This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark only capturing incoming packets

2
1

On my Windows 7 laptop I can only capture incoming packets; nothing shows up in the outbound direction. I've removed all firewall and VPN software installed on my system but it hasn't made any difference.

I get the same behaviour using wired or wireless NIC. Anyone have any suggestion of what I can try next?

asked 22 Nov '13, 15:03

dsuida

edited 15 Jan '14, 07:10

Kurt Knochner ♦

How did you 'remove' the VPN and Firewall software? By disabling it or by uninstalling it?

(22 Nov '13, 15:04) Kurt Knochner ♦

Same problem here, Windows 10, OpenVPN and Checkpoint VPN, Symantec firewall... and can see only incoming traffic....

(27 Apr '16, 06:25) kdani

2 Answers:

1

There have been several reports of that kind of behavior. In some cases there has been interfering software that intercepted outgoing packets in front of WinPcap and thus Wireshark never received those packets.

See here:

http://ask.wireshark.org/questions/11714/only-inbound-traffic
http://ask.wireshark.org/questions/17638/no-outgoing-packets
http://ask.wireshark.org/questions/14669/only-see-inbound-traffic

As both of your interfaces (wlan and ethernet) are affected, the problem is (most certainly) not related to TCP/IP offloading (another problem that can lead to missing traffic in one direction).

So, please try to uninstall ANY software that might interfere with the network traffic, like:

  • VPN
  • Firewall
  • AntiVirus
  • Endpoint Security
  • WAN Accelerator client software
  • any other software that 'hooks' into the TCP/IP stack

If that does not work, you can still boot your PC from a Linux CD or Flash drive and capture traffic there (Ubuntu and/or Kali Linux do work well).

Regards
Kurt

answered 22 Nov '13, 15:14

Kurt Knochner ♦

edited 22 Nov '13, 15:22

Saw those links and such and tried their recommendations before I posted. Uninstalled everything that I thought could possibly be interfering with the TCP/IP stack and then rebuilt the stack. Still having the same issue.

Booting up to a CD or from a USB is a pain. I'd like to find out what the issue is on my PC.

(23 Nov '13, 04:50) dsuida

> Booting up to a CD or from a USB is a pain.

Really? It just takes 1 minute on my system. How long will it take to find the problem in Windows? ;-)

> I'd like to find out what the issue is on my PC.

O.K. If you can't find any interfering software, did you think about installing Windows from scratch?

Or if that is not an option, to only capture the traffic with Microsoft Network Monitor (maybe that one works) and then analyze it with Wireshark?

(23 Nov '13, 09:30) Kurt Knochner ♦

I had similar issues when trying to capture with my 64-bit Windows 7 Pro machine. Restarting the PC and re-installing Wireshark didn't help. After removing the "SonicWALL Global VPN Client" software from the machine, Wireshark is now able to capture packets in both directions.

(29 Feb '16, 11:38) HC1

I can confirm uninstalling SonicWall's Global VPN Client cures an issue where Wireshark can see only inbound traffic.

(07 Sep '16, 15:27) kbulgrien

A much better solution than uninstalling the whole VPN software is to uncheck the VPN software item from the Properties>Networking section on the interface you are trying to capture. That way you can re-check it when you need to use it next time.

(04 Jan '17, 10:37) Hiro14

I found that my computer had something called DNE Lightweight Filter listed under the Ethernet properties>Networking tab section. I think this was installed by my SonicWall Global VPN application. If you see anything like 'filter' or 'vpn' service enabled on your ethernet adapter, you can disable it by unchecking the box. Then you should be able to capture source traffic again.

(04 Jan '17, 10:40) Hiro14

Excellent answer, thank you very much!

(29 Jan '17, 12:38) vasudevakama...

0

Hi,

Please try the latest Npcap 0.06 R10 here: https://github.com/nmap/npcap/releases

Npcap is an NDIS 6 filter driver and may intercept before software like firewalls, VPNs, etc., so you can see all the traffic.

answered 18 Mar '16, 18:05

Yang Luo

Hi,

I installed Wireshark 2.0.2 on Windows 10. Same problem, no incoming traffic captured. I installed the latest Npcap version: no change. I stopped my VPN clients and antivirus/fw: no change. I checked the Chimney offload parameter: disabled.

Any idea?

Regards.

Pascal

(11 Apr '16, 09:01) pmassu

@msmorten

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information. You've managed this a few times recently, please try to follow the site format and policy.

(11 Apr '16, 14:41) grahamb ♦

@pmassu

Hi. It's a weird case that has never happened before. As this also happens on WinPcap, it should not be a bug in Npcap.

I think it's because you have installed the wrong network drivers. Please uninstall any 3rd-party network drivers like the VPN and anti-virus you mentioned.

Notice: you only stopped those software clients (GUI). This is DIFFERENT from unloading their drivers. Their drivers are probably still running in the background.

You need to stop them manually using the "net stop <service_name>" command. If you have no idea how to do this, just uninstall them all. This is the best way to check.

(11 Apr '16, 17:26) Yang Luo

Hi, when I said in my previous comment that I installed Npcap, in fact I didn't pay attention, but the Npcap loopback adapter was not appearing, even when doing ipconfig. So I checked that all VPN, antivirus and firewall services were stopped and then reinstalled Npcap and Wireshark. Now the loopback adapter seems to be properly created and seen by Wireshark.

Npcap loopback adapter:

  • IP: 169.254.220.193
  • Net mask: 255.255.0.0
  • Default gateway: <none>

Network interface wi-fi:

  • IP: 192.168.1.110
  • Net mask: 255.255.255.0
  • Default gateway: 192.168.1.1

However, when I do a capture with Wireshark on the loopback interface, no traffic is captured.

(12 Apr '16, 01:12) pmassu

@pmassu

Like I said in the README of Npcap GitHub homepage, Windows will show IP of Npcap loopback adapter to be something like 169.254.220.193, but we should always regard its IP as 127.0.0.1 and ::1.

Not every system generates loopback traffic very fast. You could run "ping 127.0.0.1" and "ping ::1" commands, and check if the ICMP and ICMPv6 packets show up in Wireshark. If they are there, then your loopback interface is fine.

(12 Apr '16, 01:46) Yang Luo
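
The two checks raised in the comments above (Hiro14's look at the components bound to the adapter, and Yang Luo's point that drivers keep running after the client GUI is closed), as an added PowerShell example that is not part of the original thread. It assumes Windows 8 or later (the NetAdapter cmdlets are not available on Windows 7), an adapter named `Ethernet`, and that the `ms_` ComponentID prefix and the driver file's CompanyName are good-enough heuristics for "ships with Windows".

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
param(
    [string]$AdapterName = 'Ethernet'   # assumption: name of the capture interface
)

# 1. Components bound to the adapter. In-box Microsoft components use the 'ms_'
#    ComponentID prefix (heuristic), so any other enabled entry was added by
#    third-party software: VPN client, firewall, endpoint agent, capture driver.
$bindings = Get-NetAdapterBinding -Name $AdapterName -AllBindings |
    Where-Object { $_.Enabled -and $_.ComponentID -notlike 'ms_*' } |
    Select-Object Name, DisplayName, ComponentID,
        @{ Name = 'LooksLikeFilterOrVpn'
           Expression = { $_.DisplayName -match 'filter|vpn' } }

# 2. Kernel drivers that are still running even though the client GUI is closed.
#    The vendor is read from the driver file's version resource (heuristic).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', ''   # strip a leading \??\
        if (Test-Path -LiteralPath $path) {
            $vendor = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            if ($vendor -notmatch 'Microsoft') {
                [pscustomobject]@{
                    Service     = $_.Name          # the name "net stop" expects
                    DisplayName = $_.DisplayName
                    Vendor      = $vendor
                    Path        = $path
                }
            }
        }
    }

'Non-Microsoft components enabled on {0}:' -f $AdapterName
$bindings | Format-Table -AutoSize

'Running non-Microsoft kernel drivers:'
$drivers | Sort-Object Vendor | Format-Table -AutoSize

# To test one binding without uninstalling the product, then restore it:
#   Disable-NetAdapterBinding -Name $AdapterName -ComponentID '<ComponentID from the table>'
#   Enable-NetAdapterBinding  -Name $AdapterName -ComponentID '<ComponentID from the table>'
```

The capture driver itself (WinPcap or Npcap) also appears in the first table, so leave that entry enabled when testing the others.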