
following a conversation which begins with LLMNR

asked 2024-05-20 13:45:01 +0000

roadlesstraveled

updated 2024-05-21 04:05:09 +0000

I have a printer to which I am connecting wirelessly, and I need to capture data being sent to it. If I ping the printer, I get a bunch of packets showing that traffic, but if I send data, in this case by using a utility to send a hex file, I don't see any traffic at all. The printer does give me the page I expect, so I know the data transfer is working.

Again, in this case, both the computer and printer are connected to a router wirelessly (a D-Link DIR-867 retail device if that is useful to know), and the computer connects at 5GHz, whereas the printer connects at 2.5 GHz, but given that both pinging and printing work, it doesn't seem that the wireless part makes a difference. Both devices are on the same subnet.

Enlighten me. TIA

edit: I have come across mention that there exists an address cache similar to, but separate from, the DNS cache. I'm wondering if there also exists a tool to display the contents of that cache.

Here's a theory: if Wireshark is not looking at the LLMNR cache, then the conversation "disappears". Is that possible? Does this require a plugin which picks up the address resolved without DNS so that Wireshark can follow it? That would make LLMNR incredibly dangerous, because it would place any such conversation into "stealth" mode.

Is there a different scanner with the ability to follow such a conversation built in?



then the conversation "disappears"

I could only see something like this happening if you had specific filters that required name resolution and this resolution was failing.

It's common to use IP addresses and/or MAC addresses to isolate traffic, so that would be recommended here. Your description is not that clear; you have a PC and a printer - I assume you are capturing from this PC on its wireless interface, NOT in monitor mode, and you can observe pings to the printer. Are we also to assume that this same PC is using the utility to send a file to the printer (in contrast to another device sending the data)? If so, the traffic has to be there and the easiest way I can think of is to filter by printer IP. Are you using Google Print or some other service? That could have the effect of not sending ...(more)

Bob Jones ( 2024-05-21 11:19:44 +0000 )

Computer A is sending data directly to the printer, and is connected to the subnet through the 2.5 GHz wireless band. It can ping both the printer and the gateway for that subnet.

Computer B is running Wireshark 4.2.4 and is on the same subnet, but connecting through the 5 GHz wireless band. It can also ping both the printer and the gateway.

Computers A and B can ping each other.

The printer is also connecting through the 2.5 GHz band, and has an IP in the same subnet.

The data being sent from computer A is being sent by a command line utility which takes the target IP address as a parameter, so it seems to me that no outside print service is involved.

My understanding of LLMNR, which could easily be wrong, is that a request is only sent out if a DNS request fails.

roadlesstraveled ( 2024-05-21 15:48:35 +0000 )

1 Answer


answered 2024-05-21 17:05:12 +0000

Bob Jones

With the updated configuration information, this is a common issue of capture setup. The source of the data to the printer is most likely using unicast communications to send data to the printer; another host, even when on the same subnet, will not usually receive that unicast data unless actions are taken. See the link on capture setup for some ideas on how you might go about this.

The wireless infrastructure will not forward unicast frames destined for other hosts directly to a third party; even if that third party can observe the frames in the air, which it might be able to, it will not pass them up the network stack without some action - might need configuration, setup, possible new hardware, etc.

Best thing to do is decide what the end goal is - some ideas - do you want to verify the traffic sent to the printer? If so, move Wireshark to the sending host directly instead of just some other host on the network.

Do you want to verify what the printer is receiving after network traversal? Then move the printer off wireless to wired, and install a network tap right at the printer. If it is a wireless printer only, consider installing a wireless capture system that supports monitor mode and has some decryption capability.

Other options of varying complexity are available depending on the actual problem to solve.

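The capture-placement point made in the answer above, as an added example that is not part of the original thread: it sorts captured frames by destination MAC to show why a third host sees the LLMNR multicast and its own pings but not the unicast print job. The MAC addresses and both sample captures are constructed, and frames are assumed to carry Ethernet headers, as a non-monitor-mode wireless capture presents them.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")
LLMNR_V4_MAC = bytes.fromhex("01005e0000fc")  # group MAC for 224.0.0.252 (LLMNR, IPv4)

def classify(frame: bytes, local_mac: bytes) -> str:
    """Label a frame by its destination MAC relative to the capturing host."""
    if len(frame) < 14:                # shorter than an Ethernet header
        return "truncated"
    dst, src = frame[0:6], frame[6:12]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                  # I/G bit set: group (multicast) address
        return "llmnr-multicast" if dst == LLMNR_V4_MAC else "multicast"
    if local_mac in (dst, src):
        return "unicast-own"           # the capturing host is an endpoint
    return "unicast-third-party"       # needs monitor mode, a tap or a mirror

def vantage_report(frames, local_mac: bytes) -> Counter:
    """Count frame classes seen from one capture point."""
    return Counter(classify(f, local_mac) for f in frames)

def conversation_visible(frames, mac_x: bytes, mac_y: bytes) -> bool:
    """True if any unicast frame between the two stations is in the capture."""
    return any(len(f) >= 14 and {f[0:6], f[6:12]} == {mac_x, mac_y} for f in frames)

def eth(dst: bytes, src: bytes, ethertype: int = 0x0800) -> bytes:
    """Build a constructed frame: header plus zero padding to minimum size."""
    return dst + src + ethertype.to_bytes(2, "big") + bytes(46)

# Constructed, locally administered MACs (assumptions, not from the thread).
PC_A, PC_B, PRINTER = (bytes.fromhex(m) for m in
                       ("020000000a01", "020000000b01", "020000000c01"))

# Constructed capture on computer B, an ordinary (non-monitor) station.
CAPTURE_ON_B = [
    eth(LLMNR_V4_MAC, PC_A),         # A's LLMNR query, multicast
    eth(BROADCAST, PC_A, 0x0806),    # A's ARP request, broadcast
    eth(PRINTER, PC_B),              # B pings the printer
    eth(PC_B, PRINTER),              # printer answers B
]
# Constructed capture of the same period taken on computer A, the sender.
CAPTURE_ON_A = CAPTURE_ON_B[:2] + [eth(PRINTER, PC_A), eth(PC_A, PRINTER)]

if __name__ == "__main__":
    print(dict(vantage_report(CAPTURE_ON_B, PC_B)))
    print("A<->printer seen on B:", conversation_visible(CAPTURE_ON_B, PC_A, PRINTER))
    print("A<->printer seen on A:", conversation_visible(CAPTURE_ON_A, PC_A, PRINTER))
```

A capture whose report shows zero `unicast-third-party` frames was taken from a vantage point that cannot see other hosts' unicast traffic, whatever display filter is applied afterwards.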
