Hidden/unreported packets?
I have a mystery in which it appears Wireshark is seeing some packets from a device but not others, which I didn't think was possible.
The device (actually plural since I've now seen it on two identical devices) is an Ingenico credit card terminal. We were working with the vendor's customer support to switch the device(s) from using a phone line to using the network. I used nmap to discover the device IPv4 and MAC addresses and confirm it was connected to the network. The phone line to each device was disconnected. Wireshark and nmap both identified the MAC address prefixes as Ingenico.
Initially I filtered the Wireshark display by the device's IP address (ip.addr==X.X.X.X, IPv4 only according to the server address entered into the device for the download) but later switched to filtering by MAC address (eth.addr==XX:XX:XX:XX:XX:XX) when I didn't see all the traffic.
What's puzzling me is that I could ping the device from a Windows 10 system on the same network switch and Wireshark showed the request and response packets. However, I didn't see any packets from connections initiated by the device. The switch to using the network involved downloading a configuration file over the network and running a test transaction.
We also initiated pings through the device admin interface to 8.8.8.8. Wireshark didn't show any packets for downloading the new configuration file, the test transaction or the pings to the Google address initiated from the device. Afterwards it showed more ping traffic to the device from the computer on the same network switch. So I could see two blocks of ping packets from before and after the download, test transaction and device-generated pings, but no packets for that other activity.
I also later saw an ARP packet from the device looking for the router. I checked the DHCP leases and see only the two IP address/Ingenico MAC addresses I know about.
I hate to think I'm about to smack my head, but what explanation might there be for not being able to see the other traffic?
Ethernet capture setup - if you made a diagram of your network, which picture would it match on the Wiki page?
The traffic that you can see - is it unicast or broadcast? The ARP wiki page doesn't talk much about broadcast but it typically is. If the remaining protocols are Unicast, how would they be handled in your network architecture?
Is this traffic on Ethernet, Wi-Fi, or some other link-layer type?
If it's Wi-Fi, does this traffic display in Wireshark as Ethernet traffic or as 802.11 traffic?
I would try to determine what type of port the device is plugged into. ARP is a broadcast; it is sent to all ports. Only a hub sends traffic to all ports.
The capture setup is Switched Media. Both the CC terminal and the Windows 10 system running both Wireshark and the Windows PowerShell used to ping the CC terminal are hardwired through the same wall faceplate to the same patch panel to the same TP-Link 24-port Smart Switch (no VLANs). The switch is hardwired via the patch panel to a Ubiquiti EdgeRouter ER-X which load-balances a pair of broadband connections. So Wireshark captures pings from the Windows 10 system to the CC terminal but is not capturing traffic from the CC terminal to the vendor's server. It is however capturing other traffic on the network both local and to the WAN for other systems on the network. It's also capturing IPv6 traffic to the WAN routed through a Hurricane Electric Tunnel.
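The symptom described in this thread (the terminal's ARP broadcasts and its replies to the capture host are visible, but none of its traffic to the vendor's server is) is what a switched port looks like without mirroring. The following is an added example, not code from the thread: it parses raw Ethernet frames and buckets everything sent by the terminal's MAC by how a switch would forward it. The MAC addresses and the frames are constructed placeholders.

```python
import struct
from collections import Counter

BROADCAST = b"\xff" * 6

def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))

def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Assemble a minimal Ethernet II frame (used only to construct sample input)."""
    return struct.pack("!6s6sH", mac_bytes(dst), mac_bytes(src), ethertype) + payload

def classify_frames(frames, device_mac: str, capture_mac: str) -> Counter:
    """Bucket every frame *sent by* device_mac by how a switch forwards it:
    broadcast/multicast reach every port, unicast only the port owning dst."""
    dev, me = mac_bytes(device_mac), mac_bytes(capture_mac)
    counts = Counter()
    for frame in frames:
        if len(frame) < 14:          # runt frame, no full Ethernet header to parse
            continue
        dst, src, _ethertype = struct.unpack("!6s6sH", frame[:14])
        if src != dev:
            continue
        if dst == BROADCAST:
            counts["broadcast"] += 1
        elif dst[0] & 0x01:          # I/G bit set: group (multicast) address
            counts["multicast"] += 1
        elif dst == me:
            counts["unicast_to_capture_host"] += 1
        else:
            counts["unicast_to_others"] += 1
    return counts

def looks_like_unmirrored_switch_port(counts: Counter) -> bool:
    """True when the device's broadcasts and/or its replies to us are seen, but
    none of its unicast to any third party: the classic switched-media symptom."""
    seen_something = counts["broadcast"] + counts["unicast_to_capture_host"] > 0
    return seen_something and counts["unicast_to_others"] == 0

# Constructed sample capture (not real terminal traffic); MACs are placeholders.
TERMINAL = "00:00:5e:00:53:01"       # the card terminal
CAPTURE_HOST = "00:00:5e:00:53:02"   # Windows box running Wireshark
ROUTER = "00:00:5e:00:53:fe"         # default gateway
SAMPLE_CAPTURE = [
    build_frame("ff:ff:ff:ff:ff:ff", TERMINAL, 0x0806, b"ARP who-has router"),  # broadcast
    build_frame(CAPTURE_HOST, TERMINAL, 0x0800, b"ICMP echo reply"),            # reply to our ping
    build_frame(CAPTURE_HOST, ROUTER, 0x0800, b"unrelated traffic"),            # not from terminal
]
# The terminal's download from the vendor would be unicast to ROUTER's MAC; on a
# switch without port mirroring it never reaches our port, so it is absent here.

if __name__ == "__main__":
    c = classify_frames(SAMPLE_CAPTURE, TERMINAL, CAPTURE_HOST)
    print(dict(c), looks_like_unmirrored_switch_port(c))
```

Run it against frames read from your own capture instead of SAMPLE_CAPTURE; if unicast_to_others stays at zero while broadcast is non-zero, the capture port is not seeing the device's other conversations.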
See if your switch supports port mirroring: "How to configure Port Mirror on TP-Link Easy Smart Switches?".
The Wireshark wiki calls it monitor mode.