I have Wireshark 1.10.7 running on a win7 machine with an Intel Pro/1000T NIC. I have the NIC configured without an IPv4 or IPv6 address and have the interface options set to promiscuous mode. The NIC is connected to a switch port that is configured to mirror all traffic to it from 1 other port. On that other port I have host sending a ping through the switch to another device that is responding. The Wireshark capture shows the ICMP requests, plus other background traffic from the same host, and some broadcast and multicast traffic, but no unicast traffic from any other host, including replies from the ping target. I have another Wireshark instance on an old Win31 laptop that, if plugged in place of the win7 machine, shows all traffic (ICMP requests, and responses, plus broadcast, multicast and traffic from other hosts). How do I fix the Win7 machine to capture all traffic? I've uninstalled and reinstalled Wireshark and WinPcap twice, including removing all user settings, and have updated the NIC driver, without success. This question is marked "community wiki". asked 09 Jun '14, 17:17  Jeff J showing 5 of 14 show 9 more comments |
One Answer:
Sounds like 'something' on your Win7 system prevents Wireshark from seeing all traffic. Please read the other questions tagged with 'outbound'. Usually its some piece of security software that causes the trouble
If any of that is installed on your Win7 system, disable or better uninstall it and then try again. Regards answered 10 Jun '14, 03:28  Kurt Knochner ♦ |
I ran into this same issue while assisting someone remotely troubleshoot a SIP softphone registration issue.
The Wireshark trace running on the customer PC along with the SIP softphone would show the responses from the server to the client, but never any of the Registration requests from the client to the server.
I then ping'd the server from the Win7 machine, and wireshark only showed the replies, not the requests.
Changed from wireless adapter to wired Ethernet port, and same results.
OS is win7 32-bit. No 3rd party firewall/AV/A-MW. Disabled windows firewall, uninstalled wireshark 1.10.7 and winpcap. Reinstalled...same thing.
This issue seems to not be going away and only increasing in reports. I completely understand the troubleshooting process of asking people to uninstall AV/Firewalls/VPN Clients, but are there any reports of anyone zeroing in on the source of the issue?
Yes, VPN clients and Endpoint Security!
Some of it is the way WinPCap fits into the network stack. WinPCap is an NDIS 5 Driver, if someone were to rewrite it to NDIS 6 then things might get better.
NDIS is explained here.
@grahamb,
Thank you for taking the time to respond with a very informative and helpful explanation for people like me who are simply trying to further their understanding of this issue.
I noticed that Microsoft Network Monitor uses NDIS 5 and NDIS 6. If I have read correctly, NDIS 6 supports wifi monitor mode which is why MNM can capture 802.11 traffic and Wireshark (windows) cannot.
If the above is true, I am extremely surprised it has not already been written with NDIS 6+ support.
Again, thanks for the education.
Travis
It takes time, and unfortunately those who have the ability don't have the spare time. It's a non-trivial undertaking.
To me it looks like the Winpcap project has stalled or is abandoned. People with an intrest to contribute should make their voice heard or do a fork. Just my 2 cents.
I agree. There seems to be no interest in developing WinPcap any further. I guess packet capturing on Windows is not a big business, neither commercially nor for an open source project.
As @grahamb said: re-writing the code for NDIS6 is a non-trivial undertaking. As there is not much 'fame' to earn by that kind of projects, the motivation to invest is probably not very high. Even Microsoft dropped 'support' for Network Monitor, as there was not much attention to that project, although it had some interesting aspects, especially that the dissectors (parser) were generated from a DSL and executed in a virtual machine. I wish they would donate the whole source code to the public, not just the parsers.
Network Monitor lives on in the guise of the new uber app Message Analyzer that can also handle log files and other Windows trace files.
I would love to have the time to space to rewrite WinPCap, I made a start to get it running with the latest WDK but it's quite a task.
well, that's the official story ;-) However, capturing network traffic with Message Analyzer is a total mess.
As they wrote in one of their blogs, they consider network packet capturing to be dead, so my interpretation is: they don't care too much about tools supporting network traffic capturing and/or analysis, that's why they abandoned Network Monitor and that's why support for packet analysis in Message Analyzer is less than worse, which in turn is good for Wireshark ;-)
Nevertheless, WinPcap needs a refresh to support Win 8.1 properly, as there have already been reports here about problems on Windows 8.1. The same holds true if Microsoft is going to release Windows 9. So, I wonder what the future of WinPcap and Wireshark will be on the Windows platform?
I personally have had no issues with WinPCap on two separate 8.1 machines.
I haven't tried Message Analyzer. As the blog then says in the first line "Long live capture". The essence is they are fusing all kinds of capture together in one interface, whether it works well at all I couldn't say. Wireshark is also moving in this direction for some things.
Adding links that may be of interest http://www.winpcap.org/pipermail/winpcap-users/2014-January/004855.html
http://www.winpcap.org/pipermail/winpcap-users/2014-February/004865.html
@Anders: thanks for the links.
Here is the download link for NPcap 1.x (NDIS 6 'enhanced' WinPcap): https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/installer/
I'm not sure there is much fame to be gained by writing for Wireshark either :-)
well... it's up to you to make that judgement. At least it's more 'fame' than for WinPcap ;-)) Only few people have ever heard of WinPcap and even fewer know what it is good for. A lot more know Wireshark. So, please keep contributing :-) I wish I had the time (and patience) to contribute code myself. Maybe some time ....