following a conversation which begins with LLMNR
I have a printer to which I am connecting wirelessly, and I need to capture data being sent to it. If I ping the printer, I get a bunch of packets showing that traffic, but if I send data, in this case by using a utility to send a hex file, I don't see any traffic at all. The printer does give me the page I expect, so I know the data transfer is working.
Again, in this case, both the computer and printer are connected to a router wirelessly (a D-Link DIR-867 retail device if that is useful to know), and the computer connects at 5GHz, whereas the printer connects at 2.5 GHz, but given that both pinging and printing work, it doesn't seem that the wireless part makes a difference. Both devices are on the same subnet.
Enlighten me. TIA
edit: I have come across mention that there exists an address cache similar to, but separate from, the DNS cache. I'm wondering if there also exists a tool to display the contents of that cache.
here's a theory: if Wireshark is not looking at the LLMNR cache, then the conversation "disappears". Is that possible? Does this require a plugin which picks up the address resolved without DNS so that Wireshark can follow it? That would make LLMNR incredibly dangerous, because it would place any such conversation into "stealth" mode.
Is there a different scanner with the ability to follow such a conversation built in?
then the conversation "disappears"
I could only see something like this happening if you had specific filters that required name resolution and this resolution was failing.
It's common to use IP addresses and/or MAC addresses to isolate traffic so that would be recommended here. Your description is not that clear; you have a PC and a printer - I assume you are capturing from this PC on its wireless interface, NOT in monitor mode, and you can observe pings to the printer. Are we also to assume that this same PC is using the utility to send a file to the printer (in contrast to another device sending the data)? If so, the traffic has to be there and the easiest way I can think of is to filter by printer IP. Are you using Google print or some other service? That could have the effect of not sending ...(more)
computer A is sending data directly to the printer, and is connected to the subnet through the 2.5 GHz wireless band. It can ping both the printer and the gateway for that subnet.
computer B is running Wireshark 4.2.4 and is on the same subnet, but connecting through the 5 GHz wireless band. It can also ping both the printer and the gateway.
Computers A and B can ping each other.
The printer is also connecting through the 2.5 GHz band, and has an IP in the same subnet.
The data being sent from computer A is being sent by a command line utility which takes the target IP address as a parameter, so it seems to me that no outside print service is involved.
My understanding of LLMNR, which could easily be wrong, is that a request is only sent out if a DNS request fails.
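Two points in the thread above lend themselves to a worked example: the answer's advice to isolate traffic by IP or MAC address rather than by anything that depends on name resolution, and the question of how a name resolved over LLMNR (a DNS-shaped message on UDP port 5355, multicast to 224.0.0.252) relates to what a capture filter can match. The script below is an added example, not code from the thread or from Wireshark: it parses constructed LLMNR query and response bytes, learns the name-to-IP mapping from the response, and then applies the equivalent of the Wireshark display filter `ip.addr == <printer ip>` to a handful of constructed frame records. All addresses, the transaction id, the hostname "printer" and the print-job port 9100 are assumptions made up for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

LLMNR_PORT = 5355
LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group LLMNR queries are sent to


@dataclass
class LlmnrMessage:
    txid: int
    is_response: bool
    names: List[str]                 # names asked about in the question section
    answers: List[Tuple[str, str]]   # (name, IPv4 address) from A records in the answer section


def _read_name(buf: bytes, offset: int) -> Tuple[str, int]:
    """Decode a DNS-style label sequence at offset; follows compression pointers.
    Returns (dotted name, offset just past the name as written at the original position)."""
    labels, jumped, end = [], False, offset
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            pointer = struct.unpack_from("!H", buf, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:                                 # root label terminates the name
            if not jumped:
                end = offset
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_llmnr(payload: bytes) -> LlmnrMessage:
    """Parse the UDP payload of an LLMNR message (same wire layout as a DNS message)."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", payload, 0)
    offset, names, answers = 12, [], []
    for _ in range(qdcount):
        name, offset = _read_name(payload, offset)
        offset += 4                                     # skip QTYPE and QCLASS
        names.append(name)
    for _ in range(ancount):
        name, offset = _read_name(payload, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", payload, offset)
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:                   # A record: 4-byte IPv4 address
            answers.append((name, ".".join(str(b) for b in rdata)))
    return LlmnrMessage(txid, bool(flags & 0x8000), names, answers)


# Constructed sample packets (assumed values, not captured from the poster's network).
QUERY = (
    b"\x12\x34"                          # transaction id
    b"\x00\x00"                          # flags: query
    b"\x00\x01\x00\x00\x00\x00\x00\x00"  # 1 question, 0 answers, 0 authority, 0 additional
    b"\x07printer\x00"                   # QNAME "printer"
    b"\x00\x01\x00\x01"                  # QTYPE A, QCLASS IN
)
RESPONSE = (
    b"\x12\x34" b"\x80\x00"              # same id, flags: response
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # 1 question, 1 answer
    b"\x07printer\x00\x00\x01\x00\x01"   # question repeated
    b"\xc0\x0c"                          # answer NAME: pointer to offset 12 (the question name)
    b"\x00\x01\x00\x01"                  # TYPE A, CLASS IN
    b"\x00\x00\x00\x1e"                  # TTL 30 seconds
    b"\x00\x04" b"\xc0\x00\x02\x0a"      # RDLENGTH 4, RDATA 192.0.2.10
)


@dataclass
class Frame:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes = b""


# Constructed frame records standing in for a capture on the poster's subnet (assumed addresses).
FRAMES = [
    Frame("192.0.2.20", LLMNR_GROUP, "udp", 51000, LLMNR_PORT, QUERY),    # "who is printer?"
    Frame("192.0.2.10", "192.0.2.20", "udp", LLMNR_PORT, 51000, RESPONSE),  # printer answers
    Frame("192.0.2.20", "192.0.2.10", "icmp", 0, 0),                        # ping
    Frame("192.0.2.20", "192.0.2.10", "tcp", 51001, 9100),                  # print job (port assumed)
    Frame("192.0.2.20", "192.0.2.1", "udp", 51002, 53),                     # unrelated DNS to gateway
]


def llmnr_resolutions(frames: List[Frame]) -> Dict[str, str]:
    """Collect {name: ip} from LLMNR responses, so a name can be turned into an IP filter."""
    learned = {}
    for f in frames:
        if f.proto == "udp" and LLMNR_PORT in (f.sport, f.dport) and f.payload:
            msg = parse_llmnr(f.payload)
            if msg.is_response:
                for name, ip in msg.answers:
                    learned[name.lower()] = ip
    return learned


def select_by_host(frames: List[Frame], ip: str) -> List[Frame]:
    """Equivalent of the Wireshark display filter ip.addr == <ip>: no name lookup involved."""
    return [f for f in frames if ip in (f.src, f.dst)]


if __name__ == "__main__":
    printer_ip = llmnr_resolutions(FRAMES)["printer"]
    for f in select_by_host(FRAMES, printer_ip):
        print(f.proto, f.src, "->", f.dst, f.dport)
```

The point the example makes is that the LLMNR exchange, when it happens at all, is ordinary UDP traffic on port 5355 that a capture filter such as `udp port 5355` will show; once the responding address is known, the print traffic itself is selected by that address, which does not depend on any cache on the capturing machine. If the frames in question never reach the capturing interface (for example because the capturing PC is not the sender and is not in monitor mode), no filter will make them appear.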