Wireshark not capturing MQTT data over Ethernet with port mirroring
I have a setup where I am using Mosquitto server and Node-RED on a single machine, which is configured with the machine's IP address. The connection is via Ethernet, and I have a switch and two machines connected to each other. The machines can ping each other without any issues.
To monitor the MQTT traffic, I used the port mirroring feature of my switch, and I mirrored the machine running Node-RED and Mosquitto (Port 1) to another machine where I have Wireshark (Port 8) installed.
However, when I start capturing traffic on Wireshark using the Ethernet interface, I don't see any MQTT traffic (no packets using port 1883). Here's a summary of my setup:
- Mosquitto server and Node-RED on the same machine.
- Machines connected through Ethernet, using a switch.
- Port mirroring set up to mirror traffic to a machine running Wireshark.
- Machines can successfully ping each other.
I expected to see MQTT data on Wireshark, but it's not showing up. What could be the reason for Wireshark not capturing the MQTT packets? Am I missing any configuration or step in Wireshark or port mirroring?
Things I've tried:
- Checked the port mirroring configuration on the switch.
- Verified that the machines are on the same network and can communicate (ping works fine).
- Filtered for MQTT packets in Wireshark (`mqtt` or `tcp.port == 1883`).
Any insights or suggestions would be greatly appreciated!
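The check the commenters below converge on (does traffic between the mirrored host and a third machine show up on the capture machine, and does any TCP/1883 traffic appear at all) can be scripted rather than eyeballed in Wireshark. The following is an added example written for this page, not code from the original poster or from the Wireshark or Mosquitto projects. It parses a classic pcap (as saved by Wireshark) with plain `struct`, labels each frame by protocol and by whether it involves the mirrored host, the capturing host, or neither, and applies the same reasoning as the comments: traffic to or from the capturing host proves nothing about the mirror, traffic between the mirrored host and a third machine proves the mirror works. The addresses (192.168.1.10/20/30 for M1/M2/M3) and the capture itself are constructed for the example; MAC addresses are placeholders.

```python
"""Mirror-port sanity check over a pcap: does the SPAN port deliver
traffic, and is any MQTT (TCP/1883) on the wire at all?  Added example;
the capture below is constructed, not taken from the poster's network."""
import struct
from collections import Counter

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
MQTT_PORT = 1883

# Hypothetical lab addresses matching the thread's M1/M2/M3 naming.
M1_IP, M2_IP, M3_IP = "192.168.1.10", "192.168.1.20", "192.168.1.30"
M1_MAC, M2_MAC, M3_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def eth_frame(src, dst, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def ipv4_packet(src, dst, proto, payload):
    # Minimal 20-byte header; checksum left 0 because nothing validates it here.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip(src), ip(dst))
    return hdr + payload


def tcp_segment(sport, dport, payload=b""):
    # 20-byte header (data offset 5), PSH|ACK, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


def icmp_echo():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"


def build_pcap(frames):
    """Classic little-endian pcap, LINKTYPE_ETHERNET, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def classify(frame, mirrored_ip, capture_ip):
    """Return (protocol, scope): which hosts a frame involves."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP:
        return ("arp", "any")          # broadcast, reaches M2 with or without the mirror
    if ethertype != ETH_IPV4:
        return ("other", "any")
    iph = frame[14:]
    ihl = (iph[0] & 0x0F) * 4
    src = ".".join(map(str, iph[12:16]))
    dst = ".".join(map(str, iph[16:20]))
    if capture_ip in (src, dst):
        scope = "capture-host"         # M2 sent or received it: says nothing about the mirror
    elif mirrored_ip in (src, dst):
        scope = "mirrored"             # only reaches M2 through the SPAN port
    else:
        scope = "third-party"
    proto = iph[9]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", iph[ihl:ihl + 4])
        kind = "mqtt" if MQTT_PORT in (sport, dport) else "tcp"
    elif proto == IPPROTO_ICMP:
        kind = "icmp"
    else:
        kind = "ip-other"
    return (kind, scope)


def summarize(pcap, mirrored_ip, capture_ip):
    return Counter(classify(f, mirrored_ip, capture_ip) for f in iter_frames(pcap))


def diagnose(summary):
    """Apply the thread's reasoning to the per-(protocol, scope) counts."""
    mirror_ok = any(scope == "mirrored" for (_, scope) in summary)
    mqtt_seen = any(kind == "mqtt" for (kind, _) in summary)
    if not mirror_ok:
        return "mirror-not-working"    # only M2's own traffic and broadcasts arrived
    if mqtt_seen:
        return "mqtt-visible"
    return "mirror-ok-no-mqtt-on-wire"  # SPAN works, but nothing on TCP/1883 crosses port 1


def sample_capture(with_mqtt):
    """Constructed capture: M1 pings M3 and M2, plus an ARP request, optionally MQTT from M3."""
    frames = [
        eth_frame(M1_MAC, M3_MAC, ETH_IPV4, ipv4_packet(M1_IP, M3_IP, IPPROTO_ICMP, icmp_echo())),
        eth_frame(M1_MAC, M2_MAC, ETH_IPV4, ipv4_packet(M1_IP, M2_IP, IPPROTO_ICMP, icmp_echo())),
        eth_frame(M1_MAC, "ff:ff:ff:ff:ff:ff", ETH_ARP, b"\x00" * 28),
    ]
    if with_mqtt:
        frames.append(eth_frame(M3_MAC, M1_MAC, ETH_IPV4,
                                ipv4_packet(M3_IP, M1_IP, IPPROTO_TCP,
                                            tcp_segment(50000, MQTT_PORT, b"\x10\x00"))))
    return build_pcap(frames)


if __name__ == "__main__":
    for flag in (False, True):
        s = summarize(sample_capture(flag), M1_IP, M2_IP)
        print(dict(s), "->", diagnose(s))
```

To run it against a real capture, replace `sample_capture(...)` with `open("capture.pcap", "rb").read()` (save from Wireshark as classic pcap, not pcapng) and pass the real M1 and M2 addresses. A result of `mirror-ok-no-mqtt-on-wire` means the SPAN session is delivering frames but no TCP/1883 traffic is crossing the mirrored switch port, so the next question is where the MQTT client and broker actually exchange packets.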
Is this a continuation of "Why is my network traffic visible on loopback interface but not Ethernet in Wireshark capture?"?
no, this is not a continuation
Can you see the ping (icmp) traffic in the packet capture?
Yes, I can see protocols such as ICMP (only when pinging from M1 to M2), ARP, STP.
I assume either M1 or M2 is the Mosquitto server?
Are you using any capture filters? Is there vlan tagging involved? Are you using encrypted MQTT (port 8883)? Are you using a custom port for MQTT? Do you see any other traffic between your test machine and the MQTT machine in the packet capture on the machine on port 8?
If the ping was done from the wireshark system (M2), then it was not in the packet capture because of the port mirror, but because of it being sent from the capturing machine. Can you attach a system (M3) to port 2 and do a ping from M3 to M1 and see if it is visible in the packet capture on M2? Then at least we know if it is a general port mirror issue or a specific MQTT issue...
I tried pinging M2 (Wireshark machine) from M1 (machine with Node-RED and Mosquitto) and I can see ICMP traffic in Wireshark.
As you are capturing on M2, the ping from or to M2 will always be visible, whether or not the span/mirror port is working correctly. The interesting part is if a ping was done from M1 to another machine (M3) is visible on M2, as that would prove the span/mirror is working correctly.
Which system is sending/receiving MQTT traffic to M1? And on which port is it connected to the switch?
I have an 8-port switch. M1 (on which MQTT is being generated) is connected to port 1 and M2 (having Wireshark) is connected to port 8. Port 1 data is mirrored to port 8. I can see ICMP traffic in Wireshark (M2) while pinging M3 from M1.
I'm a bit confused. Can you confirm that both MQTT and Node-RED are on the same machine and, if so, what the OS is on that machine?
Yes, Node-RED and the MQTT broker are on the same machine, running the Windows operating system.