
Does Wireshark capture packets when the system is in hibernation/sleep?


Does Wireshark capture packets when the system is in hibernation/sleep?

asked 2017-12-21 12:43:49 +0000

1 Answer


No, is there any other program that keeps running?

Jaap
answered 2017-12-21 12:58:12 +0000

Comments

Thanks for the update. My system is getting auto-woken from hibernation when it is connected to the LAN network, without any user interruption. I suspect some ARP packets are waking the machine from hibernation. Is there a way to verify the cause of the system auto-wake?

Your feedback will be appreciated!

I checked the Windows event logs, the last wake source and a few more possible sources, but nowhere is the cause of the auto-wake captured.

Thanks, Nagarjun

nagarjun031 (2017-12-21 19:24:31 +0000)

Normally special Wake-on-LAN (WOL) packets are required to do that, not just ARP ones. To find out whether the WOL ones are being sent to your sleeping machine, you have to use another machine to capture on the path between the sleeping machine and the rest of the network, using a hub or a port-mirroring switch.

sindy (2017-12-21 19:55:24 +0000)

> Normally special Wake-on-LAN (WOL) packets are required to do that, not just ARP ones.

Some network adapters can be configured to treat non-WOL packets as wakeup packets, so that an incoming ARP packet asking for that host's MAC address, and incoming unicast packets, will wake the machine up, so the machine can go to sleep and still respond to incoming packets. As I remember from looking at this a while ago, Windows supports that.

Guy Harris (2017-12-21 20:10:47 +0000)

> an incoming ARP packet asking for that host's MAC address, and incoming unicast packets, will wake the machine up

Learning something new every day... however, this does not change the detection method needed. Run a capture on the external machine, hibernate the one which gets woken up, and stop the capture as soon as it gets woken. Then, some of the packets sent towards the sleeping machine - WOL packets, ARP requests, maybe unicast packets (sent towards a cached MAC?) - just before those sent from its MAC are the suspects. The longer it could sleep the better to find the suspects.

sindy (2017-12-21 20:23:25 +0000)

> sent towards a cached MAC?

Not necessarily - that's why the adapters let you set a "wake me up" pattern that includes an ARP request asking for your MAC address. See, for example, Power Management for Network Devices in Windows 7.

Guy Harris (2017-12-21 20:41:14 +0000)
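
The detection method from the comments above, as an added example that is not part of the original thread: given frames captured on another machine, it lists WOL magic packets, ARP requests for the host's IP and unicast frames seen shortly before the first frame sent from the sleeping host's MAC. The function names, the `window` parameter and the sample MAC/IP values are assumptions made for illustration; `read_pcap` handles only classic little-endian pcap files with untagged Ethernet, so a pcapng capture has to be saved as pcap first.

```python
import struct

BROADCAST = b"\xff" * 6

def read_pcap(path):
    """Yield (timestamp, frame) from a classic little-endian pcap file (not pcapng)."""
    with open(path, "rb") as f:
        if f.read(24)[:4] != b"\xd4\xc3\xb2\xa1":
            raise ValueError("expected little-endian microsecond pcap")
        while hdr := f.read(16):
            sec, usec, caplen, _ = struct.unpack("<IIII", hdr)
            yield sec + usec / 1e6, f.read(caplen)

def classify(frame, mac, ip):
    """Return why this Ethernet frame could wake the host (MAC, IPv4), or None."""
    if BROADCAST + mac * 16 in frame:
        return "WOL magic packet"
    arp = frame[14:] if frame[12:14] == b"\x08\x06" else b""
    # ARP request (opcode 1) whose target protocol address is the host's IP
    if arp[6:8] == b"\x00\x01" and arp[24:28] == ip:
        return "ARP request for host"
    return "unicast to host" if frame[:6] == mac else None

def wake_suspects(frames, mac, ip, window=5.0):
    """Suspect frames seen up to `window` seconds before the host's first own frame."""
    seen = []
    for ts, frame in frames:
        if frame[6:12] == mac:  # first frame from the host's MAC: it has woken up
            return [(t, why) for t, why in seen if ts - t <= window]
        why = classify(frame, mac, ip)
        if why:
            seen.append((ts, why))
    return []  # host never transmitted during the capture

# Constructed sample frames (not a real capture): host 02:00:00:00:00:01, 192.0.2.10
MAC, IP = bytes.fromhex("020000000001"), bytes([192, 0, 2, 10])
PEER = bytes.fromhex("020000000002")
ARP_REQ = (BROADCAST + PEER + b"\x08\x06" + b"\x00\x01\x08\x00\x06\x04\x00\x01"
           + PEER + bytes([192, 0, 2, 1]) + b"\x00" * 6 + IP)
SAMPLE = [
    (10.0, BROADCAST + PEER + b"\x08\x00" + b"\x00" * 20),  # unrelated broadcast
    (100.0, ARP_REQ),                                       # "who has 192.0.2.10?"
    (100.2, MAC + PEER + b"\x08\x00" + b"\x00" * 20),       # unicast to sleeping host
    (100.9, PEER + MAC + b"\x08\x06" + b"\x00" * 28),       # host's first frame
]

if __name__ == "__main__":
    for ts, why in wake_suspects(SAMPLE, MAC, IP):
        print(f"{ts:8.1f}  {why}")
```

For a real capture, call `wake_suspects(read_pcap("capture.pcap"), mac, ip)` with the sleeping machine's own addresses. If the adapter answers ARP on the host's behalf while it sleeps, frames from its MAC can appear before the actual wake-up, so check the first-frame marker against the time the machine was seen to wake.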