Hi, I have a Windows 7 laptop connected wirelessly to the network. On this laptop I try to capture Multicast DNS traffic coming from the network, but I never receive any MDNS packets. I do see the MDNS packets sent by the laptop. I also monitor with the AirPcap tool and there I do see that the AP is sending out the MDNS packets. I hope to find out why this is not showing in the Wireshark trace on the laptop.

Laptop info:
Wireshark version: 1.12.8
Windows 2007 Professional
Intel(R) Centrino(R) Advanced-N 6205

asked 20 Nov '15, 04:25 BartS
One Answer:
Could be some kind of security software on the capturing device that filters MDNS traffic. Please disable that kind of software if it's installed on the capturing system, like: AV, IPS/IDS, Endpoint Control, VPN clients, etc. See my answer to a similar problem, although yours is different.
Regards

answered 25 Nov '15, 09:30 Kurt Knochner ♦

As a test I also tried the same on our lab PC, which is also Windows 7, with firewall and AV disabled. This also gives the same result. Still have to test the removal of some VPN adapters that are active on both test systems. (25 Nov '15, 13:40) BartS

Is this an open wifi network or do you have to decrypt it in Wireshark? (25 Nov '15, 13:48) Kurt Knochner ♦

This is a WPA2/AES network I am connected to. Done some additional troubleshooting, and removed the VPN interfaces as well. => still no improvement. Solution => just installed a Linux laptop with Wireshark on it. Now I see all the MDNS traffic. This gives me some trust issues with the captures I am taking on my Windows laptop. (27 Nov '15, 03:56) BartS
O.K. then I guess it's related to some software on your Windows system.
Well, yes. Capturing should be done on a 'trusted' system, known to work. What you can do is to run Kali Linux (or any other distribution) from a USB flash drive.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(27 Nov '15, 08:17) Kurt Knochner ♦
Do you see other Multicast/Broadcast traffic while you are capturing on your wifi interface on Windows (without using AirPcap)?
I do see other broadcast and multicast traffic arriving at the interface.
Is this an open wifi network or encrypted? Can you provide a capture file (upload to Dropbox and post the link here)?
I also tried the same thing with TShark, but there I am also not seeing any MDNS packets. Could it be that Windows is filtering those packets out before they can be used by WinPcap?