I have a problem similar (if not identical) to https://ask.wireshark.org/questions/22194/dhcp-broadcast-packets-not-displayed . I am capturing packets from a Cisco SPAN port and watching a MacBook Pro perform a Netboot (BSDP, Apple's version of PXE booting).
I have Wireshark Version 1.12.4 (v1.12.4-0-gb4861da from master-1.12) on Windows 7 64 bit, with WinPcap 4.1.3.
If I perform the capture using a Linux box with tcpdump (a simple "tcpdump -i eth0 -s 0 -w mac-bsdp.pcap ether host d4:9a:20:xx:xx:xx") the full DHCP DORA is visible in the resulting file when read into Wireshark on Windows.
If I attempt to capture directly on the Windows box however, the DHCP Discover and Request packets do not appear to ever be captured. Other broadcasts from the device (ARPs for example) are captured.
I am not sure where to go next to troubleshoot the problem from here. I understood that WinPcap is lower in the network stack than most (all?) of the things suggested in the previous posting (VPN clients, AV, firewalls, etc.), and so turning them on or off, I would think, would not impact Wireshark's capture.
asked 29 Apr '15, 15:14
edited 05 May '15, 15:48
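To compare the tcpdump capture with the Windows capture described in the question without inspecting them by eye, the following added example (not part of the original post) counts DHCP message types per client MAC and reports which client-sent messages are absent. It assumes classic pcap files with Ethernet link type, as `tcpdump -w` writes them; a pcapng file would have to be saved as classic pcap first. The function names are this example's own.

```python
import struct, sys
from collections import Counter, defaultdict

TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",   # DHCP option 53
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def dhcp_type(frame):
    """Return (client MAC from chaddr, message type) for a DHCP frame, else None."""
    off, etype = 14, frame[12:14]
    if etype == b"\x81\x00":                 # one 802.1Q tag, if the capture keeps it
        off, etype = 18, frame[16:18]
    if etype != b"\x08\x00" or len(frame) < off + 20 or frame[off + 9] != 17:
        return None                          # not IPv4/UDP
    udp = off + (frame[off] & 0x0F) * 4
    if len(frame) < udp + 8 or set(struct.unpack("!HH", frame[udp:udp + 4])) - {67, 68}:
        return None                          # not the BOOTP/DHCP ports
    bootp = udp + 8
    if frame[bootp + 236:bootp + 240] != b"\x63\x82\x53\x63":
        return None                          # DHCP magic cookie missing
    mac = frame[bootp + 28:bootp + 34].hex(":")
    i = bootp + 240
    while i + 2 < len(frame) and frame[i] != 255:       # walk options until END
        if frame[i] == 53:
            return mac, TYPES.get(frame[i + 2], "TYPE_%d" % frame[i + 2])
        i += 1 if frame[i] == 0 else 2 + frame[i + 1]   # PAD has no length byte
    return None

def summarize(pcap):
    """Count DHCP message types per client MAC in a classic-pcap Ethernet capture."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
             b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    counts, pos = defaultdict(Counter), 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[pos + 8:pos + 12])[0]
        hit = dhcp_type(pcap[pos + 16:pos + 16 + incl])
        if hit:
            counts[hit[0]][hit[1]] += 1
        pos += 16 + incl
    return {mac: dict(c) for mac, c in counts.items()}

def missing_from_client(counts, mac):
    """Client-sent DORA messages absent for mac (the symptom in the question)."""
    return [t for t in ("DISCOVER", "REQUEST") if t not in counts.get(mac, {})]

if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. one file per capture host
        with open(path, "rb") as fh:
            print(path, summarize(fh.read()))
```

Messages are grouped by the BOOTP `chaddr` field, so the server's Offer and ACK are counted under the same client MAC as the client's own Discover and Request.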
Well, it appears you are correct, at least in part. I tried disabling the three most likely culprits, "VirtualBox Bridged Networking Driver", "Cisco AnyConnect Network Access Filter Driver", and "Sophos Client Firewall NDIS packet filter", and sure enough it started capturing properly.
However, in order to determine which one was the actual culprit, I enabled them one by one. The captures continued to work properly after enabling each one. So now they are all re-enabled, and it still appears to capture properly.
Clearly something was not working properly in the stack, and disabling and re-enabling those features fixed it. All without a reboot.
answered 04 May '15, 13:28
That's not necessarily the case; at least you can't tell for sure unless you know exactly where every piece of security software hooks itself into the TCP/IP stack.
Did you try to eliminate all security/network related software packages on your Windows system? If no: please do so, as that's the most likely reason for the effect you are seeing.
answered 30 Apr '15, 07:38
Kurt Knochner ♦