Capturing 3G wireless modem traffic.
How to capture outgoing IP traffic on 3G USB Modem? I'm getting incoming IP traffic, but outgoing is limited to traffic from 'host' to '1.2.3' which is usb device. All outgoing traffic is made on protocol USB/AT or 0x007d.
That sounds as if the USB dissector could not handle the outgoing data properly, and thus the highest dissected layer remains USB - the addresses shown in packet list are normally those of the highest transport layer found. Try to start capturing before inserting the modem so that the enumeration phase is captured as well. If that doesn't help, please publish that capture (i.e. the one which includes modem enumeration) so that we could have a look at what's going on. Capture files cannot be directly uploaded here - use Cloudshark or any plain file sharing service, and edit your Question with a login-free link to it.
Here's the capture https://expirebox.com/download/c7376b...
Now I am a bit confused. In the original Question, you wrote
but in this capture even incoming IP traffic is not available, only a bunch of "ppp malformed" packets, not all of which are even candidates for IP traffic as they are still part of the ppp negotiation phase (e.g. packets 619-622). What most, if not all, of them have in common is that the last octet (which should be part of a 16-bit FCS like it is for those non-malformed PPP packets in the capture) is 0x7e, and the length decoded from their contents differs by orders of magnitude from the actually captured length.
So the first question is - if you open this capture file yourself, can you see the "incoming IP traffic" as you stated in the Question? If so, what Wireshark version do you use?
What I forgot to ...(more)
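The two symptoms diagnosed above (a frame whose last octet is the 0x7e flag instead of the second FCS byte, and a control-protocol length field that disagrees with the captured length) can be checked mechanically. The following is an added example, not code from the thread or from Wireshark; it implements the FCS-16 of RFC 1662 and assumes frames carry an uncompressed FF 03 address/control field, with a constructed LCP frame as sample input.

```python
PPP_FLAG = 0x7E
FCS_INIT, FCS_GOOD = 0xFFFF, 0xF0B8   # RFC 1662: residual left by a valid FCS
CONTROL_PROTOCOLS = {0xC021: "LCP", 0x8021: "IPCP"}

# Reflected CRC-16 table (poly 0x8408), i.e. the FCS-16 of RFC 1662 appendix C.
FCS_TABLE = []
for _b in range(256):
    for _ in range(8):
        _b = (_b >> 1) ^ 0x8408 if _b & 1 else _b >> 1
    FCS_TABLE.append(_b)

def fcs16_running(data: bytes, fcs: int = FCS_INIT) -> int:
    """Running FCS; equals FCS_GOOD when data already ends in a valid FCS."""
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs

def fcs16(data: bytes) -> int:
    """FCS to append: one's complement, transmitted least-significant byte first."""
    return fcs16_running(data) ^ 0xFFFF

def check_frame(frame: bytes) -> tuple:
    """Classify one captured frame; assumes an uncompressed FF 03 address/control."""
    if len(frame) < 6:
        return False, "too short"
    if fcs16_running(frame) != FCS_GOOD:
        if frame[-1] == PPP_FLAG:
            return False, "last octet is the 0x7e flag, FCS missing (truncated URB?)"
        return False, "bad FCS"
    proto = int.from_bytes(frame[2:4], "big")
    if proto in CONTROL_PROTOCOLS:   # code, id, 16-bit length follow the protocol
        if len(frame) < 10:
            return False, f"{CONTROL_PROTOCOLS[proto]} header truncated"
        claimed = int.from_bytes(frame[6:8], "big")
        actual = len(frame) - 4 - 2       # minus addr/ctrl/proto and the FCS
        if claimed != actual:
            return False, f"{CONTROL_PROTOCOLS[proto]} length {claimed} != {actual}"
    return True, "ok"

# Constructed LCP Configure-Request (option MRU=1500) with a correct FCS appended.
LCP_PAYLOAD = bytes.fromhex("ff03c02101010008010405dc")
GOOD_FRAME = LCP_PAYLOAD + fcs16(LCP_PAYLOAD).to_bytes(2, "little")
TRUNCATED_FRAME = LCP_PAYLOAD + bytes([PPP_FLAG])    # FCS lost, flag captured instead

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("truncated", TRUNCATED_FRAME)]:
        print(name, check_frame(frame))
```

Running it over the bytes of each "ppp malformed" packet exported from the capture shows which of the two symptoms applies to that packet.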
I posted the capture that occurred before any incoming IP traffic happened. Some USB or USB/AT packets contain info about Microsoft domain that 'host' is trying to reach. This capture formerly included a lot of sensitive data including IMSI and filtering it all away took me a lot of time. What is the main issue that causes the outgoing IP traffic not to show up? PS: USBPcapCMD capture didn't show any outgoing IP traffic.
How do you expect anyone to answer that question if they haven't seen a packet like that?
One possibility is that USBPcap has not saved the captured URB properly. Another possibility is that the Wireshark dissector was unable to dissect it for some other reason (maybe an unexpected value of some bit somewhere in the preceding packets).
If the information you don't want to publish is available in plaintext in those packets, you can filter them out using
!(frame contains "first-string-you-don't-want-to-publish") and !(frame contains "another-string-you-don't-want-to-publish")
and then go File -> Export Specified Packets -> Displayed
to save the "harmless" packets into a new capture file and post that new capture, but if the Microsoft domain name is available somewhere in the undissected outgoing PPP, there is no other way than configure the machine before capturing ...(more)
I managed to get another modem which worked fine with Wireshark. Thank you for your time and effort Sindy. Since I'm able to collect incoming and outgoing IP traffic I realised how often Windows communicates with Microsoft servers. I found lists of IPs and domains that Windows reaches for telemetry here and here. As I'm looking for something else, I'd like to filter these out from my capture. Is there an easy way to add all of these IPs/domains to filters?