This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I've been using an application for sending/receiving data to multiple devices which are configured with persistent routes through the network. It's been working fine on Windows XP. I switched to Win7 and found the application is no longer able to send data to the devices from the PC, but it can still receive data.

I have tried changing the NIC configuration to allow jumbo packets, and disabled the firewall and antivirus, but I am still not able to send the data.

When I install Wireshark on the Win 7 PC to capture data for analysis, surprisingly my application is able to send the data to the devices without any issues, but if I stop Wireshark and run the application again it is not able to send the data.

Can anybody tell me what modifications Wireshark is making to the PC to allow the data to transfer?

asked 18 Mar '15, 12:42

lav


If you select the option, Wireshark installs WinPcap, a driver to support capturing packets.

Update the NIC driver and reset TCP/IP using:

> netsh winsock reset catalog

> netsh int ip reset reset.txt

Restart the PC.

It will solve your problem but also remove any entries written by your security software. If you have the time, do a fresh install of Win 7 without any 3rd party software and install them one by one until you find the software that is causing the issue.

answered 19 Mar '15, 01:42

Roland

edited 19 Mar '15, 01:43

Hi Roland, thanks for your reply. I will try this and let you know the status. But I am still not clear why it is working when Wireshark is running. Do you have any information on that?

(19 Mar '15, 11:09) lav

Did you try my suggestions? When WinPcap is installed it bypasses the OS protocol stack. Search for WinPcap internals if you want to find out more.

(22 Mar '15, 05:41) Roland

Roland, I tried your suggestions but still no luck.

(01 Apr '15, 10:03) lav

Then the way forward is to do a fresh install of Windows without any 3rd party software.

(15 Apr '15, 07:11) Roland

@Roland,

You stated that "When winpcap is installed it bypasses the os protocol stack", but WinPcap is a filter driver that "taps" data traversing the OS stack; it should not interfere with that data, or the processing of it by other elements of the stack. If it did, then lots of applications would fail to work when it's installed, which isn't the case.

In this case the application did NOT work on Win 7 until the OP installed Wireshark and started a capture. This implies some config issue for the host\application\client that was overcome when making a capture, I still think promiscuous mode is the most likely suspect.

(15 Apr '15, 07:24) grahamb ♦

@grahamb,

My statement is based on this link. Maybe I misinterpreted the diagram. lav can confirm if he used promiscuous mode, but from what I understood he didn't and the problem is the sending of packets from the host, not towards it. I believe it is a host issue and the prettiest solution is to do a clean install of Windows.

(15 Apr '15, 10:34) Roland

The diagram in the link shows how a WinPcap application communicates with the NPF driver to receive (and send) data through the NIC. All other applications using the NIC are (hopefully) unaffected by the NPF driver.

Promiscuous mode is on by default (in Wireshark), and there have been other questions where running a capture caused an app to work that in the end were determined to be down to promiscuous mode enabling the receipt of packets that would normally have been dropped.

Until @lav reports back on whether turning promiscuous mode off affects anything, we won't know. Posting the capture made while the application is running would also be handy.

(15 Apr '15, 14:48) grahamb ♦

Thanks for explaining the diagram.

(15 Apr '15, 14:59) Roland

@Roland I tried a fresh installation of Win 7 without any third-party software and disabled all the security features, but I still have the same problem.

(01 Jun '15, 12:42) lav

@grahamb as you said, if I turn off promiscuous mode my application is not working. I tried to enable promiscuous mode for my 85279LM NIC as described at the following URL http://www.intel.com/support/network/sb/cs-005897.htm but my application is still not working.

(01 Jun '15, 12:49) lav

You say things change "when Wireshark is running". Do you mean making a capture or just viewing a capture? If when making a capture then possibly it might be because the capture interface is set to promiscuous mode.

answered 19 Mar '15, 13:51

grahamb ♦

Hi Graham, I mean when I am making a capture with Wireshark my application is also able to send data to the devices.

I didn't get your point why capturing in promiscuous mode will allow my application to transfer data fine on Win 7.

(21 Mar '15, 18:18) lav

Apart from enabling WinPcap to transfer data frames to a user application (such as Wireshark) the other thing that changes is that the interface you are capturing on is (usually) set to promiscuous mode. That's enabled by the checkbox "Use promiscuous mode on all interfaces" on the Capture Options dialog and by the "Capture packets in promiscuous mode" checkbox on each individual Edit Interfaces settings dialog.

Promiscuous mode means that all packets passing by the interface are captured, not just those "addressed" to the interface (either uni- or multi-cast).

Try turning off promiscuous mode when capturing and see if your application then works correctly.

(23 Mar '15, 11:38) grahamb ♦

I will try turning promiscuous mode off to check whether my application still communicates well or not.

(17 Apr '15, 12:11) lav

Hi Graham,

Promiscuous mode is what makes my application work fine. Is there any workaround to make it work without using Wireshark in promiscuous mode?

(17 Jun '15, 12:45) lav

Posting a link to a capture file will give us the actual info, so I'm just guessing here. Some more details on what protocol you are using would be helpful.

It seems odd that you can't "send" without promiscuous mode being on, normally promiscuous mode affects reception, what do you mean by "send"? Maybe your application expects a response from the "send" to confirm it was sent and the response isn't being received because it's addressed to some other host and only by enabling promiscuous mode does it allow your PC to receive it.

(17 Jun '15, 15:05) grahamb ♦

@grahamb can you give me your mail ID to send the capture files? I am not comfortable posting them publicly.

(18 Jun '15, 10:09) lav

You can see my email address in Wireshark -> Help -> About -> Authors, usually 1 click of the scroll bar down.

(18 Jun '15, 12:07) grahamb ♦

@grahamb I have sent the capture files to your mail. Please have a look at them.

(26 Jun '15, 05:05) lav

Hi Graham, did you have a chance to look into the log files I sent?

(03 Jul '15, 18:31) lav

Been a bit busy with SharkFest, but hopefully this weekend.

(03 Jul '15, 20:22) grahamb ♦

Okay, thanks Graham.

(06 Jul '15, 06:40) lav

Investigation of the captures provided privately by @lav showed that the ftp data transfers were causing ICMP "Fragmentation Needed" responses due to the IP "Don't Fragment" flag being set, but the ICMP responses were addressed to MAC address 00:00:00:00:00:02.

This wasn't the MAC address of the originator of the too-big packets, so with promisc mode off, the ICMP message was discarded and the sender continued with the "Don't Fragment" flag set and failed to get any response.

With promisc mode on, the ICMP message was received and the ftp data retransmitted with the "Don't Fragment" flag cleared.

(28 Jul '15, 09:19) grahamb ♦
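
A check for the failure described in the comment above, as an added example that is not part of the original thread: it walks Ethernet/IPv4 frames from a promiscuous-mode capture and flags ICMP "Fragmentation Needed" messages whose Ethernet destination is not the MAC the addressed host transmits from. The function names, IP addresses, MTU and every MAC except 00:00:00:00:00:02 are constructed for illustration, and the check assumes the host's own outgoing traffic appears earlier in the capture.

```python
import socket
import struct

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build(dst_mac, src_mac, src_ip, dst_ip, proto, payload):
    """Constructed Ethernet/IPv4 frame (DF set, checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                     64, proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + payload

def parse(frame):
    """Return (dst_mac, src_mac, src_ip, dst_ip, proto, l4) or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    return (frame[0:6].hex(":"), frame[6:12].hex(":"),
            socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
            frame[23], frame[14 + ihl:])

def misaddressed_frag_needed(frames):
    """Find ICMP type 3 / code 4 whose Ethernet destination is not the MAC
    that the destination IP itself was seen transmitting from."""
    seen = {}       # IP -> MAC it was first seen sending from
    findings = []
    for frame in frames:
        parsed = parse(frame)
        if parsed is None:
            continue
        dst_mac, src_mac, src_ip, dst_ip, proto, l4 = parsed
        seen.setdefault(src_ip, src_mac)
        if proto == 1 and len(l4) >= 8 and l4[0] == 3 and l4[1] == 4:
            owner = seen.get(dst_ip)
            if owner is not None and owner != dst_mac:
                mtu = struct.unpack("!H", l4[6:8])[0]  # next-hop MTU field
                findings.append((dst_ip, owner, dst_mac, mtu))
    return findings

# Constructed sample; only 00:00:00:00:00:02 is taken from the thread.
HOST, ROUTER = "02:00:00:00:00:0a", "02:00:00:00:00:01"
ICMP = struct.pack("!BBHHH", 3, 4, 0, 0, 1400)  # frag needed, next-hop MTU 1400
SAMPLE = [
    build(ROUTER, HOST, "192.0.2.10", "198.51.100.5", 6, b"\x00" * 20),
    build("00:00:00:00:00:02", ROUTER, "192.0.2.1", "192.0.2.10", 1, ICMP),
    build(HOST, ROUTER, "192.0.2.1", "192.0.2.10", 1, ICMP),
]

if __name__ == "__main__":
    for ip, owner, dst, mtu in misaddressed_frag_needed(SAMPLE):
        print(f"ICMP frag-needed (MTU {mtu}) for {ip} sent to {dst}, host is {owner}")
```

Only the second sample frame is reported; the third carries the same ICMP message addressed to the host's real MAC, which the NIC would accept without promiscuous mode.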

Typically, when an application "works" when Wireshark is running, the issue is related to the use of IP multicast by the application.

IP multicast has mechanisms to enable certain IP multicast packets to be accepted by the NIC and processed by the OS. If these mechanisms aren't working for some reason, then setting the NIC to promiscuous (as Wireshark does) allows all packets to be accepted by the NIC to be available for processing by the OS.

A web search for "windows xp 7 multicast" shows some hits which may be relevant.

A web search as to how IP multicast works may also be helpful.

answered 17 Jun '15, 17:31

Bill Meier ♦♦

question asked: 18 Mar '15, 12:42

question was seen: 1,948 times

last updated: 28 Jul '15, 09:19
