6

I used

sudo tcpdump -v -i eth0 ether proto 0x0842 or udp port 9

but didn't see anything when WakeMeOnLan from NirSoft wakes the computer.


The same with Wireshark


Dims
  • Target computer was turned off and can't execute any code. Source computer was running both `WakeOnLan` and `wireshark` – Dims Mar 16 '19 at 08:45

2 Answers

6

With this command you can reduce the output from tcpdump to just the MAC that was attempted to be woken:

tcpdump -UlnXi eth0 ether proto 0x0842 or udp port 9 2>/dev/null |
sed -nE 's/^.*20:  (ffff|.... ....) (..)(..) (..)(..) (..)(..).*$/\2:\3:\4:\5:\6:\7/p'

This catches wakeups from etherwake, ethertype 0x0842 (AMD magic packet format), and wakeonlan (UDP:9), but requires the interface to run in promiscuous mode.

Output for this example is like:

44:55:33:11:56:66
11:22:33:66:56:af
11:be:33:ef:56:af

To test from a different computer, use either of, e.g.:

wakeonlan 12:de:ad:be:ef:56
etherwake -i wlp2s0 -b 31:32:33:34:35:36

To catch only the ones coming via UDP (e.g. wakeonlan command), you can use this script that doesn't require promiscuous mode:

nc -dknl -p 9 -u |
 stdbuf -o0 xxd -c 6 -p |
 stdbuf -o0 uniq |
 stdbuf -o0 grep -v 'ffffffffffff' |
 while read ; do
   echo ${REPLY:0:2}:${REPLY:2:2}:${REPLY:4:2}:${REPLY:6:2}:${REPLY:8:2}:${REPLY:10:2};
 done

Instead of the while read ... echo blabla you could launch other actions.

Alex Stragies
3

Wikipedia has this to say about the structure of a Wake-on-LAN packet (emphasis mine):

The magic packet is a broadcast frame containing anywhere within its payload 6 bytes of all 255 (FF FF FF FF FF FF in hexadecimal), followed by sixteen repetitions of the target computer's 48-bit MAC address, for a total of 102 bytes.

Since the magic packet is only scanned for the string above, and not actually parsed by a full protocol stack, it could be sent as any network- and transport-layer protocol, although it is typically sent as a UDP datagram to port 0, 7 or 9, or directly over Ethernet as EtherType 0x0842.

So, your current capture filter is not guaranteed to catch all WOL packets. And according to the documentation, it seems the WakeMeOnLan application has multiple ways to send the WOL packet, so you might need to make a short unfiltered test capture to find out what kind of WOL packets the application is sending, and then tailor your filter accordingly.

telcoM
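The Wikipedia description quoted above says the pattern may sit anywhere in the payload and in any encapsulation, so a port- or EtherType-based filter can miss it. As an added example (not part of either answer), this Python code scans raw captured bytes for the pattern itself and returns the target MACs; the function names and the sample frame are constructed for illustration.

```python
SYNC = b"\xff" * 6   # six bytes of 0xFF that open the magic pattern
REPEATS = 16         # the target MAC follows, repeated sixteen times


def find_wol_targets(payload: bytes) -> list[str]:
    """Return the target MAC of every magic-packet pattern in payload.

    The search is offset-independent, so it works on a raw Ethernet frame,
    a UDP payload on any port, or any other encapsulation.
    """
    targets = []
    pos = payload.find(SYNC)
    while pos != -1:
        mac = payload[pos + 6:pos + 12]
        body = payload[pos + 6:pos + 6 + 6 * REPEATS]
        if len(mac) == 6 and body == mac * REPEATS:
            targets.append(":".join(f"{b:02x}" for b in mac))
            pos = payload.find(SYNC, pos + 6 + 6 * REPEATS)
        else:
            # Not a full pattern here (e.g. a broadcast destination MAC or
            # extra 0xFF padding); retry one byte further on.
            pos = payload.find(SYNC, pos + 1)
    return targets


def build_magic(mac: str) -> bytes:
    """Build the 102-byte pattern for a MAC (used for constructed samples)."""
    return SYNC + bytes.fromhex(mac.replace(":", "")) * REPEATS


def sample_frame(mac: str) -> bytes:
    """Constructed raw frame: broadcast dst, made-up src, EtherType 0x0842."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x42"
    return header + build_magic(mac)


if __name__ == "__main__":
    target = "12:de:ad:be:ef:56"   # MAC from the wakeonlan test command above
    print(find_wol_targets(build_magic(target)))             # bare UDP payload
    print(find_wol_targets(sample_frame(target)))            # raw Ethernet frame
    print(find_wol_targets(b"\xff\xff" + build_magic(target)))  # 0xFF padding
    print(find_wol_targets(build_magic(target)[:-6]))        # only 15 repeats
```

Feeding it the payload bytes of each packet from an unfiltered capture shows which transport the sending application actually uses.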