This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Sniffing and packet capture for different scenarios

0

Hello, for the attached image, which shows a network setup, I have the following questions.

1. In scenario A, is there any device required after the Ethernet converter for Wireshark to capture the packets?
2. Does it sniff and capture the packets in this scenario?

Thank you.


asked 30 Aug '16, 09:05

stadkama

edited 30 Aug '16, 09:07


2 Answers:

0

If you are sniffing on two cables you would need (2) capture NICs on the PC, or (2) separate capture PCs, or you would need a TAP that aggregates the two cables into one capture port that you then use the PC to capture off of. For the first two options, you would use mergecap to get both conversations into one PCAP file.

I am not familiar with what the converter is accomplishing, so if that aggregates somehow then that may also be a solution. But from the diagram I am assuming that there are two cables leaving the converter.

answered 30 Aug '16, 09:25

BruteForce

2 wire ethernet represents simultaneous transmit and receive (i.e., full-duplex) operations on a single-pair cable.

The 100BASE-TX cable after the converter towards the PC represents a Cat5e cable where one pair is used for transmit and one for receive to achieve the same data rate. The converter is just for physical layer conversion. Please let me know whether any TAP is required after the converter.

(31 Aug '16, 01:55) stadkama

0

Your description is unclear and even confusing: "two-wire" usually means "single-pair", which would mean that both directions of the connection (μC A <-> μC B) use the same pair, while the description in the bubble says "2 cable ethernet" which could mean a separate cable (possibly with several pairs) per direction.

But as a 2-wire "Ethernet" is a common solution where both directions use the same pair of wires, I'll deal with that part: no, the way you have drawn it, it will not work. Depending on how the 2-wire "Ethernet" solution is implemented, the 2-wire connection may carry:

  • two modulated signals in different bands (if you have to set a role on each of the converters)

  • a superposition of both directions' baseband (not modulated) signals, if both ends use a "hybrid coil" to separate what they transmit themselves from what they receive on the pair, to get only what the other party transmits.

  • some kind of half-duplex protocol

In any of the first two cases, you have to use the following architecture (==== means a pair of wires) for sniffing:

                -------------                __    -------------
               |          Tx |==============|  |==| Rx          |
μC A ==========| Converter A |   __          ||   | Converter B |========== μC B
               |          Rx |==|  |=========||===| Tx          |
                -------------    ||          ||    -------------
                               --||----------||--
                              |  Rx          Rx  |
                              | eth0        eth1 |
                              |    sniffing PC   |
                               ------------------

I.e. you have to create a section of standard 4-wire Ethernet between the two μcontrollers using two 2W/4W converters connected back-to-back, and use a tap on it to feed two ports on the sniffing PC, each sniffing its own direction.

Instead, you can also use a switch capable of monitoring, connect it between the two converters, and monitor the Tx direction of each of the ports separately (i.e. copy it to another sniffing port of your PC).

If you don't care much about timing and the aggregate traffic between the two μcontrollers is lower than the bandwidth on the sniffing port (or if you can use a 1 Gbit/s port to connect the PC while the 2-wire Ethernet is just 100 Mbit/s in each direction), you can monitor Tx and Rx of just one of the ports on a single sniffing port of the PC, and you'll be fine as well.

answered 31 Aug '16, 01:07

sindy

edited 31 Aug '16, 01:11

The representation in the figure is described below: 2 wire ethernet represents simultaneous transmit and receive (i.e., full-duplex) operations on a single-pair cable.

The 100BASE-TX cable after the converter towards the PC represents a Cat5e cable where one pair is used for transmit and one for receive to achieve the same data rate. The converter is just for physical layer conversion.

(31 Aug '16, 01:58) stadkama

In that case, all that I wrote above is true. The Tx and Rx on the 2-wire are arranged in one of the first two ways, and so you need to insert two back-to-back connected converters into the 2-wire line to be able to sniff both directions properly. If frequency separation is used, a single converter connected in parallel can only read one direction; if hybrids are used, a mix of both directions is present on the wire, so if both μcontrollers transmit at the same time, the converter connected in parallel cannot translate the superposition of the two signals into two packets which do not overlap in time.

(31 Aug '16, 02:13) sindy
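
An added sketch, not from either answer and not Wireshark's own code, of what combining the two per-direction captures involves (the `mergecap` step in the first answer, the eth0/eth1 arrangement in the second): it reads two classic pcap files and interleaves their records by timestamp. The frames, MAC addresses and timestamps are constructed samples, and only little-endian microsecond pcap is handled.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4                    # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")     # magic, ver 2.4, zone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def build_pcap(packets, linktype=1):       # linktype 1 = Ethernet
    """Serialise (ts_sec, ts_usec, frame) tuples as a little-endian pcap file."""
    body = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, frame in packets:
        body.append(RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(body)

def read_pcap(data, port):
    """Yield (ts_sec, ts_usec, port, frame) for each record in one capture."""
    if len(data) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    offset = GLOBAL_HDR.size
    while offset < len(data):
        if offset + RECORD_HDR.size > len(data):
            raise ValueError("truncated record header")
        sec, usec, incl, _orig = RECORD_HDR.unpack_from(data, offset)
        offset += RECORD_HDR.size
        if offset + incl > len(data):
            raise ValueError("truncated frame")
        yield sec, usec, port, data[offset:offset + incl]
        offset += incl

def merge_directions(cap_eth0, cap_eth1):
    """Interleave two per-direction captures by timestamp (each already in order)."""
    return list(heapq.merge(read_pcap(cap_eth0, "eth0"), read_pcap(cap_eth1, "eth1"),
                            key=lambda rec: rec[:2]))

def to_pcap(merged):
    """Write the merged records back out as a single pcap file."""
    return build_pcap([(sec, usec, frame) for sec, usec, _port, frame in merged])

def eth(dst, src, payload):                # constructed frame, EtherType 0x88B5 (local experimental)
    return bytes.fromhex(dst) + bytes.fromhex(src) + b"\x88\xb5" + payload

MAC_A, MAC_B = "02000000000a", "02000000000b"   # constructed addresses
# Constructed sample: eth0 saw only A->B, eth1 saw only B->A
CAP_ETH0 = build_pcap([(100, 100, eth(MAC_B, MAC_A, b"req 1")),
                       (100, 900, eth(MAC_B, MAC_A, b"req 2"))])
CAP_ETH1 = build_pcap([(100, 500, eth(MAC_A, MAC_B, b"rsp 1")),
                       (100, 1200, eth(MAC_A, MAC_B, b"rsp 2"))])

if __name__ == "__main__":
    for sec, usec, port, frame in merge_directions(CAP_ETH0, CAP_ETH1):
        print(f"{sec}.{usec:06d} {port} {frame[14:].decode()}")
```

The interleaving is only as trustworthy as the timestamps: two NICs on one PC are stamped from the same clock, while two separate capture PCs need synchronised time before their files are merged.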