
Why is my network traffic visible on loopback interface but not Ethernet in Wireshark capture?

asked 2024-09-22 15:01:56 +0000

learner2424

updated 2024-09-22 21:59:59 +0000

Guy Harris

I'm working on a project to capture simulated IoT devices' data using Node-RED and a Mosquitto MQTT broker. Here's my setup:

Tools: Node-RED, Mosquitto, Wireshark for packet capturing.
Machine: Windows 11 Home (non-internet zone).
Network: A 3Com model 3CDSG8 switch with no VLAN configuration.
IP Configuration: Everything is configured on my machine's IP, and the IoT device data is working as expected.
Firewall: Disabled on my machine.

The problem I’m facing is:

When I capture traffic on the Ethernet interface using Wireshark, MQTT protocol data is not visible. However, when I capture traffic on the loopback adapter interface, I can see the MQTT data. Since I’ve configured everything to communicate over the machine’s IP (not the loopback address), I would expect to see the MQTT traffic on the Ethernet interface, not just on loopback.

My questions are:

1. Why is MQTT traffic not visible on the Ethernet interface in Wireshark, but visible on the loopback adapter?
2. Is there any configuration I’m missing in my switch (3Com model 3CDSG8) or Node-RED/Mosquitto setup that would affect this?
3. Are there any additional steps to ensure that traffic is routed correctly and captured over Ethernet?

Any insights or suggestions would be highly appreciated! Thanks in advance.


Comments

Is it supposed to communicate to the outside world (Ethernet interface) in plain text? Or is it encrypted (using TLS)? In that case, you need to decrypt before the MQTT becomes visible.

An MQTT broker is a server that receives all messages from the clients and then routes the messages to the appropriate destination clients. Do you have client communication over localhost to the broker?

André ( 2024-09-22 15:44:29 +0000 )

My broker file:

    listener 1883 <machine-ip>
    #bind_interface Ethernet
    allow_anonymous true
    persistence true
    persistence_location C:/Program Files/mosquitto/data/
    log_dest file C:/Program Files/mosquitto/logs/broker1.log
    log_type all
    log_timestamp true

And connected this broker to Node-RED and checked that log data is being published on the time interval set.

learner2424 ( 2024-09-22 15:49:02 +0000 )

1 Answer


answered 2024-09-22 17:31:42 +0000

Chuckc

Wireshark wiki: Loopback capture setup

If you are trying to capture traffic from a machine to itself, that traffic will not be sent over a real network interface, even if it's being sent to an address on one of the machine's network adapters.

Once the traffic gets down to layer 3 (OSI layers) there is no need to pass it to layer 2 or below.
The network stack uses the loopback to pass it back up the stack to the receiver.

You can test by pinging your machine's IP address from a command window.
Try to capture ICMP on the machine interface with the IP address, then try on the loopback interface.


Comments

Okay, so should I use another machine on the same network to check whether the MQTT server is communicating over Ethernet or not?

learner2424 ( 2024-09-22 17:36:16 +0000 )

3Com® OfficeConnect® Managed Gigabit Switch User Guide 3CDSG8 supports port mirroring.
If you have the hardware available, see Capture using a monitor mode of the switch.
Back down from the config based on the hardware you have available. It is recommended to NOT capture on one of the machines doing the communication. But not always possible in the real world.

Chuckc ( 2024-09-22 18:23:26 +0000 )

As per my understanding from this conversation, I should use different machines for the MQTT broker and Wireshark, connected to the same network, and using port mirroring I should divert data to the Wireshark machine to capture MQTT data over Ethernet? Am I right? Or is there any correction needed?

learner2424 gravatar imagelearner2424 ( 2024-09-22 18:37:17 +0000 )edit

"capture simulated IoT devices' data"
How do you create the MQTT node traffic?

Chuckc ( 2024-09-22 18:47:04 +0000 )

I am a student and new to this field, and I am confused about what to do. Tell me if you have any solution. I want to capture simulated IoT devices' data using the Ethernet interface. Thanks in advance.

learner2424 ( 2024-09-22 18:53:13 +0000 )
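An added example, not part of the original thread and not Wireshark or Mosquitto code: a Python helper that applies the rule from the answer and its comments to a list of MQTT flows and reports whether a capture on the broker machine sees each one on the loopback interface, on Ethernet, or only through a mirror port on the switch. The addresses (standing in for `<machine-ip>` and other hosts), the adapter name, the flow list and the single-homed-host assumption are constructed for illustration.

```python
import ipaddress

LOOPBACK = "loopback"

# Constructed sample: addresses assigned to the broker/Wireshark machine, per adapter.
ADAPTERS = {"Ethernet": ["192.168.1.10"]}

# Constructed sample flows to the Mosquitto listener on TCP 1883: (label, src, dst).
FLOWS = [
    ("Node-RED on the broker machine", "192.168.1.10", "192.168.1.10"),
    ("device simulator on a second machine", "192.168.1.20", "192.168.1.10"),
    ("two other hosts on the switch", "192.168.1.20", "192.168.1.30"),
]


def owning_adapter(addr, adapters):
    """Return the local adapter an address belongs to, or None if it is remote."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return LOOPBACK
    for name, assigned in adapters.items():
        if any(ip == ipaddress.ip_address(a) for a in assigned):
            return name
    return None


def capture_point(src, dst, adapters):
    """Where a capture running on this machine sees the src -> dst flow."""
    src_if, dst_if = owning_adapter(src, adapters), owning_adapter(dst, adapters)
    if src_if and dst_if:
        # Both ends are this host: the stack loops the packets back at layer 3,
        # even though the destination is the Ethernet adapter's own address.
        return LOOPBACK
    if src_if or dst_if:
        # One end is remote. Assumption: single-homed host, so the adapter that
        # owns the local address is the one the frames cross.
        return src_if or dst_if
    # Neither end is this host: a switch does not normally forward such unicast
    # frames to this port unless it is configured as a mirror (monitor) port.
    return None


def plan(flows, adapters):
    """Map each flow label to the interface to capture on (None = mirror port needed)."""
    return {label: capture_point(s, d, adapters) for label, s, d in flows}


if __name__ == "__main__":
    for label, where in plan(FLOWS, ADAPTERS).items():
        print(f"{label}: {where or 'not visible without port mirroring'}")
```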
