How to avoid traffic generated by the capturing laptop?

Dear friends

This is the scenario: There is a wireless Ethernet connection between a Modbus client and a server. There is an administrable L2 switch connecting them. I need to capture and analyze the traffic between both pieces of equipment using a laptop with Wireshark installed and a physical Ethernet connection to the administrable switch.

The normal procedure is to configure a mirror port in the L2 switch, mirroring the traffic of the connection port to the client (or server), and connecting to this mirror port.

After the capture is done, the packet analysis shows the traffic generated between client and server as expected, but it also shows traffic generated by the connection of the laptop to the switch (it shows the MAC / IP of the laptop). Also, I can detect that some of the packets generated by the laptop go through the wireless connection.

Probably you would advise using a filter to avoid capturing the traffic generated by the laptop, applied after the capture, which solves the analysis problem, but in this particular case, it is required to avoid the traffic generated by the laptop during the capture, because the wireless link is bandwidth limited (it is an industrial 400 MHz radiolink of 170 kbps), so it is very sensitive to any additional traffic.

So, in this scenario my question is what would be the correct way (equipment, connection, configuration) for a "strictly hearing" capturing procedure, avoiding any traffic generated by the connection of the capturing laptop. Is it possible in the first place?

Thank you in advance for your help!

lacv2k
asked 2023-07-20 18:12:06 +0000

1 Answer

Assuming you work on a Windows laptop (you didn't specify), the trick is to go into the adapter properties, or whatever it's called, and disable all services, protocols, etc. attached to that interface. This way it becomes idle, i.e. won't send traffic.

Jaap
answered 2023-07-20 20:47:40 +0000
Comments

It may break things you may rely on as a side effect. And make sure you take notes of what you removed if you want it to be restored later.

hugo.vanderkooij (2023-07-21 07:10:35 +0000)

Don't remove things, just uncheck the bindings; see @Jasper's series on the Network Capture Playbook, Part 3, in the section "Passiveness".

grahamb (2023-07-21 09:18:24 +0000)

Thank you for your answer and further clarifications, friends. I do use Windows, so your answer applies! I understand the procedure. Excellent precision by grahamb, I will follow the indications and post if there are further issues. Thanks a lot!

lacv2k (2023-07-21 17:55:49 +0000)
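
The unchecking of adapter bindings described in the answer and comments above, done from PowerShell with a saved snapshot so the original state can be restored afterwards. This is an added example, not something posted by any participant in the thread. The adapter name `Capture`, the snapshot path, and the assumption that the capture driver's binding has "Npcap" or "WinPcap" in its display name (it is left enabled so Wireshark can still open the interface) are illustrative.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
# Assumptions: 'Capture' is the alias of the wired adapter plugged into the
# mirror port; the snapshot path is a placeholder; the capture driver binding
# is identified by "Npcap"/"WinPcap" in its display name.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Silence', 'Restore')]
    [string]$Action,
    [string]$AdapterName  = 'Capture',
    [string]$SnapshotPath = "$env:USERPROFILE\capture-bindings.json"
)

$ErrorActionPreference = 'Stop'

if ($Action -eq 'Silence') {
    $bindings = Get-NetAdapterBinding -Name $AdapterName

    # Record the original state once, so a second run cannot overwrite it
    # with the already-silenced configuration.
    if (-not (Test-Path $SnapshotPath)) {
        $bindings |
            Select-Object Name, DisplayName, ComponentID, Enabled |
            ConvertTo-Json |
            Set-Content -Path $SnapshotPath -Encoding UTF8
    }

    # Uncheck every enabled binding except the capture driver itself.
    $bindings |
        Where-Object { $_.Enabled -and $_.DisplayName -notmatch 'npcap|winpcap' } |
        ForEach-Object {
            Disable-NetAdapterBinding -Name $AdapterName -ComponentID $_.ComponentID
        }
}
else {
    # Put each binding back exactly as it was recorded.
    $saved = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    foreach ($b in @($saved)) {
        if ($b.Enabled) {
            Enable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID
        } else {
            Disable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID
        }
    }
}

# Show the resulting state for a visual check before starting the capture.
Get-NetAdapterBinding -Name $AdapterName |
    Format-Table DisplayName, ComponentID, Enabled -AutoSize
```

Saved as a script and run with `-Action Silence` before the capture and `-Action Restore` afterwards, this leaves the adapter with no IP stack or discovery protocols bound while it is attached to the mirror port. The adapter loses normal connectivity while silenced, so any remote access to the laptop has to use a different interface.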