Want to use WireShark to verify that packets that start out at Location A reach the right address at Location B.
The hitch is that the addr at Location B is an IP cam.... so I want to swap out the dumb switch at Location B for one that can mirror everything that hit's that IP cam's addr to another outlet on the switch that is connected to a PC running WireShark.
I see plenty of stuff for big bucks.... but can anybody recommend something for less than $200?
Before you do that, can you run one of the failing cameras on local power and NOT use the PoE power? If it continues to work, with the remaing two HikVision cameras fail, then there's something odd happening inside the Trendnet PoE thing.
Running it on external power also helps for sniffing the traffic with Wireshark. I have an Ethertap, but in this case, it's overkill. I suggest you simply insert a 10/100baseT *HUB* (not an ethernet switch) in series between the Trendent switch and whatever you're testing. Hubs are "repeaters" which means the retransmit everything that goes in any port, to all the other ports. I carry a hub around in my Subaru specifically for such sniffing. Light reading:
Otherwise, you get to build a passive ethernet tap:
I like the hub. Sounds like something I should get ASAP and add to my Ethernet Tools box just on GPs.
One issue here is that I cannot provoke the problem for study purposes. I have to have everything in place and ready to go and then wait for the problem to manifest.
Should have thought to replace the POE power on a problem cam... but I did swap out the POE switch (same make, similar model albeit with higher power.... 1.25a instead of .8a).... with no change in the problem cams... so I am thinking maybe that lets the POE switch off the hook. But the next time I go down there, I will plug one of the problem cams into a non-powered port and supply power separately.
Yep. It's handy. Someone on eBay is selling old Netgear 10/100 hubs specifically for use with Wireshark at outrageous prices.
Nothing every fails when you're watching. Try turning your back.
What I do for such things is install monitoring or instrumentation. If the devices can handle SNMP, I install a MIB browser and MRTG grapher on a loaner PC. I NEVER install it on one of the customers machines because that might affect the failure mode. For extreme cases, I monitor AC line voltage, temperature, and server room lighting, all of which have played a part in past failures.
However, in this case, methinks it's a bit extreme. Fire up some kind of uptime monitor that uses ping to track failures. You'll get a good display and history on what parts of the network are failing.
Also, look for "new" devices. For Linux, I use arpwatch. For Windoze, Airsnare:
In other words, bait the trap, and wait for the culprit.
Ummm... I mentioned it twice in previous advice. PoE has been a rather odd problem for me. When it fails from overload or insufficient AC voltage, there's sometimes no indication that anything has gone wrong.
Probably, especially since power cycling the Ubiquiti radio (which end?) recovers the connection and has nothing to do with the PoE system, unless the Ubiquiti radios are running on the PoE switch. Oh-oh.
Just one camera on AC power. There are three HikVision cameras that are affected. The Trendnet camera seems immune. The idea is to locally power only one of the HikVision cameras, to see if it makes a difference. If the other two PoE powered HikVision cameras fail as before, but the one running on AC continues to operate, then it's like it has something to do with PoE.
I am thinking about dropping $260 on a NetGear 8-port smart switch as in
The plan is to temporarily swap it in at the problem IP cam site so that I can do two things:
- Mirror the port of one cam to a PC so I can WireShark the traffic
- Selectively turn cameras off so I can test somebody's hypothesis that there is a bandwidth issue.
And, once it's job is done there, I'll take it home and expect some hours of entertainment sniffing around my own LAN.
One of my assumptions vis-a-vis all smart switches is that their setup is via web pages that are accessible over the WAN or, at least, over their LAN. i.e. no travel to the site where they live is needed.
There are a bunch of GS110TP-100NAS used switches for sale on eBay for about $75.
Note that there is also the later GS110TP-200NAS and other options. I don't have time to decode the differences right now.
One of my customers has one that I setup solely for MAC level traffic shaping. (i.e. low priority and bandwidth to "guest" traffic). I've never tried the port mirroring.
It has a local LAN IP address on port 80, just like any other LAN device. If you want access from outside, you can either use Teamviewer on a local LAN PC, or setup your Comcast router for port forwarding, or run a VPN to access the entire LAN from your remote PC.
Have you ever used Wireshark? You don't just sit on a network and continuously sniff everything. You capture a set amount of data, typically about 5 minutes worth, and then have Wireshark decode the capture file.
You can run Wireshark continuously as a protocol analyzer, but you need lots of horsepower. If your monitor PC is located near the monitor port, that might work. If you are planning to backhaul the live capture data via the wireless bridge or even the wired network, forget it. You don't have the bandwidth.
I am currently trying to climb the learning curve. In fact, that is what led me to the smart switch/Ethernet hub thing: the realization that, if I want to sniff packets to (for instance) camera 10.0.0.145 WireShark running on a nearby PC cannot do it unless the traffic to
10.0.0.145 is also directed to the PC....i.e. "Port Mirroring" or a hub.
I can see I have a loooooong way to go.... but I'm sure to come out of this knowing stuff:
- That I did not know before
- That most people never even heard of
One more step up the curve... Thanks!.... My plan was to run WireShark continuously on each end of the radio link in hopes of having the cams go down while it was running. If I got lucky, maybe I could determine whether-or-not a given packet addressed to 10.0.0.145 made it across the radio link to the other side.
If packets are not making it... that would seem to further support the radio link theory. But if they *are* making it, that's a whole new ball game.
Right now, I am only doing Display filters. Could use of Capture filters reduce the horsepower requirements?
FWIW, my current working hypothesis is that static electricity is fouling up the radio links. How that could happen in such a way as to be camera-specific is waaaay beyond my pay grade.... but at least 3 Ubiquiti experts have noted that my failure to use shielded cable with a drain wire for serving an outdoors radio link sitting atop a 15-foot windsurfer mast is a major lapse in installation standards.
Something about wind blowing dust/sand past plastic - although this wire is inside the windsurfer mast except for about 18" up where the radio is attached.
But still, they're really adamant about the shielded/drain wire cable so that's been promoted to an ASAP thing.... I'll order the smart switch, wait for a decent day, drive down... and do it all:
- Swap out the switch
- Replace Cat5 unshielded w/shielded
- Install a 24-hour switch to just reboot the whole mess in the shop unconditionally at, say, 0100 every day
- *Try* to add a web-accessible switch at the server end so I can power everything there off/on at will.
Right now, I have a .BAT file that continuously pings a cam and writes the results to a .txt file. It's kind of kludgy - not smart enough to kick the timestamp date up when midnight passes... and I'm not sure it will tell me much except what I already know: that the ping results change in a predictable pattern when the cams go down.