Filtering for wake on LAN-Packets

Question
-
Hello everybody,
I've been investigating this already several times but with no result. I administrate a home network with about 15 clients and 1 server which runs Windows Home Server 2011.
One of these clients is woken up randomly by wake on LAN (this is not a confirmed fact, but in my opinion the only plausible explanation). There is no obvious behaviour pattern and this is annoying for me because I have to pay the electricity bill ( ---> 600 Watt power supply ). So I installed Network Monitor on the WHS to search for magic packets and their source, but I found no appropriate filter to do so. I've tried this filter:
Ethernet.DestinationAddress == Broadcast OR
Ethernet.DestinationAddress == 00-26-2D-0A-25-CA AND
Framelenght == 102 AND //This is invalid, but I found no valid equivalent
FrameVariable.FrameData ContainsBin(FrameData, HEX, "00 26 2D 0A 25 CA 00 26 2D 0A 25 CA")
As you can see, I tried to build a filter around the characteristics of the magic packet. In my last capture there was no WOL packet but a lot of MAC-address-based noise like ARP and DHCP.
Does anyone have an idea for a proper filter? (Or maybe why the PC is booting?)
Thanks in advance! :-)
Tuesday, May 22, 2012 9:25 PM
Answers
-
I can help with the filter, though I'm not sure whether this is a WOL problem or not. Though one thought would be to turn off WOL in the BIOS if you want to rule that out.
(Ethernet.DestinationAddress == Broadcast OR
Ethernet.DestinationAddress == 00-26-2D-0A-25-CA) AND
FrameVariable.FrameLength == 102 AND
ContainsBin(FrameData, HEX, "00 26 2D 0A 25 CA 00 26 2D 0A 25 CA")
FrameVariable has the frame length and other frame-related metadata. ContainsBin takes as its first param "FrameData", which tells us what to search.
Also, since you are sniffing on the WHS, you must put it in promiscuous mode. By default it will only listen to traffic destined to its NIC. It will see the broadcasts, but not if the packet's destination is the machine in question. The second issue, which might be harder to affect, is that routers/switches will block traffic in many cases. So the WOL packet, or other traffic, that is not destined for the capturing machine might never reach it. One solution around this problem is to configure your routers to forward traffic (usually called port mirroring or port spanning). Another possibility is to use a dumb hub and attach it to the client machine. Then hook up another machine running Network Monitor in promiscuous mode.
Thanks,
Paul
- Proposed as answer by Paul E Long Tuesday, June 5, 2012 2:02 PM
- Marked as answer by Besieger Tuesday, January 8, 2013 3:53 PM
Tuesday, May 29, 2012 3:24 PM
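The check the filter in the answer above aims at, as an added example that is not part of the original thread and is not Network Monitor code: a Python function that searches a raw Ethernet frame for the full magic-packet pattern (6 bytes of 0xFF followed by 16 repetitions of the target MAC) and reports who sent it. It goes beyond the filter by matching the pattern regardless of frame length or carrier (raw EtherType 0x0842 or IPv4/UDP); the sample frames, sender MAC and IP addresses are constructed.

```python
import struct

TARGET_MAC = bytes.fromhex("00262D0A25CA")  # MAC address used in the filter above
SYNC = b"\xff" * 6                          # a magic packet starts with 6 x 0xFF

def fmt_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)

def find_magic_packet(frame, target=TARGET_MAC):
    """Return details of a magic packet for `target` in a raw Ethernet frame, else None."""
    pattern = SYNC + target * 16            # 6 + 16*6 = 102 bytes
    offset = frame.find(pattern, 14)        # search after the 14-byte Ethernet header
    if offset < 0:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]),
            "ethertype": ethertype, "offset": offset,
            "src_ip": None, "udp_dport": None}
    # If the carrier is IPv4/UDP, also report the sender's IP and the UDP port.
    if ethertype == 0x0800 and frame[14] >> 4 == 4 and frame[23] == 17:
        ihl = (frame[14] & 0x0F) * 4
        info["src_ip"] = ".".join(str(b) for b in frame[26:30])
        info["udp_dport"] = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return info

# --- Constructed sample frames (not from a real capture) ---
BCAST = b"\xff" * 6
SENDER = bytes.fromhex("020000000001")      # made-up locally administered MAC
PAYLOAD = SYNC + TARGET_MAC * 16

def sample_frames():
    raw_wol = BCAST + SENDER + b"\x08\x42" + PAYLOAD
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 130, 0, 0, 64, 17, 0,
                     bytes([192, 168, 1, 20]), bytes([192, 168, 1, 255]))
    udp = struct.pack("!HHHH", 40000, 9, 110, 0)   # UDP port 9 chosen for the sample
    udp_wol = BCAST + SENDER + b"\x08\x00" + ip + udp + PAYLOAD
    # Noise: contains the MAC twice in a row but not the full pattern.
    noise = BCAST + SENDER + b"\x08\x06" + TARGET_MAC * 2 + bytes(100)
    return {"raw_wol": raw_wol, "udp_wol": udp_wol, "noise": noise}

if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(name, len(frame), find_magic_packet(frame))
```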
All replies
-
Thanks for your reply Paul! :-)
I have considered the issue with the switch already, but I hope this doesn't come into effect because WOL packets should be sent by broadcast as far as I know. I haven't tested the filter you contributed so far, but I will let you know then right here :-)
Sunday, June 3, 2012 11:50 PM