
How to avoid traffic generated by the capturing laptop?

asked 2023-07-20 18:12:06 +0000

lacv2k

Dear friends

This is the scenario: There is a wireless Ethernet connection between a Modbus client and a server. There is an administrable L2 switch connecting them. I need to capture and analyze the traffic between both pieces of equipment using a laptop with Wireshark installed and a physical Ethernet connection to the administrable switch.

The normal procedure is to configure a mirror port in the L2 switch, mirroring the traffic of the connection port to the client (or server), and connecting to this mirror port.

After the capture is done, the packet analysis shows the traffic generated between client and server as expected, but it also shows traffic generated by the connection of the laptop to the switch (shows the MAC / IP of the laptop). Also, I can detect that some of the packets generated by the laptop go through the wireless connection.

Probably you would advise using a filter to avoid capturing the traffic generated by the laptop, applied after the capture, which solves the analysis problem, but in this particular case it is required to avoid the traffic generated by the laptop during the capture, because the wireless link is bandwidth limited (it is an industrial 400 MHz radio link of 170 kbps), so it is very sensitive to any additional traffic.

So, in this scenario my question is what would be the correct way (equipment, connection, configuration) for a "strictly hearing" capturing procedure, avoiding any traffic generated by the connection of the capturing laptop. Is it possible in the first place?

Thank you in advance for your help!


1 Answer


answered 2023-07-20 20:47:40 +0000

Jaap

Assuming you work on a Windows laptop (you didn't specify), the trick is to go into the adapter properties, or whatever it's called, and disable all services, protocols, etc. attached to that interface. This way it becomes idle, i.e. won't send traffic.


Comments

It may break things you may rely on as a side effect. And make sure you take notes of what you removed if you want it to be restored later.

hugo.vanderkooij (2023-07-21 07:10:35 +0000)

Don't remove things, just uncheck the bindings; see @Jasper's series on the Network Capture Playbook, Part 3, in the section "Passiveness".

grahamb (2023-07-21 09:18:24 +0000)

Thank you for your answer and further clarifications, friends. I do use Windows, so your answer applies! I understand the procedure. Excellent precision by grahamb, I will follow the indications and post if there are further issues. Thanks a lot!

lacv2k (2023-07-21 17:55:49 +0000)
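
The approach from the answer and comments (uncheck the adapter bindings, and keep a record so they can be restored) can be scripted with the Windows NetAdapter cmdlets. This is an added example, not code from the thread; the adapter name `Capture`, the backup path, and the function names are hypothetical, and it assumes an elevated session with Npcap as the capture driver, whose binding display name contains "Npcap".

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
$nic    = 'Capture'                                   # hypothetical adapter name
$backup = Join-Path $env:TEMP "$nic-bindings.csv"     # hypothetical backup file

function Disable-CaptureNicBindings {
    # Record the current binding state first, so it can be restored later.
    Get-NetAdapterBinding -Name $nic -AllBindings |
        Select-Object Name, DisplayName, ComponentID, Enabled |
        Export-Csv -Path $backup -NoTypeInformation

    # Uncheck every enabled binding except the capture driver itself.
    # Assumption: the Npcap binding's display name contains "Npcap".
    Get-NetAdapterBinding -Name $nic -AllBindings |
        Where-Object { $_.Enabled -and $_.DisplayName -notlike '*Npcap*' } |
        ForEach-Object {
            Disable-NetAdapterBinding -Name $nic -ComponentID $_.ComponentID
        }

    # Show the result: only the capture driver should still be enabled.
    Get-NetAdapterBinding -Name $nic -AllBindings |
        Format-Table DisplayName, ComponentID, Enabled -AutoSize
}

function Restore-CaptureNicBindings {
    # Re-enable exactly the bindings that were enabled before the capture.
    # Import-Csv returns strings, so compare against the text 'True'.
    Import-Csv -Path $backup |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object {
            Enable-NetAdapterBinding -Name $nic -ComponentID $_.ComponentID
        }
}

# Before connecting the laptop to the mirror port:
#   Disable-CaptureNicBindings
# After the capture is finished:
#   Restore-CaptureNicBindings
```

Running the disable step before plugging into the mirror port keeps the laptop's protocols from sending anything at link-up; a short test capture on the interface confirms that no frames carry the laptop's own MAC address as source.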

Stats

Asked: 2023-07-20 18:12:06 +0000

Seen: 810 times

Last updated: Jul 20 '23