Wireshark

Posted: Fri Feb 10, 2017 10:17 pm
by TowerTech
Guys,

Can you tell me the syntax to start Wireshark to capture a port on a Netonix switch we have? We have an odd occurrence with a tower top switch: we can't see its IP but we can see its MAC show up in the MAC table.

We can scan the subnets and it is not showing up. I am looking to see if we can see its MAC in Wireshark and locate its IP.

Thanks

Stu

Re: Wireshark

Posted: Wed Mar 15, 2017 11:42 am
by CuninganReset
You need to connect to any port of the switch, open Wireshark and listen to any packet.
Once you have a good list of packets, filter by MAC.

Re: Wireshark

Posted: Wed Mar 15, 2017 12:05 pm
by sirhc
Or if you have the latest firmware v1.4.7rc14 (which I hope you do) and you have Discovery service(s) turned on, it can be discovered by UDP, LLDP, CDP protocols.

I am guessing you tried a reboot?

Of course it may have been damaged or failed, in which case you're going to have to climb.

Now if I was going to have a switch up on a tower where it is hard to get to, I would make sure I had the latest MODs to help protect against ground current and static discharges, especially if you do not have your tower ground rods bonded to your service ground rods.

All switches manufactured after September 2016 have the MODs.

Users can make the MODs themselves if they wish which is explained here: viewtopic.php?f=17&t=2584

The importance of bonding ground rods between tower ground rods and electric service ground rods to ensure no ground potential difference, as well as running dedicated ground wires up to equipment, is explained in these posts. This makes sure all ground potentials are the same and the Ethernet cables do not try to carry the ground current, which Ethernet Surge Protectors do not help against. And using Ethernet Surge Protectors with "PASSIVE" POE switches/devices can cause more harm than good because most work by clamping all wires to ground, which makes a DEAD SHORT and you fry your switch port or worse. Most Ethernet Surge Protectors are designed to work with "ACTIVE" POE and POE Bricks which in either case will not damage them but "PASSIVE" POE is a different animal:
viewtopic.php?f=30&t=1816
viewtopic.php?f=30&t=188
viewtopic.php?f=30&t=1429
viewtopic.php?f=17&t=1786&start=30#p13447
https://community.ubnt.com/t5/airFiber/ ... rue#M31070

Re: Wireshark

Posted: Sun Mar 19, 2017 11:19 pm
by TowerTech
Still need to know the syntax to use Wireshark that is loaded on my Ubuntu laptop to get in and monitor a port on my Netonix switch.

Can anybody help? Second request.

Re: Wireshark

Posted: Sun Mar 19, 2017 11:32 pm
by sirhc

Re: Wireshark

Posted: Mon Mar 20, 2017 6:34 am
by TowerTech
I have a Netonix Switch that we have lost the IP for. When I look it up in the MAC table lookup, this is what we get. It's a mid tower switch and would require a climb.

"ec-13-b2-91-38-ef 1 1 Netonix Unknown"

It shows MAC but no IP.

What is your advice to get the IP, Sirhc?

Re: Wireshark

Posted: Mon Mar 20, 2017 8:41 am
by sirhc
I do not use Wireshark a lot and have only used Wireshark on Windows a few times, and I know just enough to get by with Linux.

I am not super familiar with Wireshark but have been able to muddle my way through to achieve what I needed referencing the manual.

"If" you have your firmware up to date which you "should" and you have at least one discovery protocol turned on in the switch:

Current version v1.4.7rc14 (which has all the bugs reported to date in v1.4.6 fixed)

UDB - Ubiquiti Discovery Protocol - Same program used to find UBNT devices
CDP - Cisco Discovery Protocol
LLDP - Link Layer Discovery Protocol

Then you can find the switch with a discovery program.

Re: Wireshark

Posted: Mon Mar 20, 2017 10:57 am
by lligetfa
TowerTech wrote: I have a Netonix Switch that we have lost the IP for. When I look it up in the MAC table lookup, this is what we get. It's a mid tower switch and would require a climb.

"ec-13-b2-91-38-ef 1 1 Netonix Unknown"

It shows MAC but no IP.

What is your advice to get the IP, Sirhc?
It is entirely possible that MAC does not have an IP. Do you not keep records of all your equipment MAC addresses?

Probably it is used only on the broadcast domain and so doesn't need an IP.

Re: Wireshark

Posted: Tue Mar 21, 2017 8:26 am
by mike99
I would use port mirroring for this. Just connecting a PC to the switch won't allow you to view all traffic, only broadcast. Only a hub allows you to see all traffic. You must mirror the traffic to a PC with Wireshark.
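
Added example, not part of any post in this thread: once mirrored traffic reaches the capture PC, filtering frames by source MAC and reading the sender address out of ARP or IPv4 headers is what recovers the IP, and an empty result corresponds to the case raised earlier where the device has no IP at all. The frames are constructed inline; the 192.0.2.x addresses and the second MAC are assumed documentation values.

```python
import socket
import struct

def mac_bytes(text):
    """Accept 'ec-13-b2-91-38-ef' or 'ec:13:b2:91:38:ef'."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

def ips_for_mac(frames, mac):
    """IPv4 addresses that frames sent by `mac` claim as their own (may be empty)."""
    target, found = mac_bytes(mac), set()
    for frame in frames:
        if len(frame) < 14 or frame[6:12] != target:
            continue  # truncated, or not sent by the MAC we are hunting
        ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if ethertype == 0x8100 and len(payload) >= 4:  # 802.1Q tag: real type follows
            ethertype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
        if ethertype == 0x0806 and len(payload) >= 28:    # ARP: sender IP at offset 14
            ip = payload[14:18]
        elif ethertype == 0x0800 and len(payload) >= 20:  # IPv4: source IP at offset 12
            ip = payload[12:16]
        else:
            continue  # LLDP, STP and similar frames carry no IPv4 header
        if ip != b"\x00" * 4:  # 0.0.0.0 means the sender has no address yet
            found.add(socket.inet_ntoa(ip))
    return found

def arp_request(src_mac, src_ip, dst_ip):
    """Build a broadcast ARP request (used only to construct the sample capture)."""
    src = mac_bytes(src_mac)
    eth = b"\xff" * 6 + src + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    return eth + arp + src + socket.inet_aton(src_ip) + b"\x00" * 6 + socket.inet_aton(dst_ip)

# Constructed sample capture. The MAC is the one quoted in the thread; the
# 192.0.2.x addresses and the second MAC are documentation values (assumptions).
SWITCH = "ec-13-b2-91-38-ef"
LLDP = bytes.fromhex("0180c200000e") + mac_bytes(SWITCH) + b"\x88\xcc" + b"\x00" * 46
SAMPLE = [
    arp_request("00-00-5e-00-53-01", "192.0.2.1", "192.0.2.50"),  # some other host
    LLDP,                                                         # LLDP-typed frame, no IP header
    arp_request(SWITCH, "0.0.0.0", "192.0.2.50"),                 # ARP probe, no address yet
    arp_request(SWITCH, "192.0.2.50", "192.0.2.1"),               # switch reveals its IP
    b"\xff" * 10,                                                 # truncated frame
]

if __name__ == "__main__":
    print(ips_for_mac(SAMPLE, SWITCH))  # frames sent by the switch
    print(ips_for_mac([LLDP], SWITCH))  # layer-2-only traffic: nothing to find
```

The same selection in Wireshark itself is the display filter `eth.src == ec:13:b2:91:38:ef`.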

Re: Wireshark

Posted: Wed Mar 22, 2017 8:25 am
by TowerTech
Mike 99, Thank you!

I am hunting the script to launch Wireshark remotely to affix it to one of the switch ports that is connected to the switch I am having issues finding the IP of.

The reason is I cannot locate the IP of the switch I need to get into, and I need to use Wireshark to attempt to sniff the packets on the port that missing switch is connected to, since it's a tower top switch.

Do you by chance have the actual syntax I need to log on to the switch with Wireshark remotely? From what I gather it is syntax that launches Wireshark automatically and binds it to the port. (Windows or Linux, I have both machines.)