Does Wireshark work on Windows Vista or Windows Server 2008? Capturing packets on UN.Xes. Several parts of the Ethereal web site` (such as the mailing lists, source code repository, and build farm) have gone offline. In order to see the raw Ethernet packets, rather than 'de-VLANized' packets,.
Active1 year, 1 month ago
I am a beginner in Wireshark, and I would like to find some problems with a TCP connection. Basically, I have some sockets timing out, and I would like to find out if the message (packet) being sent has been lost.
Is Wireshark the right tool for this purpose?
Bionix1441Bionix1441
3 Answers
Yes, you can use wireshark (and/or tcpdump) for this.
I would run wireshark on both source and destination hosts, with a capture filter for the traffic you are interested in, and then check if the traffic is actually sent and if the same traffic is received at the other host.
You can also use Iperf. Iperf is a tool to measure the bandwidth and the quality of a network link.One machine configured as Client and the other one as Server.Configuration is as it follows:
Server side: iperf -s
Client side: iperf -c xxx.xxx.xxx.xxx // where xxx.xxx.xxx.xxx is the server's IP address. You can also specify TCP window size.
Gospot BogGospot Bog
'I have an application that spawns processes that communicate with each other through TCP using the loopback interface on the same host. Just standard TCP sockets.'
For TCP connections over loopback, packet loss is exceptionally rare except under massive overload, and depends on the OS. I'd certainly look elsewhere.
Sockets timing out on loopback is much more likely to be a programming error. Details of which depend on exactly what phase of connection the sockets are timing out.
PS. Yes, for two hosts communicating and you suspect packet loss, wireshark/tshark/tcpdump is the right tool; ideally capture on both server and client, then you actually see the lost packet on one but not the other.
PPS. But almost always it's best to make a guess about what kinds of packets are getting lost. 'All those of a certain size?' is especially common. If it's really just random packet loss, some of the lesser-used options of ping at one end and tcpdump/whatever at the other will often do it. Otherwise, netcat can be very useful, and as another noted, iperf.
Not the answer you're looking for? Browse other questions tagged tcpwiresharkpacket-loss or ask your own question.
Active1 year, 11 months ago
I have a device set with a static IP and subnet mask. I do not know the IP or subnet mask. How can I find the devices IP and subnet mask?
It is a piece of hardware, not a PC. It will not take an IP from DHCP. I have also tried directly plugging in a LAN cable from my PC to the device with Wireshark running to see if I could capture any packets from the device when it starts or has an Ethernet cable plugged in to it – but there appears to be nothing.
The device appears to be working as it flashes on the Ethernet ports.
Is there any software to do pingsweeps across IPs and networks?
Restart the device (unplug and plug it back to the power line)
In case the device has a static IP, it should(might) broadcast it's IP on the network, which you should detect with the wireshark.
In case the device has dynamic IP set up, it will ask for an IP adress, in which case connecting it to a router or a computer with DHCP server will resolve the issue.
Note, just today I've seen the sys admin use these steps to find out an unknown IP from the device :)
I recommend netdiscover. You can use it in passive listening mode and detect incoming ARP announcements (using the -p switch) , or just apply some brute force:
Note that this is incredibly fast compared to nmap (maybe I did not tune nmap well enough).
Also that the method suggested in the currently accepted answer (sniffing for ARP announcements using Wireshark) essentially is what the -p mode is doing.
Try this command, it will ping all possible broadcast addresses.
DarekDarek
Assuming that it is plugged into a managed switch, find the switch that it is plugged into, and track it down to the specific port. Log into the switch, and look at the mac-address that is associated with that port. In Cisco land, it would be something along the lines of show mac-address-table | i 5/34 where 5/34 is the port that the device is plugged into.
Once you have the mac address of the device, then you can look at the arp tables on the switch, which should show you an IP. Again, in Cisco, it would be something like sh arp | i FFFF where FFFF is the last 4 characters of the device's mac address.
That will get you as far as the IP address. The you should be able to use a tool like wireshark to watch the traffic, and glean the netmask from the traffic.
KirkKirk
In OSes that don't let you ping the all-ones broadcast address (255.255.255.255), you can usually still ping the 'All Hosts' multicast address:
All IP stacks for two decades have supported multicast, so they should all respond to that, unless they have an overzealous firewall.
This displays the networks neighbour cache. Its a local cache of IP/MAC address resolutions. Useful to identify new devices that have joined a network and duplicate static IPs.
PodTech.ioPodTech.io
I had success on my Linux box using a USB-Ethernet adapter (like this one), and issuing:
Nmap ('Network Mapper') is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).