Ethereal-users: Re: [Ethereal-users] Only Seeing Outgoing Packets

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Sat, 21 Jan 2006 18:13:41 -0800
Simon Bradley wrote:

> Guys,
>
> I think I may be able to answer my own question. I've just found this
> sentence in the hub's documentation:
>
> "Every port automatically operates at the proper speed, while the built-in
> self-learning 10 to 100 Mbps bridge automatically discovers where each user
> is and filters or forwards traffic accordingly."

Yes, that's how "dual-speed" hubs work.  If a dual-speed hub isn't a
real switch, it is, I think, something like a 10Mb/s hub and a 100Mb/s 
hub in the same box, with the hardware automatically connecting ports to 
the 10Mb/s portion or the 100Mb/s portion depending on the speed of the 
port.

For a non-switched hub of this sort, a 10Mb/s port will see all 10Mb/s
traffic and a 100Mb/s port will see all 100Mb/s traffic.  I don't know 
whether the two internal hubs are unconnected (so that the 10Mb/s ports 
see *no* 100Mb/s traffic and the 100Mb/s ports see *no* 10Mb/s traffic) 
or connected by an internal switch (so that broadcast and multicast 
traffic goes to all ports regardless of speed, but unicast traffic goes 
only to the port that appears to have an adapter with the destination 
address of the packet, if any) - the description seems to imply the latter.

> So, the hub is in fact more clever than I thought. I don't know if it's a
> true switch (I'm not 100% sure of the definitions here), but it seems to be
> more than just a hub.

A true switch would direct unicast traffic only to the proper port in
*all* cases, even if the source and destination (unless it didn't yet 
know what the proper port was, as it hadn't seen any unicast traffic 
*from* that port).

However, at least as you describe your network, I'd expect all incoming
traffic from the Internet to go through the hub and, if the laptop 
monitoring the traffic has its Ethernet adapter running at the same 
speed as the cable modem (probably 10Mb/s), I'd expect it to see *all* 
traffic from the Internet - not *none* of the traffic, as you're reporting.

If the laptop has its Ethernet adapter running at a speed *other* than
the one the cable modem's running at, I wouldn't expect it to see
traffic from the Internet.

*However*, if the wireless router is running at the same Ethernet speed
as the cable modem, I wouldn't expect the laptop to see any traffic from
it, either - i.e., I wouldn't expect it to see any traffic going *to*
the Internet, either!

You're seeing that traffic, which suggests that the wireless router is
running at a different speed (e.g., 100Mb/s).  If there's an internal 
switch in the hub, connecting the set of 10Mb/s ports and 100Mb/s ports, 
it'll forward multicast and broadcast traffic from any port to all 
ports, and will forward unicast traffic from the wireless router to the 
cable modem port, even though they're not running at the same speed, but 
*not* to any other 10Mb/s ports.

If the laptop's Ethernet adapter is configured to run at 100Mb/s, and it
can be configured to run at 10Mb/s (there might be something in the
properties for the adapter to do that), try doing that.

If you start seeing traffic *from* the Internet, but *stop* seeing
traffic *to* the Internet, you probably have the cable modem running at
10Mb/s, the wireless router running at 100Mb/s, and a dual-speed hub
with a switch connecting the 10Mb/s and 100Mb/s port sets.

Unfortunately, that means the hub won't help you monitor both directions
of traffic.  If the problem is that the wireless router's running the 
port plugged into the hub at 100Mb/s, you'll somehow need to lower that 
to 10Mb/s.  I'm assuming the wireless router port plugged into the hub 
is the non-switched port (the online data sheet speaks of one 10/100 
port and four switched 10/100 ports, with the stand-alone port 
presumably being the one you plug into your broadband modem and the 
other ports being the ones you plug wired client machines into).

I don't see anything in the online manual for the WRT54GS to let you
force the port to a given speed, but perhaps it's buried deeper in the
UI than the manual shows.

If the other hub you mention is 10Mb/s-only, using *that* hub might
force the WRT54GS to run at 10Mb/s, which should let you see all traffic 
(that might also force the laptop to 10Mb/s, too, so you might not have 
to configure any adapters to 10Mb/s).

> I'm guessing the incoming packets are being sent only to the router, and not
> to the monitor laptop. Does it make sense that the hub would be able to do
> this, considering the destination machines are not directly connected to the
> hub?

Yes - if the WRT54GS is acting as a NAT box, so that it has whatever
your ISP thinks is your IP address, then, as far as the cable modem is 
concerned, the destination machine is the WRT54GS, and it *is* directly 
connected to the hub.

> The outgoing packets are being sent to the router as well as to the monitor
> laptop, so I'm guessing the hub isn't able to figure out where these packets
> should be sent for some reason.

Or that it can figure out which 10Mb/s ports should get those packets
(the cable modem), but it sends them to *all* 100Mb/s ports (including 
the laptop).
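
Added example, not part of the original message: a toy Python model of the dual-speed hub behaviour hypothesised above, showing which direction of traffic a passive capture laptop sees at each link speed. The port names, MAC addresses and the forwarding rule (frames are repeated to every port at the sender's speed, and known unicast crosses the internal bridge only to the destination's port) are assumptions taken from the message's description, not from the hub's documentation.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

def is_group(mac):
    # Broadcast and multicast addresses have the low bit of the first octet set.
    return int(mac.split(":")[0], 16) & 1 == 1

class DualSpeedHub:
    def __init__(self, ports):
        self.ports = ports      # {port_name: (mac, speed_mbps)}
        self.learned = {}       # bridge table: source MAC -> port_name

    def deliver(self, src_port, dst_mac):
        """Return the set of ports that receive a frame sent from src_port."""
        src_mac, speed = self.ports[src_port]
        self.learned[src_mac] = src_port  # the bridge learns where the sender is
        # Hub side: every other port running at the sender's speed sees the frame.
        seen = {p for p, (_, s) in self.ports.items() if s == speed and p != src_port}
        other = {p for p, (_, s) in self.ports.items() if s != speed}
        if is_group(dst_mac) or dst_mac not in self.learned:
            seen |= other                    # broadcast/multicast/unknown: flood
        elif self.learned[dst_mac] in other:
            seen.add(self.learned[dst_mac])  # known unicast: destination port only
        return seen

def monitor_view(laptop_speed, router_speed=100, modem_speed=10):
    """Which traffic directions reach the capture laptop (constructed topology)."""
    hub = DualSpeedHub({
        "modem": ("02:00:00:00:00:01", modem_speed),    # constructed MACs
        "router": ("02:00:00:00:00:02", router_speed),
        "laptop": ("02:00:00:00:00:03", laptop_speed),  # passive, never transmits
    })
    modem_mac, router_mac = hub.ports["modem"][0], hub.ports["router"][0]
    hub.deliver("router", BROADCAST)   # e.g. an ARP request: bridge learns router
    hub.deliver("modem", router_mac)   # the reply: bridge learns modem
    return {
        "to_internet": "laptop" in hub.deliver("router", modem_mac),
        "from_internet": "laptop" in hub.deliver("modem", router_mac),
    }

if __name__ == "__main__":
    # (laptop, router, modem) speeds in Mb/s; the last row is a 10Mb/s-only hub.
    for speeds in [(100, 100, 10), (10, 100, 10), (10, 10, 10)]:
        print(speeds, monitor_view(*speeds))
```

A capture that shows only one direction, and flips direction when the capture adapter's speed is changed, is consistent with this model; seeing both directions requires all three ports on the same speed segment.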