USB Capture Of Ethernet Traffic Using Sharktap

I'm new to Wireshark and SharkTap, so please forgive me if this is a silly question or has been previously answered. I'm trying to capture Ethernet data between an HMI screen and a PLC using a SharkTap USB, but I have to send the data through a USB converter as my computer doesn't have an Ethernet port. The IP addresses of the HMI and PLC aren't showing up; instead I'm getting new IP addresses assigned by the host. Is there any way to see the original IP addresses so that I can more easily analyze the traffic? Thanks in advance for any help.

JV
asked 2019-07-11 20:06:09 +0000

Comments

Is your setup like this:

         Ethernet
HMI ---------------- PLC
             |
             |
         SharkTap
             |
             | USB
             |
           Laptop

Where does the Laptop USB to Ethernet adaptor fit in?

grahamb (2019-07-11 20:36:29 +0000)

The PLC is connected via a switch, but otherwise yes. I also tried using the Ethernet tap on the SharkTap to run to an Ethernet-to-USB adapter and then to the laptop. Both methods yielded the same result.

JV (2019-07-12 13:06:31 +0000)

UPDATE*

A coworker with a different laptop was able to capture the traffic as intended with the proper IP addresses. When he plugs the SharkTap into his laptop, an "Ethernet" channel appears in the Wireshark main window. So now it's a question of whether his computer has a plugin or driver that mine doesn't, or did I miss an option on install?

JV (2019-07-12 19:24:57 +0000)

According to http://www.midbittech.com/usb/USB%20S..., you may need to restart the capture driver. Also, which capture driver do you have installed (WinPcap or Npcap) vs. which one is installed on the laptop that works? If it's Npcap, then you might need to "net stop npcap", "net start npcap" instead of "net stop npf", "net start npf". Alternatively, if the drivers differ between machines, you could try to uninstall the one that doesn't work and install the one that does.

cmaynard (2019-07-12 19:47:13 +0000)

I was using USBPcap. Wireshark also has "Npcap loopback adapter" but it never showed anything during capture. I will determine the difference between laptops and see where to go from there.

JV (2019-07-12 19:57:58 +0000)

3 Answers

I took a look at the website of the makers of the SharkTap. It seems that the SharkTap USB has a built-in USB-Ethernet adapter, so you do not need to add an external one. What is the reason you are using a separate one? Did you also try using the built-in USB-Ethernet adapter to capture on?

As for not seeing the IP addresses of the HMI and PLC, are they both directly connected to the SharkTap NETWORK interfaces? So no switches, hubs, etc. involved? If so, did you enable "Promiscuous mode" on the capture interface (the external USB-Ethernet adapter)? And do you know for sure this adapter supports "promiscuous mode"?

SYN-bit
answered 2019-07-11 21:57:52 +0000

Comments

I've tried both the external and the built-in on the SharkTap. Both rendered the same result. The system has a switch as well and I placed the SharkTap in between the HMI and the switch. I would have to look into whether or not the adapter supports promiscuous mode.

JV (2019-07-12 12:37:35 +0000)

Reading the SharkTapUSB 10/100/1G Quick Start Guide, it appears that, if you plug the SharkTap into a computer's USB port, it will appear as a (USB-attached) Ethernet adapter if your operating system has a driver that supports the ASIX AX88179 Gigabit Ethernet Adapter chip they use, so you would just capture on that Ethernet adapter. No separate "USB converter" is required. They also indicate that both Windows and "recent Linux distributions" have drivers for that adapter chip.

Guy Harris
answered 2019-07-11 22:40:48 +0000

Comments

My laptop does support the built-in chip. I've tried both methods with the same results.

JV (2019-07-12 13:04:16 +0000)
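
The checks raised in this thread (is the tap's ASIX AX88179 adapter present as an Ethernet interface, which capture driver is installed, restart it, then see what Wireshark can capture on), collected as an added PowerShell example that is not from any of the posters. The Wireshark install path is an assumed default; the `npcap`/`npf` service names are the ones quoted in the comments above.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: Wireshark is installed in its default location.
$tshark = Join-Path $env:ProgramFiles 'Wireshark\tshark.exe'

# 1. Has Windows bound an Ethernet driver to the tap's ASIX AX88179 chip?
$tap = @(Get-NetAdapter | Where-Object { $_.InterfaceDescription -like '*AX88179*' })
if ($tap.Count -eq 0) {
    Write-Warning 'No AX88179 adapter present: the tap is not exposed as an Ethernet interface.'
} else {
    $tap | Format-Table Name, InterfaceDescription, Status, LinkSpeed -AutoSize
}

# 2. Restart whichever packet capture driver is installed (Npcap or WinPcap),
#    so that it re-enumerates adapters plugged in after it was loaded.
$drivers = @(Get-Service -Name npcap, npf -ErrorAction SilentlyContinue)
if ($drivers.Count -eq 0) {
    Write-Warning 'Neither the npcap nor the npf service is installed.'
}
foreach ($d in $drivers) {
    & net.exe stop  $d.Name
    & net.exe start $d.Name
}

# 3. List the capture interfaces and annotate the two that are easy to confuse:
#    USBPcap records raw USB bus transfers, not the Ethernet frames on the tapped link.
if (Test-Path $tshark) {
    & $tshark -D | ForEach-Object {
        $line = $_
        if ($line -match 'USBPcap') {
            "$line   <- raw USB bus traffic, not Ethernet frames"
        } elseif ($tap | Where-Object { $line -like "*($($_.Name))*" }) {
            "$line   <- the tap's Ethernet adapter"
        } else {
            $line
        }
    }
} else {
    Write-Warning "tshark.exe not found at $tshark"
}
```

Running this on both the working and the non-working laptop and comparing the output shows whether the difference is the adapter driver, the capture driver, or the interface being captured on.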

Final Update

The "turn it off and turn it back on again" strikes again. For whatever reason, uninstalling everything and reinstalling (nothing different on options selected) was the solution. I can see the true IP addresses and the packets of data are coming in properly. Thank you everyone for your help!

JV
answered 2019-07-15 20:45:43 +0000