Why can't I see traffic between another computer and its Ethernet peripheral?

asked 2022-08-30 12:26:30 +0000

Magicbean gravatar image

updated 2022-08-30 13:36:56 +0000

grahamb gravatar image

I have a Windows 11 PC A connected to an Ethernet switch. Also connected to the switch is a CAN-bus-to-Ethernet bridge. PC A sends and receives TCP packets (mostly) successfully to the CAN-Ethernet bridge.

For some reason I don't understand I can't run npcap on computer A so I have also connected two other computers B and C to the same Ethernet switch both running Wireshark.

I can ping the CAN-Ethernet bridge form PCs B and C. But why can't I see any TCP packets going between PC A and the CAN-Ethernet bridge?

If I ping the CAN-Ethernet bridge, I can see the pings in Wireshark but only on the laptop doing the pinging. I don't seem to be able to capture any packets going between PC A and the CAN-Ethernet bridge (although they are communicating with each other) with WireShark on computers B or C.

If, however, I run the application on PC B or C as well as WireShark, then that computer can see the traffic between the application and the CAN-Ethernet bridge.

What do I have to do to be able to able to see the TCP packets on a computer which isn't communicating with the CAN-Ethernet bridge?


answered 2022-08-30 13:14:31 +0000

Jaap gravatar image

updated 2022-08-30 13:14:48 +0000

i.e. it's a switch, you will normally see only traffic that traverses the switch ports you're capturing on, so neither PC B or C will see the traffic between PC A and the CAN Ethernet bridge.

grahamb gravatar imagegrahamb ( 2022-08-30 13:39:04 +0000 )edit

Ah ok, thanks @grahamb, I didn't realise that; I'm sure I had this working many years ago so I started thinking it should work. I have just looked it up again and found that it used to work but now is generally not possible so thank you for pointing me in the right direction.

Magicbean gravatar imageMagicbean ( 2022-08-30 15:22:54 +0000 )edit

You need to create a span port on your switch. (OR whatever it is called by your gear in use.)

hugo.vanderkooij gravatar imagehugo.vanderkooij ( 2022-08-31 05:59:47 +0000 )edit

Any broadcast type traffic should still be visible.

ajaznawaz gravatar imageajaznawaz ( 2022-09-01 08:46:20 +0000 )edit

