This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

received Multicast DNS not showing in Wireshark

0

Hi,

I have a Windows 7 laptop connected wirelessly to the network. On this laptop I try to capture Multicast DNS traffic coming from the network, but I never receive any MDNS packets.

I do see the MDNS packets sent by the laptop.

I also monitor with the AirPCAP tool and there I do see that the AP is sending out the MDNS packets.

I hope to find out why this is not showing in the Wireshark trace on the laptop.

Laptop info: Wireshark version: 1.12.8, Windows 2007 professional, Intel(R) Centrino(R) Advanced-N 6205

asked 20 Nov '15, 04:25

BartS

Do you see other Multicast/Broadcast traffic while you are capturing on your wifi interface on Windows (without using AirPcap)?

(20 Nov '15, 04:38) Kurt Knochner ♦

I do see other broadcast and multicast traffic arriving at the interface.

(25 Nov '15, 00:24) BartS

Is this an open wifi network or encrypted? Can you provide a capture file (upload to Dropbox and post the link here)?

(25 Nov '15, 00:57) Kurt Knochner ♦

I also tried the same thing with Tshark, but also there I am not seeing any MDNS packets. Could it be that Windows is filtering those packets out before it can be used by WinPCAP?

(25 Nov '15, 01:57) BartS

One Answer:

1

> Could it be that Windows is filtering those packets out before it can be used by WinPCAP?

Could be some kind of security software on the capturing device that filters MDNS traffic. Please disable that kind of software if it's installed on the capturing system, like: AV, IPS/IDS, Endpoint Control, VPN clients, etc.

See my answer to a similar problem, although yours is different.

https://ask.wireshark.org/questions/28909/no-outgoing-packets

Regards
Kurt

answered 25 Nov '15, 09:30

Kurt Knochner ♦

As a test I also tried the same on our lab PC, which is also Windows 7, with Firewall and AV disabled. This also gives the same result.

Still have to test the removal of some VPN adapters that are active on both test systems.

(25 Nov '15, 13:40) BartS

Is this an open wifi network or do you have to decrypt it in Wireshark?

(25 Nov '15, 13:48) Kurt Knochner ♦

This is a WPA2/AES network I am connected to.

Did some additional troubleshooting and removed the VPN interfaces as well => still no improvement. Solution => just installed a Linux laptop with Wireshark on it. Now I see all the MDNS traffic.

This gives me some trust issues with the captures I am taking on my Windows laptop.

(27 Nov '15, 03:56) BartS

> just installed a Linux laptop with Wireshark on it. Now I see all the MDNS traffic.

O.K. then I guess it's related to some software on your Windows system.

> This gives me some trust issues with the captures I am taking on my windows laptop.

Well, yes. Capturing should be done on a 'trusted' system, known to work. What you can do is to run Kali Linux (or any other distribution) from a USB flash drive.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(27 Nov '15, 08:17) Kurt Knochner ♦