Revision history

Revision 1 (initial version)

Hidden/unreported packets?

I have a mystery in which it appears Wireshark is seeing some packets from a device but not others, which I didn't think was possible. The device (actually plural since I've now seen it on two identical devices) is an Ingenico credit card terminal. We were working with the vendor's customer support to switch the device(s) from using a phone line to using the network. I used nmap to discover the device IPv4 and MAC addresses & confirm it was connected to the network. The phone line to each device was disconnected. Wireshark and nmap both identified the MAC address prefixes as Ingenico. Initially I filtered the Wireshark display by the device's IP address (ip.addr==X.X.X.X, IPv4 only according to the server address entered into the device for the download) but later switched to filtering by MAC address (eth.addr==XX:XX:XX:XX:XX:XX) when I didn't see all the traffic. What's puzzling me is that I could ping the device from a Windows 10 system on the same network switch and Wireshark showed the request and response packets. However, I didn't see any packets from connections initiated by the device. The switch to using the network involved downloading a configuration file over the network and running a test transaction. We also initiated pings through the device admin interface to 8.8.8.8. Wireshark didn't show any packets for downloading the new configuration file, the test transaction or the pings to the Google address initiated from the device. Afterwards it showed more ping traffic to the device from the computer on the same network switch. So I could see two blocks of ping packets from before and after the download, test transaction and device-generated pings, but no packets for that other activity. I also later saw an ARP packet from the device looking for the router. I checked the DHCP leases and see only the two IP address/Ingenico MAC addresses I know about. 
I hate to think I'm about to smack my head, but what explanation might there be for not being able to see the other traffic?

Revision 2

Hidden/unreported packets?

I have a mystery in which it appears Wireshark is seeing some packets from a device but not others, which I didn't think was possible.

The device (actually plural since I've now seen it on two identical devices) is an Ingenico credit card terminal. We were working with the vendor's customer support to switch the device(s) from using a phone line to using the network. I used nmap to discover the device IPv4 and MAC addresses & confirm it was connected to the network. The phone line to each device was disconnected. Wireshark and nmap both identified the MAC address prefixes as Ingenico.

Initially I filtered the Wireshark display by the device's IP address (ip.addr==X.X.X.X, IPv4 only according to the server address entered into the device for the download) but later switched to filtering by MAC address (eth.addr==XX:XX:XX:XX:XX:XX) when I didn't see all the traffic.

What's puzzling me is that I could ping the device from a Windows 10 system on the same network switch and Wireshark showed the request and response packets. However, I didn't see any packets from connections initiated by the device. The switch to using the network involved downloading a configuration file over the network and running a test transaction.

We also initiated pings through the device admin interface to 8.8.8.8. Wireshark didn't show any packets for downloading the new configuration file, the test transaction or the pings to the Google address initiated from the device. Afterwards it showed more ping traffic to the device from the computer on the same network switch. So I could see two blocks of ping packets from before and after the download, test transaction and device-generated pings, but no packets for that other activity.

I also later saw an ARP packet from the device looking for the router. I checked the DHCP leases and see only the two IP address/Ingenico MAC addresses I know about.

I hate to think I'm about to smack my head, but what explanation might there be for not being able to see the other traffic?
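Added example (not part of the question or of the Ask Wireshark page): a minimal Ethernet/ARP/IPv4 frame parser that applies the equivalent of the two display filters named in the question, ip.addr==X.X.X.X and eth.addr==XX:XX:XX:XX:XX:XX, to a few hand-constructed frames. All MAC and IP addresses in it are invented stand-ins, and the frames are built inline rather than captured. It shows one concrete way the two filters differ: an ARP request (like the one the poster saw from the terminal) has no IPv4 header, so ip.addr never matches it while eth.addr does. Either filter only selects among frames the capture interface actually received; neither can reveal frames a switch never forwarded to the capturing port.

```python
"""Compare Wireshark's ip.addr and eth.addr display filters on constructed frames.

Example code written for this page; addresses are made up and the frames are
built by hand, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    eth_src: str
    eth_dst: str
    ethertype: int
    ip_src: Optional[str] = None   # None when the frame has no IPv4 header
    ip_dst: Optional[str] = None
    arp_spa: Optional[str] = None  # ARP sender/target protocol addresses are
    arp_tpa: Optional[str] = None  # arp.src/dst.proto_ipv4, NOT ip.addr, in Wireshark


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet II header plus an IPv4 or ARP header if present."""
    if len(raw) < 14:
        raise ValueError("short Ethernet frame")
    dst, src = raw[0:6], raw[6:12]
    ethertype = struct.unpack("!H", raw[12:14])[0]
    frame = Frame(eth_src=mac_str(src), eth_dst=mac_str(dst), ethertype=ethertype)
    payload = raw[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20 and payload[0] >> 4 == 4:
        frame.ip_src = ip_str(payload[12:16])   # IPv4 source at offset 12
        frame.ip_dst = ip_str(payload[16:20])   # IPv4 destination at offset 16
    elif ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        # Ethernet/IPv4 ARP layout: SHA@8, SPA@14, THA@18, TPA@24
        frame.arp_spa = ip_str(payload[14:18])
        frame.arp_tpa = ip_str(payload[24:28])
    return frame


def ip_addr_filter(frame: Frame, addr: str) -> bool:
    """Equivalent of `ip.addr == addr`: requires an IPv4 header in the frame."""
    return frame.ip_src == addr or frame.ip_dst == addr


def eth_addr_filter(frame: Frame, mac: str) -> bool:
    """Equivalent of `eth.addr == mac`: matches whatever the upper layer is."""
    return frame.eth_src == mac or frame.eth_dst == mac


def build_ipv4_frame(eth_src: str, eth_dst: str, ip_src: str, ip_dst: str) -> bytes:
    """Ethernet + minimal 20-byte IPv4 header + ICMP echo header (checksums zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ip_bytes(ip_src), ip_bytes(ip_dst))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    return mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + icmp


def build_arp_request(eth_src: str, spa: str, tpa: str) -> bytes:
    """Broadcast 'who-has tpa? tell spa' ARP request."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, 1,
                      mac_bytes(eth_src), ip_bytes(spa), b"\x00" * 6, ip_bytes(tpa))
    return mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP) + arp


# Assumed stand-in addresses (the question redacts the real ones).
TERMINAL_MAC, TERMINAL_IP = "00:11:22:33:44:55", "192.168.1.50"
PC_MAC, PC_IP = "66:77:88:99:aa:bb", "192.168.1.10"
ROUTER_MAC, ROUTER_IP = "cc:dd:ee:ff:00:11", "192.168.1.1"

SAMPLE_FRAMES: List[bytes] = [
    build_ipv4_frame(PC_MAC, TERMINAL_MAC, PC_IP, TERMINAL_IP),        # ping request to terminal
    build_ipv4_frame(TERMINAL_MAC, PC_MAC, TERMINAL_IP, PC_IP),        # ping reply from terminal
    build_ipv4_frame(TERMINAL_MAC, ROUTER_MAC, TERMINAL_IP, "8.8.8.8"),  # terminal ping via router
    build_arp_request(TERMINAL_MAC, TERMINAL_IP, ROUTER_IP),           # terminal ARP for router
]


def count_matches(raw_frames: List[bytes], ip_addr: str, mac: str) -> Tuple[int, int]:
    """Return (frames matched by ip.addr, frames matched by eth.addr)."""
    frames = [parse_frame(r) for r in raw_frames]
    return (sum(ip_addr_filter(f, ip_addr) for f in frames),
            sum(eth_addr_filter(f, mac) for f in frames))


if __name__ == "__main__":
    print(count_matches(SAMPLE_FRAMES, TERMINAL_IP, TERMINAL_MAC))  # (3, 4)
```

Running it gives (3, 4): the three IPv4 frames match both filters, the ARP request only the MAC filter. In a real capture the same check is `tshark -r file.pcap -Y 'eth.addr==XX:XX:XX:XX:XX:XX && !ip.addr==X.X.X.X'`, which lists exactly the frames the IP filter would have hidden.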