Discussion:
my traffic not captured
David Sheats, Friendly Computer Service
2014-03-19 14:08:44 UTC
Hi folks,

I am writing a program that makes use of Windows Sockets, and I thought I might use Wireshark to watch the traffic go back and forth across my network. However, the Shark doesn't seem to capture the packets generated by my program.
I send data from the client computer to the server computer using a regular TCP connection onto port 2022 of the server. I know the server is receiving the information, because it is able to print it on the screen.
Wireshark seems to be capturing other data just fine, such as HTTP traffic on port 80, and VNC traffic (I use that to fiddle with my server so I don't have to walk back and forth between my computers). Switching promiscuous mode on or off doesn't seem to help. Also, it doesn't seem to make a difference whether I'm running Wireshark on the client or the server side of the connection.

I am wondering if maybe it's the API call I'm using. I am using send() and recv() found in winsock2.h. Does this API call somehow bypass the driver that Shark uses to capture traffic? I'm a bit stymied, and would like to see my bytes flowing :-P

-David
Anne Blankert
2014-03-19 14:52:25 UTC
Post by David Sheats, Friendly Computer Service
Hi folks,
I am writing a program that makes use of Windows Sockets, and I
thought I might use Wireshark to watch the traffic go back and forth
across my network. However, the Shark doesn't seem to capture the
packets generated by my program.
I send data from the client computer to the server computer using
a regular TCP connection onto port 2022 of the server. I know the
server is receiving the information, because it is able to print it on
the screen.
Wireshark seems to be capturing other data just fine, such as
HTTP traffic on port 80, and VNC traffic (I use that to fiddle with my
server so I don't have to walk back and forth between my computers).
Switching promiscuous mode on or off doesn't seem to help. Also, it
doesn't seem to make a difference whether I'm running Wireshark on the
client or the server side of the connection.
I am wondering if maybe it's the API call I'm using. I am using
send() and recv() found in winsock2.h. Does this API call somehow
bypass the driver that Shark uses to capture traffic? I'm a bit
stymied, and would like to see my bytes flowing :-P
It would surprise me if your software would be able to bypass Wireshark.
Are you sure you are capturing on the same interface as your client or
server is listening on?

If client and server are on the same host and you are using 'localhost', you
should capture the loopback interface.
If client and server are on different machines, you should capture on
the same interface that client (or server) is using. Maybe you have
multiple network cards (wifi + ethernet?) and traffic is flowing on the
other card?
If wireshark is on a separate machine attached to the network between
client and server, you may not see the traffic, because, by default,
network switches will only send out packets on the client and server
connections. You need to configure traffic mirroring from the client and
server connections to the wireshark connection (only possible on managed
switches).

Does any of the above apply to your case?

Anne
Guy Harris
2014-03-19 17:43:20 UTC
If client and server are on the same host and you are using 'localhost', you should capture the loopback interface.
If you're running Wireshark on Windows (which he's probably doing, given the "winsock2.h" in his comment), you might not *have* a loopback interface, or it might not do what somebody used to UN*Xes thinks it does:

http://wiki.wireshark.org/CaptureSetup/Loopback

However, I infer from

Also, it doesn't seem to make a difference whether I'm running Wireshark on the client or the server side of the connection.

that the client and server are separate machines.
If wireshark is on a separate machine attached to the network between client and server,
you may not see the traffic, because, by default, network switches will only send out packets on the client and server connections. You need to configure traffic mirroring from the client and server connections to the wireshark connection (only possible on managed switches).
see

http://wiki.wireshark.org/CaptureSetup/Ethernet

for information on that and, if it's going over a Wi-Fi network, see

http://wiki.wireshark.org/CaptureSetup/WLAN

(and note that it's not very encouraging about trying to do third-party Wi-Fi captures on Windows).
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
Guy Harris
2014-03-19 17:44:05 UTC
Post by David Sheats, Friendly Computer Service
I am writing a program that makes use of Windows Sockets, and I thought I might use Wireshark to watch the traffic go back and forth across my network. However, the Shark doesn't seem to capture the packets generated by my program.
I send data from the client computer to the server computer using a regular TCP connection onto port 2022 of the server. I know the server is receiving the information, because it is able to print it on the screen.
Wireshark seems to be capturing other data just fine, such as HTTP traffic on port 80, and VNC traffic (I use that to fiddle with my server so I don't have to walk back and forth between my computers).
Is it capturing other traffic *between the client and server in question*?

David Sheats, Friendly Computer Service
2014-03-19 18:50:45 UTC
Ohhh, I see what I did. It was a network byte-ordering problem. I wanted
it to connect to port 2022 (07e6 hex), but it was switching the bytes around
such that I was actually connecting to port 58887 (e607 hex). My eye had
been skipping right past the captured packets because I assumed they were
for some other protocol!

Thanks for the help, Guy and Anne.

(I am relatively new to using email lists such as this; will Anne also get
this message, or do I have to reply specifically to her email in order for
her to see it?)

-David

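The byte-order mistake David describes, as an added example that is not code from the thread or from Wireshark: sin_port must hold the port in network (big-endian) byte order, so on a little-endian x86 host a program that stores 2022 (0x07e6) directly ends up with 0xe607 on the wire, which Wireshark decodes as port 58887. The helper names, the documentation address 192.0.2.10 and the display filter are assumptions for the example. The "wire" functions return what a capture on either end would show, so you can check the swapped value before staring at a trace.

```c
/* Byte-order demo: why a Winsock client that skips htons() connects to the
 * wrong port, and what Wireshark shows.  Added example; not code from the
 * mailing-list thread.  Builds with winsock2/ws2tcpip on Windows (link
 * ws2_32) and with the BSD socket headers elsewhere. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#else
#include <arpa/inet.h>
#include <netinet/in.h>
#endif

/* 1 on little-endian hosts (x86/x64, where the bug bites), 0 on big-endian. */
int is_little_endian(void) {
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Decode sin_port the way the network and Wireshark do: the two bytes as
 * they sit in memory, most significant first (network byte order). */
uint16_t port_on_wire(uint16_t sin_port_value) {
    unsigned char b[2];
    memcpy(b, &sin_port_value, sizeof b);
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* The mistake: assign the host-order integer straight into sin_port. */
uint16_t wire_port_without_htons(uint16_t host_port) {
    return port_on_wire(host_port);
}

/* The fix: convert to network byte order first. */
uint16_t wire_port_with_htons(uint16_t host_port) {
    return port_on_wire(htons(host_port));
}

/* Given the port you meant, the port Wireshark will show if the bytes were
 * swapped; handy for a display filter that catches both cases. */
uint16_t byte_swapped_port(uint16_t port) {
    return (uint16_t)(((port & 0xffu) << 8) | (port >> 8));
}

/* Correct way to fill the address for connect(): htons() for the port,
 * inet_pton() for the IPv4 address (it already writes network order).
 * Returns 1 on success, 0 if the address string is not valid IPv4. */
int fill_sockaddr_in(struct sockaddr_in *sa, const char *ipv4, uint16_t host_port) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(host_port);
    return inet_pton(AF_INET, ipv4, &sa->sin_addr) == 1;
}

int main(void) {
    uint16_t intended = 2022;   /* 0x07e6, the port from the thread */
    printf("intended port %u (0x%04x)\n", (unsigned)intended, (unsigned)intended);
    printf("with htons():    wire sees %u\n", (unsigned)wire_port_with_htons(intended));
    printf("without htons(): wire sees %u\n", (unsigned)wire_port_without_htons(intended));
    printf("Wireshark display filter to catch both: tcp.port == %u || tcp.port == %u\n",
           (unsigned)intended, (unsigned)byte_swapped_port(intended));
    return 0;
}
```

The same rule applies to sin_addr (htonl, or let inet_pton fill it) and to any multi-byte field you put into your own protocol; Wireshark decodes what is on the wire, so a byte-swapped port simply shows up as traffic to a port you were not looking for.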