This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why can’t Wireshark catch packets?

0

Hi guys:

My OS is Windows XP. When I use Wireshark to catch the packets between a server and a client that are both running on my computer, I can't catch any packets between them. But on the other hand, when I use the command 'netstat' to show the connection between them, I still find it established.

Maybe I can figure out the reason why Wireshark catches no data (because their communication relies on loopback and the data isn't sent through an interface). But I really have no idea about the result that 'netstat' shows. In my opinion, netstat is tied to the TCP/IP protocol, and no three-way handshake means no established connection, so how can netstat show this kind of result? It's a very confusing and contradictory result.

The result looks like this:

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:60000 0.0.0.0:0 LISTENING 2924

TCP 172.16.80.65:60000 172.16.80.65:1827 ESTABLISHED 2924

asked 14 Jun '12, 01:11


waterjacky
accept rate: 0%

edited 14 Jun '12, 01:22


One Answer:

0

Unfortunately you cannot sniff the loopback interface on Windows with Wireshark (WinPCAP).

http://wiki.wireshark.org/CaptureSetup/Loopback

Regarding the netstat output (IP address not being the loopback address): what you see depends on the IP address used by the client to connect to the server.

telnet 127.0.0.1 445

TCP 127.0.0.1:1058 127.0.0.1:445 ESTABLISHED

telnet 192.168.30.142 445

TCP 192.168.30.142:1059 192.168.30.142:445 ESTABLISHED

BOTH connections won't show up in Wireshark, as both are handled internally in the IP stack.

Finally here is an explanation for the last line of your netstat output:

TCP 0.0.0.0:60000 0.0.0.0:0 LISTENING 2924
TCP 172.16.80.65:60000 172.16.80.65:1827 ESTABLISHED 2924

Windows shows ESTABLISHED connections in this format

LOCAL_ADDR:LOCAL_PORT REMOTE_ADDR:REMOTE_PORT.

If the connection was established from the same machine, you will see two entries:

TCP 172.16.80.65:60000 172.16.80.65:1827 ESTABLISHED 2924
TCP 172.16.80.65:1827 172.16.80.65:60000 ESTABLISHED xxxx

2924 is the PID of your server process and xxxx is the PID of your client process.

Please run the command netstat -nabo -p tcp (be patient, it can take some time) and review the result.

Example, after telnet localhost 445

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:445 127.0.0.1:1073 ESTABLISHED 4
TCP 127.0.0.1:1073 127.0.0.1:445 ESTABLISHED 2884

Regards
Kurt

answered 14 Jun '12, 01:38


Kurt Knochner ♦
accept rate: 15%

edited 14 Jun '12, 03:38
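An added example, not part of the original question or answer and not Wireshark's own code: a small Python parser over a constructed netstat -nao -p tcp listing that pairs the two swapped-endpoint rows of a same-machine connection and tells the server PID (the one that also owns the LISTENING socket on that port) from the client PID, which is what the netstat explanation above amounts to. The sample rows, PIDs and addresses are constructed for illustration.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport raddr rport state pid")

# Constructed sample of `netstat -nao -p tcp` output (not taken from the post):
# a LISTENING server socket, the server side of a same-machine connection,
# the client side of the same connection, and one unrelated remote connection.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:60000          0.0.0.0:0              LISTENING       2924
  TCP    172.16.80.65:60000     172.16.80.65:1827      ESTABLISHED     2924
  TCP    172.16.80.65:1827      172.16.80.65:60000     ESTABLISHED     3100
  TCP    172.16.80.65:1830      203.0.113.5:443        ESTABLISHED     3100
"""

# One TCP row: proto, local addr:port, foreign addr:port, state, pid.
LINE_RE = re.compile(r"^\s*(TCP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Parse the TCP rows of a netstat listing; header and non-matching lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append(Conn(proto, laddr, int(lport), raddr, int(rport), state, int(pid)))
    return conns


def pair_local_connections(conns):
    """Return (server_pid, client_pid, server_port) for every connection whose both
    ends live on this host, i.e. two ESTABLISHED rows with swapped endpoints and the
    same IP on both sides. The server side is the one whose local port also has a
    LISTENING socket; such traffic stays inside the IP stack and is not seen by WinPcap."""
    listening = {c.lport for c in conns if c.state == "LISTENING"}
    established = {(c.laddr, c.lport, c.raddr, c.rport): c
                   for c in conns if c.state == "ESTABLISHED"}
    pairs = []
    for (la, lp, ra, rp), c in established.items():
        peer = established.get((ra, rp, la, lp))  # the row with endpoints swapped
        if peer is None or la != ra:
            continue  # remote peer, or no matching second row on this host
        if lp in listening:  # c is the server side, peer is the client side
            pairs.append((c.pid, peer.pid, lp))
    return pairs
```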