
[I had to repost this from the ask.wireshark.org as my questions do not come up there, still not sure why].

Hi All,

I'll try my luck here.

I'm trying to solve a similar problem to the one described in the "how to work around unicast messages" question, albeit in my case I'm not seeing an ARP reply (unicast) in Wireshark. I need to say that I have read everything that was suggested in that thread (Wireshark help and a set of other documents on Ethernet Capturing/Hubs vs Switches vs Taps, etc.) and am still puzzled, so basically would love to hear any ideas thrown at me by experts.

So: it is Ethernet, with 3 devices:

1. a custom device (running embedded Linux)
2. a PC (WinXP) where Wireshark is running (promiscuous mode, capture all)
3. a PC where a server application is running, to which the custom device communicates

All 3 are connected to [what is believed to be] a simple hub, "CentreCom MR415T repeater", 10BASE-T only (not dual speed). I'm seeing all the traffic I expect to see in Wireshark but NO ARP replies (unless they are sent to the Wireshark PC). For the problem I'm trying to nail it is crucial to tell whether there are NO replies to ARP requests sent by the custom device (1) or it (the device) is unable to correctly handle these replies (which is quite possible).

All other symptoms point to the latter but I need to actually SEE and be able to SHOW this as a proof.

Thanks in advance to anyone who replies, Alexei

tum_
  • Under such circumstances, I'd try to change the setup to a modern switch with port mirroring capabilities or an Ethernet TAP, as opposed to an old hub. Did you/can you try that? Note: I'm into embedding so I got the "device is unable to correctly handle these replies which is quite possible". Though, I'd first try another setup (and BTW in my experience, handmade hack-a-day TAPs are not reliable for this). – jbm Mar 09 '16 at 15:59
  • Yes they do, and rightfully. For example, some misbehaving "askers" question your answer in a comment, actually asking another question, and then another one, etc. "Comments" are supposed to be used for clarification/context in such a way they should be removed anytime. (I removed a couple of mine above). Good investment, good luck. – jbm Mar 10 '16 at 16:14

1 Answer


UPD. 2016/06/09: In the advanced settings of Panda Firewall I found a tick box "SmartARP"; unticking it solved the issue.

The ultimate reason for not seeing ARP replies in Wireshark turned out to be Panda End Point Protection Plus Firewall. Not the most flexible piece of software as far as I can see: creating a User rule for Wireshark to allow both incoming/outgoing does not help in the slightest, but disabling the firewall does.

tum_
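The check the question asks for (which ARP requests from the device never received a reply) can be run over raw captured frames. This is an added example, not part of the original question or answer; the function names are hypothetical and the MAC and IP addresses are constructed sample values.

```python
import struct

ARP_ETHERTYPE = 0x0806
BROADCAST = b"\xff" * 6

def build_arp(dst, src, op, spa, tha, tpa):
    """Build an untagged Ethernet frame carrying an IPv4 ARP packet (used for the sample data)."""
    header = dst + src + struct.pack("!H", ARP_ETHERTYPE)
    return header + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, src, spa, tha, tpa)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if the frame is not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None  # too short, or not ARP (802.1Q-tagged frames are not handled here)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, sha, spa, tpa

def unanswered_requests(frames, requester_mac):
    """IPs the requester asked about (op 1) that never got a reply (op 2) sent to its MAC."""
    pending = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        op, sha, spa, tpa = arp
        if op == 1 and sha == requester_mac:
            pending.add(tpa)
        elif op == 2 and frame[0:6] == requester_mac:
            pending.discard(spa)  # unicast reply addressed to the requester
    return sorted(".".join(str(b) for b in ip) for ip in pending)

# Constructed sample: the device asks for two addresses, only the server answers.
DEVICE_MAC, DEVICE_IP = bytes.fromhex("020000000001"), bytes([192, 168, 0, 10])
SERVER_MAC, SERVER_IP = bytes.fromhex("020000000003"), bytes([192, 168, 0, 30])
ABSENT_IP = bytes([192, 168, 0, 40])
SAMPLE = [
    build_arp(BROADCAST, DEVICE_MAC, 1, DEVICE_IP, b"\x00" * 6, SERVER_IP),
    build_arp(DEVICE_MAC, SERVER_MAC, 2, SERVER_IP, DEVICE_MAC, DEVICE_IP),
    build_arp(BROADCAST, DEVICE_MAC, 1, DEVICE_IP, b"\x00" * 6, ABSENT_IP),
]

if __name__ == "__main__":
    print(unanswered_requests(SAMPLE, DEVICE_MAC))
```

The result describes what the capture contains, not necessarily what was on the wire: as the answer above found, firewall software on the capture PC can keep unicast replies out of Wireshark.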