This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Not Seeing the EAPOL return traffic from switch

I'm capturing the initial EAPOL traffic between the supplicant and the switch, but the return EAP traffic is not reported by Wireshark. The workstation port is SPANned to send traffic to a laptop with Wireshark 1.12.6. The monitor session is set for both directions. I would expect to see the return traffic for the Request and Success, but I'm not seeing it in Wireshark. The destination is shown as "Nearest" with a MAC of 01:80:c2:00:00:03, which is shown as static CPU. Any ideas?

    Client---------------->Nearest # Start
    Client---------------->Nearest # Response, Identity
    Client---------------->Nearest # Client Hello
    Client---------------->Nearest # Response, TLS EAP (EAP-TLS)
    Client---------------->Nearest # Certificate, Client Key Exchange, Certificate Verify, Change Cipher, Encrypted Handshake
    Client---------------->Switch # Response, TLS EAP (EAP-TLS)

asked 01 Jul '15, 13:14

ub40

  1. Did you try to capture packets at the supplicant or server?
  2. Are you seeing the complete security exchange at one endpoint (i.e., supplicant and/or server)?
  3. Did you try using another port on the switch as a mirror port?
(02 Jul '15, 07:42) Amato_C

One Answer:

My guess would be that the SPAN isn't providing the authenticator packets for the capture port. Try to set up the capture differently.

answered 02 Jul '15, 04:37

Jaap ♦
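
One way to confirm whether a capture is one-sided in the way the question and answer describe, as an added example that is not part of the original thread: classify each EAPOL frame by the role that must have sent it (only an authenticator sends EAP Request, Success or Failure) and flag captures that contain supplicant frames only. The client and switch MAC addresses, the VLAN ID and all sample frames are constructed; reading frames out of a capture file is left to the caller.

```python
import struct
from collections import Counter

EAPOL, DOT1Q = 0x888E, 0x8100
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ROLE_BY_CODE = {1: "authenticator", 2: "supplicant", 3: "authenticator", 4: "authenticator"}

def classify(frame: bytes):
    """Return (sender_role, description) for an EAPOL frame, else None."""
    if len(frame) < 18:                        # Ethernet header + EAPOL header
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == DOT1Q:                     # mirrored frames may carry a VLAN tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != EAPOL or len(frame) < off + 4:
        return None
    _version, ptype, _length = struct.unpack_from("!BBH", frame, off)
    if ptype in (1, 2):                        # EAPOL-Start / EAPOL-Logoff
        return "supplicant", ("EAPOL-Start" if ptype == 1 else "EAPOL-Logoff")
    if ptype != 0 or len(frame) < off + 8:     # EAPOL-Key etc., or truncated EAP
        return "unknown", f"EAPOL type {ptype}"
    code = frame[off + 4]                      # first byte of the EAP packet
    return ROLE_BY_CODE.get(code, "unknown"), f"EAP {EAP_CODES.get(code, code)}"

def direction_summary(frames):
    """Count EAPOL frames per sender role and flag a supplicant-only capture."""
    roles = Counter(r[0] for r in map(classify, frames) if r)
    return {"counts": dict(roles),
            "one_sided": roles["supplicant"] > 0 and roles["authenticator"] == 0}

PAE = bytes.fromhex("0180c2000003")            # PAE group address from the question
CLIENT = bytes.fromhex("020000000001")         # constructed MAC
SWITCH = bytes.fromhex("020000000002")         # constructed MAC

def frame(src, eapol_type, eap=b"", vlan=None):
    tag = struct.pack("!HH", DOT1Q, vlan) if vlan is not None else b""
    return PAE + src + tag + struct.pack("!HBBH", EAPOL, 1, eapol_type, len(eap)) + eap

def eap(code, ident, data=b""):
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

# Constructed captures: the symptom in the question vs. a capture that sees both sides
SUPPLICANT_ONLY = [frame(CLIENT, 1), frame(CLIENT, 0, eap(2, 1, b"\x01user"))]
BOTH_SIDES = [frame(CLIENT, 1), frame(SWITCH, 0, eap(1, 1, b"\x01")),
              frame(CLIENT, 0, eap(2, 1, b"\x01user"), vlan=10), frame(SWITCH, 0, eap(3, 2))]

if __name__ == "__main__":
    for name, cap in (("supplicant only", SUPPLICANT_ONLY), ("both sides", BOTH_SIDES)):
        print(name, direction_summary(cap))
```

A `one_sided` result of `True` matches the symptom in the question: the mirror is delivering the supplicant's frames but none that the authenticator originated.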