This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Source/client packets don’t display in wireshark but inbound response packet are seen

0

Weird issue. I used to see all outbound and inbound packets in wireshark on my Lenovo Thinkpad T520 but now I can't see or capture any outbound packets but I certainly see the inbound/response packets. I am using Win7, fully patched, with 1.8.1 currently but upgrading didn't help. My colleagues who have T520 models works without issue. I have removed the network drivers and re-installed them. Anyone have any ideas why this might be happening?

asked 09 Jul '13, 16:28

markvi's gravatar image

markvi
11112
accept rate: 0%

Is this a wired or wireless connection? If wired, are there VLAN tags present?

(09 Jul '13, 16:38) Jasper ♦♦

Is it possible that you have more than 1 interface and outbound packets are leaving on one interface while inbound packets are arriving on another interface? Wireshark 1.8 supports capturing on multiple interfaces simultaneously, so you could try doing that.

Do you have any capture filter applied which might be excluding outbound packets?

(09 Jul '13, 17:58) cmaynard ♦♦

The laptop has both a wired and wireless interface. I have tried the various combinations including enabling both, selected only the wired, selecting only the wireless, etc and no combo seems to make a difference. I have verified there is no filter attached and the settings look correct.

(10 Jul '13, 06:16) markvi

One Answer:

1

I guess it's some interfering software (AV, Firewall, Endpoint Security, VPN Client, etc.). Disable all of them OR boot the system with a bootable Linux CD (BackTrack, Ubuntu, Knoppix) and then try again, just to rule out any hardware problems. If it works with Linux, it's most certainly some software on your system or a system setting (TCP offloading in the driver, etc. - see links below).

Please see also (my) answers to the following questions (especially regarding chimney).

http://ask.wireshark.org/questions/11714/only-inbound-traffic
http://ask.wireshark.org/questions/13131/wireshark-does-not-capture-packets-w-payloads
http://ask.wireshark.org/questions/17865/tcp-retransmits-on-windows-server-for-slow-connections

Regards
Kurt

answered 10 Jul '13, 01:10

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 10 Jul '13, 01:10

Thanks for the info. I can try using the Linux boot approach to rule out hardware.

(10 Jul '13, 06:18) markvi

O.K. If that works, please disable chimney first (see one of the links) and then check for any interfering software (see above).

(10 Jul '13, 07:09) Kurt Knochner ♦