Ask Your Question
0

UDP Packets: visibility depends on IP address

asked 2024-05-11 00:44:49 +0000

biofloat gravatar image

I have a device that emits SYSLOG messages over a UDP address and port that I specify. If I specify an IP address inside my local router subnet, i.e., 192.168.50.xx (with a PC or Mac also inside, i.e., at another 192.168.50.yy), I can see the packets on WireShark.

If I change the device to specify an IP address outside my local router subnet (e.g., 52.2.xxx.yyy), they don't show up on Wireshark. However, I know they reach their destination (a SaaS logging service).

Note that I do see UDP packets from other devices in my home with Wireshark.

Note that the computers running Wireshare (PC, Mac) and device are all hardwired on same ethernet switch, which is connected to my home router through another switch. Firewall is off on both computers. All protocols are enabled in Wireshark. No other anti-virus software.

edit retag flag offensive close merge delete

Comments

Can you provide more information about the topology. I would expect the syslog device will send the packet to the gateway, which will use PAT to convert the source IP address to a public IP. Performing a traceroute from the syslog device to the public IP address is an alternative method for troubleshooting. It will indicate if the packet needs to be routed to the port you are using for packet captures.

BigFatCat gravatar imageBigFatCat ( 2024-05-11 08:20:18 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-05-12 14:50:02 +0000

SYN-bit gravatar image

Normally you would not be able to see packets on the Wireshark PC when they are sent between two other systems connected to the same switch (see: https://wiki.wireshark.org/CaptureSet...). The fact that you do see the syslog packets makes be believe the syslog-receiver does not generate (a lot of) packets, so the switch forgets on which port its mac-address is seen, this means syslog packets will be flooded to all ports until the syslog system needs to send a packet itself (either when it has something to share with the world, or when it needs to respond to ARP packets).

As the syslog packets to the SaaS service are sent over the default gateway, they are not seen on other ports as the gateway most likely continuously sents out packets, which means the switches know exactly which port to sent the traffic to and no flooding takes place.

The proper way to capture packets in a switched network would be to configure port mirroring to make sure the packets of interest are being sent to your Wireshark PC. See the mentioned link above.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2024-05-11 00:44:49 +0000

Seen: 838 times

Last updated: May 12