
NTP responses are not shown by Wireshark once added to NLB

0

I have two servers running Windows Server 2008; both are running with a third party NTP server.

Before adding the server to NLB, when I sent NTP requests to the server's IP address I could see the request and response in Wireshark. Whereas, once I add the server to NLB and send the NTP request to the NLB IP, I could see only the NTP requests hitting the server, and there were no NTP responses shown in Wireshark. Meanwhile, with another packet capturing tool (Microsoft Network Monitoring tool) I could see both request and response for all NTP packets. Also, the NTP server's log shows both request and response.

  1. Microsoft Net Mon Capture - https://www.dropbox.com/s/um8ijkn1v25w9nf/Net%20Mon%20Capture.JPG?dl=0
  2. NTP Software Log - https://www.dropbox.com/s/a97h6jip709z8p9/NTP%20Software%20Log.JPG?dl=0
  3. Wireshark Capture - https://www.dropbox.com/s/wnarmznip9i9smb/Wireshark%20Capture.JPG?dl=0

Compare the timing across all three pics. At 12:30:12 PM there is an incoming NTP request from 10.238.59.3 (Client) hitting 10.238.160.1 (NLB IP address), and no response was shown in Wireshark, but the response can be seen in both the NTP server trace and the NetMon tool trace.

The same can be found for subsequent requests as well.

Initially I tried with Wireshark v1.10.7 and later I checked with 1.12.x (which seems to be the latest version), but that didn't help.

Note: I have 2 interfaces in the server, but one NIC is disabled.

Let me know if this is a bug with Wireshark. If not, kindly give me a suggestion to get the responses in Wireshark.

Thanks, Ashok Prabhu. J

asked 19 Nov '14, 21:04

Ashok
accept rate: 0%

edited 20 Nov '14, 01:38

Kurt Knochner ♦


One Answer:

1

Let me know if this is a bug with Wireshark. If not, kindly give me a suggestion to get the responses in Wireshark.

No, this is not a bug, it's a "limitation" of WinPcap (the capturing sub-system of Wireshark). It is related to the way WinPcap is inserted into the kernel to capture frames. If anything in the kernel "removes" the frames before WinPcap is able to see them, then you won't see anything in Wireshark. This is a known issue and is being reported for some security software as well (VPN clients, AV, IDS/IPS, Endpoint Security, etc.).

See here:

https://ask.wireshark.org/tags/outbound/

Regards
Kurt

answered 20 Nov '14, 01:38

Kurt Knochner ♦
accept rate: 15%

Hi Kurt,

Thanks for your prompt response. Let me go through other posts and come back if I have any questions. Till then let the post be open.

Regards, Ashok Prabhu. J

(20 Nov '14, 01:45) Ashok
1

Let me go through other posts and come back if I have any questions.

If you are looking for a solution, I have bad news for you. There is no solution, except uninstalling the "offending" software, which would be kind of "tricky" in the case of NLB ;-)

So, your option is: Capture the traffic with Microsoft Network Monitor, if that works with NLB, and do the analysis with Wireshark.

(20 Nov '14, 01:53) Kurt Knochner ♦
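As an added example (not from this thread or from Wireshark/WinPcap), here is a small check that pairs NTP client requests with server responses in a capture summary, so that a one-directional capture like the one the answer describes (requests visible, responses swallowed before the capture driver sees them) is flagged instead of being mistaken for a silent server. The sample records are constructed, using the client and NLB addresses from the question; the tshark field list in the comment is an assumption about how such a summary would be exported.

```python
# Added example, not code from the original thread.
# Each record is (timestamp, src, dst, ntp_mode). NTP mode 3 is a client
# request, mode 4 a server response. Such a summary could be exported with,
# e.g., tshark -T fields -e frame.time -e ip.src -e ip.dst -e ntp.flags.mode
# (assumed export format; the records below are constructed by hand).

# Constructed: what a WinPcap-based capture on the NLB node showed.
WIRESHARK_ONLY_REQUESTS = [
    ("12:30:12.001", "10.238.59.3", "10.238.160.1", 3),
    ("12:30:13.004", "10.238.59.3", "10.238.160.1", 3),
]

# Constructed: what Network Monitor (and the server log) showed.
NETMON_BOTH_DIRECTIONS = [
    ("12:30:12.001", "10.238.59.3", "10.238.160.1", 3),
    ("12:30:12.002", "10.238.160.1", "10.238.59.3", 4),
    ("12:30:13.004", "10.238.59.3", "10.238.160.1", 3),
    ("12:30:13.005", "10.238.160.1", "10.238.59.3", 4),
]


def pair_ntp(frames):
    """Return (answered, unanswered): timestamps of requests that did or
    did not get a matching mode-4 response from server back to client."""
    pending = []  # (request timestamp, client, server) still waiting
    answered = []
    for ts, src, dst, mode in frames:
        if mode == 3:
            pending.append((ts, src, dst))
        elif mode == 4:
            # Match the oldest outstanding request for this client/server pair.
            for i, (req_ts, client, server) in enumerate(pending):
                if src == server and dst == client:
                    answered.append(req_ts)
                    del pending[i]
                    break
    unanswered = [req_ts for req_ts, _, _ in pending]
    return answered, unanswered


def capture_verdict(frames):
    """Classify the capture: blind to one direction, partly lossy, or complete."""
    answered, unanswered = pair_ntp(frames)
    if unanswered and not answered:
        return "one-directional: requests only, no responses seen"
    if unanswered:
        return f"{len(unanswered)} unanswered request(s)"
    return "both directions seen"


if __name__ == "__main__":
    print("Wireshark summary:", capture_verdict(WIRESHARK_ONLY_REQUESTS))
    print("NetMon summary:   ", capture_verdict(NETMON_BOTH_DIRECTIONS))
```

When every request in a capture comes back unanswered while the server log shows replies, the gap is in the capture path, which is the comparison Kurt's answer recommends making before suspecting the NTP service.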