I have a problem similar (if not identical) to https://ask.wireshark.org/questions/22194/dhcp-broadcast-packets-not-displayed . I am capturing packets from a Cisco SPAN port and watching a MacBook Pro perform a Netboot (BSDP, Apple's version of PXE booting).

I have Wireshark Version 1.12.4 (v1.12.4-0-gb4861da from master-1.12) on Windows 7 64 bit, with WinPcap 4.1.3.

If I perform the capture using a Linux box with tcpdump (a simple "tcpdump -i eth0 -s 0 -w mac-bsdp.pcap ether host d4:9a:20:xx:xx:xx") the full DHCP DORA is visible in the resulting file when read into Wireshark on Windows.

If I attempt to capture directly on the Windows box however, the DHCP Discover and Request packets do not appear to ever be captured. Other broadcasts from the device (ARPs for example) are captured.

I am not sure where to go next to troubleshoot the problem from here. I understood that WinPcap is lower in the network stack than most (all?) of the things suggested in the previous posting (VPN clients, AV, Firewalls, etc), and so turning them on or off I would think would not impact Wireshark's capture.

Any ideas?

asked 29 Apr '15, 15:14

augustineas

edited 05 May '15, 15:48
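A check for the symptom described above, as an added example that is not part of the original post: it parses a classic libpcap file and reports which DHCP DORA steps each client MAC is missing, so a Windows-side capture can be compared against the Linux tcpdump file. The two sample captures and the client MAC are constructed inline, not taken from the poster's files.

```python
import struct
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}
DORA = ["Discover", "Offer", "Request", "Ack"]
BOOTP_MAGIC = b"\x63\x82\x53\x63"

def dhcp_messages(pcap_bytes):
    """Map client MAC -> DHCP message types found in a classic libpcap (not pcapng) file."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    offset, seen = 24, {}                        # skip the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])[0]
        frame = pcap_bytes[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                             # Ethernet/IPv4/UDP only
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 8 or not {67, 68} & set(struct.unpack("!HH", udp[:4])):
            continue                             # not BOOTP/DHCP ports
        bootp = udp[8:]
        if len(bootp) < 240 or bootp[236:240] != BOOTP_MAGIC:
            continue
        chaddr = ":".join(f"{b:02x}" for b in bootp[28:34])
        opts, i = bootp[240:], 0
        while i < len(opts) and opts[i] != 255:   # 255 = end option
            if opts[i] == 0:                      # pad option has no length byte
                i += 1
                continue
            code, length = opts[i], opts[i + 1]
            if code == 53:                        # DHCP Message Type
                seen.setdefault(chaddr, []).append(DHCP_TYPES.get(opts[i + 2], "other"))
            i += 2 + length
    return seen

def missing_dora(seen, mac):                      # DORA steps absent for one client
    return [m for m in DORA if m not in seen.get(mac, [])]

def _dhcp_frame(msg_type, client_mac):            # constructed minimal Ethernet/IPv4/UDP/BOOTP frame
    sport, dport = (68, 67) if msg_type in (1, 3) else (67, 68)
    bootp = bytes(28) + client_mac + bytes(202) + BOOTP_MAGIC + bytes([53, 1, msg_type, 255])
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + client_mac + b"\x08\x00" + ip + udp

def _pcap(frames):                                # little-endian classic libpcap, linktype 1
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

CLIENT_MAC = bytes.fromhex("d49a20010203")       # constructed, not the poster's real address
LINUX_CAPTURE = _pcap([_dhcp_frame(t, CLIENT_MAC) for t in (1, 2, 3, 5)])   # full DORA
WINDOWS_CAPTURE = _pcap([_dhcp_frame(t, CLIENT_MAC) for t in (2, 5)])       # broadcasts absent
```

Feed it the bytes of a real file (open(path, "rb").read()) to list the client-side broadcasts a capture driver dropped; unicast Offer/Ack frames from the server still appear even when Discover/Request do not.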


Well, it appears you are correct, at least in part. I tried disabling the three most likely culprits, "VirtualBox Bridged Networking Driver", "Cisco AnyConnect Network Access Filter Driver", and "Sophos Client Firewall NDIS packet filter", and sure enough it started capturing properly.

However, in order to determine which one was the actual culprit, I enabled them one by one. The captures continued to work properly after enabling each one. So now they are all re-enabled, and it still appears to capture properly.

Clearly something was not working properly in the stack, and disabling and re-enabling those features fixed it. All without a reboot.

Very strange.

answered 04 May '15, 13:28

augustineas

> (VPN clients, AV, Firewalls, etc), and so turning them on or off I would think would not impact Wireshark's capture.

That's not necessarily the case; at least, you can't tell for sure unless you know exactly where every piece of security software hooks itself into the TCP/IP stack.

Did you try to eliminate all security/network related software packages on your Windows system? If no: please do so, as that's the most likely reason for the effect you are seeing.

Regards
Kurt

answered 30 Apr '15, 07:38

Kurt Knochner ♦

> So now they are all re-enabled, and it still appears to capture properly.

The order in which each product has been "inserted" into the stack might have an influence on this as well...

(04 May '15, 13:56) Kurt Knochner ♦
last updated: 05 May '15, 15:53