Sniffing *ALL* Arduino Network Packets

For this post, I’m going to assume you are already somewhat familiar with Wireshark/tcpdump for monitoring network traffic.

Wireshark is great for viewing packets, but it only sees the traffic coming to/from the system that is running it.

Generally, that is OK. If I want to see what traffic is coming from my Arduino to a web server, I run Wireshark on the web server and I can see the traffic fine. 99% of the time, that is what I need to do and it works great.

Every once in a while, like today, I am having totally bizarre problems with the Arduino and I want to see EVERY packet it transmits to try and find a clue to the bizarro behavior I’m seeing. But I can’t run Wireshark on an Arduino, so my normal tool fails.

Modern ethernet networks use switches to transmit packets. Switches look at the MAC address of each packet and transfer it to the proper port on the switch, so only that port gets traffic for the attached device. For example:


If you are running Wireshark on PC B, you cannot see the traffic between PC A and the router.

There are some switches that will let you replicate traffic from one port to another. If I were using one of those switches, in this example, I could replicate port A to port B, which would allow PC B to see PC A’s traffic. It used to be that only high-end switches had this feature. I’ve been out of the corporate network world for a while now, so I don’t know if the price of any switch with this ability is anywhere near reasonable now. But I do know no consumer switch I’ve seen has this ability.

In the early days of ethernet, we didn’t have these smart switches. We had dumb hubs. Hubs blindly transmitted all traffic onto all ports:

If a hub were used in place of a switch, then PC B can see PC A’s traffic.
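The difference in what the monitoring port sees can be simulated in a few lines. This is an added example, not code from the original post; the port names, MAC addresses and sample frames are constructed, and the `Hub`, `Switch` and `sniffer_view` names are hypothetical.

```python
# Added illustration: which ports see a frame on a hub, a learning switch,
# and a switch with port mirroring. Port names and MACs are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Hub:
    def __init__(self, ports):
        self.ports = list(ports)

    def forward(self, in_port, src, dst):
        # A hub repeats every frame out of every port except the one it arrived on.
        return {p for p in self.ports if p != in_port}

class Switch:
    def __init__(self, ports, mirror=None):
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port it was last seen on
        self.mirror = mirror or {}   # monitored port -> port receiving copies

    def forward(self, in_port, src, dst):
        self.mac_table[src] = in_port            # learn where the sender lives
        if dst != BROADCAST and dst in self.mac_table:
            out = {self.mac_table[dst]} - {in_port}
        else:
            # Broadcast or not-yet-learned destination: flood like a hub.
            out = {p for p in self.ports if p != in_port}
        # Port mirroring copies traffic entering or leaving a monitored port.
        for watched, monitor in self.mirror.items():
            if (watched == in_port or watched in out) and monitor != in_port:
                out.add(monitor)
        return out

def sniffer_view(device, frames, sniffer_port):
    """Return the frames (by index) that reach sniffer_port."""
    return [i for i, (p, s, d) in enumerate(frames)
            if sniffer_port in device.forward(p, s, d)]

PORTS = ["arduino", "laptop", "router"]
ARDUINO, ROUTER = "de:ad:be:ef:fe:ed", "02:00:00:00:00:01"  # constructed MACs
FRAMES = [  # (ingress port, source MAC, destination MAC), constructed traffic
    ("arduino", ARDUINO, BROADCAST),  # e.g. an ARP request
    ("router", ROUTER, ARDUINO),      # reply, unicast
    ("arduino", ARDUINO, ROUTER),     # unicast
    ("router", ROUTER, ARDUINO),      # unicast
]

if __name__ == "__main__":
    print("hub:     ", sniffer_view(Hub(PORTS), FRAMES, "laptop"))
    print("switch:  ", sniffer_view(Switch(PORTS), FRAMES, "laptop"))
    print("mirrored:", sniffer_view(Switch(PORTS, {"arduino": "laptop"}), FRAMES, "laptop"))
```

On the plain switch the laptop only catches the broadcast frame; on the hub or the mirrored switch it catches the whole exchange.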

And that is how I monitor network traffic to dumb devices: I use a hub as a ‘wire splitter’ allowing me to connect a laptop to the Arduino so all network traffic can be monitored:


I’ve done this for many years and it works great. The only possible ‘problem’ is that hubs tend to run at 10BaseT (10 Mbit). But rarely do I need speed; I just need to see what is happening.

The real issue is finding a hub. I don’t know of anyone making them new any longer. You will almost certainly have to go to eBay to find one. Check very carefully to verify it is really a hub and not a switch. It should support the old 10BaseT protocol, not the more recent fast ethernet (100Base-T*). Fast ethernet is switched and that is not what we want.

I’ve been using an HP Advancestack Hub 8E since sometime in the 90’s (it is so old it has a thinnet BNC connector as well):


Netgear used to make a nice steel cased 4 port hub as well. It was as small as their current 4 port models which was handy.

Lastly, notice on the HP hub the Cascade Port. You could not hook a hub/switch to just any port on these old hubs. You would connect the uplink switch/hub cable into the cascade port. As I recall, this jack simply had the tx/rx pairs reversed because there was no auto sensing.



2 Responses to Sniffing *ALL* Arduino Network Packets

  1. Sean Straw says:

    Yea, I have an old 8 port 10bT hub on the equipment rack in my workspace at the office because it is dead simple to monitor traffic on some devices that way.

    Here’s a still active Amazon link for a 4-port hub:

    However, a good managed switch (not a basic $20 el-cheapo switch, but a managed one) should have “port mirroring” or similar, which allows you to monitor traffic on 100bT and gigabit networks (at least for traffic passing through that actual switch). I have a GS116E and several GS108E switches for my home network, and all of these support such features (as well as VLANS).

    This WireShark page can be a useful reference for locating switches with port mirroring capabilities:

    Note that you can also set up a system with two network interfaces and either bridge or route, thus it would be able to capture everything crossing it. There is also a device called the “Throwing Star LAN Tap” which you connect inline to a device (cable from switch to tap, cable from tap to device to be monitored), and then with separate cables you can tap either the TX or the RX for that device – it’s a bit more specialized and won’t function properly on gigabit links.

  2. Pingback: Using tcpdump with DD-WRT | Big Dan the Blogging Man
