silly question or has been previously answered. I'm trying to capture Ethernet data between a HMI screen and a PLC using a Sharktap USB but have to send the data through a usb converter as my computer doesn't have an Ethernet port. The IP addresses of the HMI and PLC aren't showing up but rather I'm getting new IP addresses assigned by the host. Is there any way to see the original IP addresses so that I can more easily analyze the traffic? Thanks in advance for any help.

edit retag flag offensive close merge delete

Comments

Is your setup like this:

         Ethernet
HMI ---------------- PLC
             |
             |
         SharkTap
             |
             | USB
             |
           Laptop

Where does the Laptop USB to Ethernet adaptor fit in?

grahamb gravatar imagegrahamb ( 2019-07-11 20:36:29 +0000 )edit

The PLC is connected via a switch but otherwise yes. I also tried using the Ethernet tap on the Sharktap to run to a Ethernet to USB adapter and then to the laptop. Both methods yielded the same result.

JV gravatar imageJV ( 2019-07-12 13:06:31 +0000 )edit

UPDATE*

A coworker with a different laptop was able to capture the traffic as intended with the proper IP addresses. When he plugs the Sharktap into his laptop, "Ethernet" channel appears in the Wireshark main window. So now it's a question of does his computer have a plugin or driver that mine doesn't or did I miss an option on install?

JV gravatar imageJV ( 2019-07-12 19:24:57 +0000 )edit

According to http://www.midbittech.com/usb/USB%20S..., you may need to restart the capture driver. Also, which capture driver do you have installed (WinPcap or Npcap) vs. which one is installed on the laptop that works? If it's npcap, then you might need to "net stop npcap", "net start npcap" instead of "net stop npf", "net start npf". Alternatively, if the drivers differ between machines, you could try to uninstall the one that doesn't work and install the one that does?

cmaynard gravatar imagecmaynard ( 2019-07-12 19:47:13 +0000 )edit

I was using USBPcap. Wireshark also has "Npcap loopback adapter" but it never showed anything during capture. I will determine the difference between laptops and see where to go from there.

JV gravatar imageJV ( 2019-07-12 19:57:58 +0000 )edit

3 Answers

Sort by ยป oldest newest most voted
0

answered 2019-07-15 20:45:43 +0000

JV gravatar image

Final Update

The "turn it off and turn it back on again" strikes again. For whatever reason, uninstalling everything and reinstalling (nothing different on options selected) was the solution. I can see the true IP addresses and the packets of data are coming in properly. Thank you everyone for your help!

edit flag offensive delete link more
0

answered 2019-07-11 22:40:48 +0000

Guy Harris gravatar image

Reading the SharkTapUSB 10/100/1G Quick Start Guide, it appears that, if you plug the SharkTap into a computer's USB port, it will appear as a (USB-attached) Ethernet adapter if your operating system has a driver that supports the ASIX AX88179 Gigabit Ethernet Adapter chip they use, so you would just capture on that Ethernet adapter. No separate "USB converter" is required. They also indicate that both Windows and "recent Linux distributions" have drivers for that adapter chip.

edit flag offensive delete link more

Comments

My laptop does support the built in chip. I've tried both methods with the same results.

JV gravatar imageJV ( 2019-07-12 13:04:16 +0000 )edit
0

answered 2019-07-11 21:57:52 +0000

SYN-bit gravatar image

I took a look at the the website of the makers of the SharkTap. It seems that the SharkTap USB has a built-in USB-Ethernet adapter so you do not need to add an external one. What is the reason you are using a separate one? Did you also try using the built-in USB-ethernet adapter to capture on?

As for not seeing the IP adresses of the HMI and PLC, are they both directly connected to the SharkTap NETWORK interfaces? So no switches, hubs etc involved? If so, did you enable "Promiscuous mode" on the capture interface (the external USB-Ethernet adapter)? And do you know for sure this adapter supports "promiscuous mode"?

edit flag offensive delete link more

Comments

I've tried both the external and the built in on the Sharktap. Both rendered the same result. The system has a switch as well and I placed the Sharktap in between the HMI and the switch. I would have to look into whether or not the adapter supports promiscuous mode.

JV gravatar imageJV ( 2019-07-12 12:37:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-07-11 20:06:09 +0000

Seen: 257 times

Last updated: Jul 15