Wireshark does not capture free ARP packets (opcode 2), only ARP announcement packages (opcode 1). While running Wireshark on the Windows 10 computer, I turned on the other computers, but Wireshark does not capture free ARP (opcode 2) packages from the machines that are being connected.
1 Answer
ARP requests are broadcast, so every device on the LAN will see them. ARP replies are unicast, so only the destination on the LAN will see them on a switched network.
Switches forward broadcast frames to every interface, other than the one on which the broadcast was received. That means every host on the LAN will see a broadcast frame.
Switches learn which unicast addresses are on which interfaces, and the switch will send a unicast frame only to the interface where that address was seen. Only when a switch has not seen a unicast address (unknown unicast) does it send the unicast frame to all the other interfaces.
What you are observing is what should happen on a switched network.
- I still can't capture free ARP (opcode 2). I am using Wireshark 2.4.13. Is there a tutorial showing the process? – Rafa skrock, Mar 8, 2020 at 13:17
- You must be on the machine to which the reply is unicast. The way a switched network works, you must be on the destination of any unicast frames in order to receive the frames. You could, depending on the model, configure a switch to mirror all traffic to a particular host. – Mar 8, 2020 at 15:51
- See also the Wireshark FAQ: wireshark.org/faq.html#_capturing_packets – richardb, Mar 8, 2020 at 20:09
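
The forwarding behaviour described in the answer, as an added example that is not part of the original posts: a minimal learning-switch model in Python that parses ARP frames and reports which opcodes a capture host on a third port would record. The MAC and IP addresses and the three-port layout are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def build_arp_frame(dst, src, opcode, spa, tpa, tha=b"\x00" * 6):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = dst + src + struct.pack("!H", 0x0806)           # EtherType 0x0806 = ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + src + spa + tha + tpa
    return eth + arp

def arp_opcode(frame):
    """Return the ARP opcode (1 = request, 2 = reply), or None if not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    return struct.unpack("!H", frame[20:22])[0]

class LearningSwitch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}           # source MAC -> port it was last seen on

    def forward(self, in_port, frame):
        """Learn the source MAC, then return the set of egress ports."""
        dst, src = frame[0:6], frame[6:12]
        self.mac_table[src] = in_port
        if dst != BROADCAST and dst in self.mac_table:
            return {self.mac_table[dst]} - {in_port}      # known unicast: one port
        return self.ports - {in_port}                     # broadcast or unknown unicast: flood

def opcodes_seen_by(capture_port, switch, traffic):
    """ARP opcodes a capture host attached to capture_port would record."""
    return [arp_opcode(f) for p, f in traffic if capture_port in switch.forward(p, f)]

# Constructed sample: host A on port 1, host B on port 2, capture host on port 3.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
IP_A, IP_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
TRAFFIC = [
    (1, build_arp_frame(BROADCAST, MAC_A, 1, IP_A, IP_B)),          # A asks for B (broadcast)
    (2, build_arp_frame(MAC_A, MAC_B, 2, IP_B, IP_A, tha=MAC_A)),   # B replies to A (unicast)
]

if __name__ == "__main__":
    for port in (1, 2, 3):
        print("port", port, "sees opcodes:", opcodes_seen_by(port, LearningSwitch([1, 2, 3]), TRAFFIC))
```

In this model the capture host on port 3 records only the request; the reply reaches port 3 only when the switch has not yet learned the destination MAC and floods it as unknown unicast.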