This is our old Q&A Site. Please post any new questions and answers at

I have my PC connected to a CISCO switch port with the port in SPAN - However I see some traffic initiated by the PC. these appear to be broadcasts of Netbios name resolutions I tried changing the binding on the port and removed all protocols - that shuts the port down and I can not use it for capture. I happen to have Airmagnet software installed on this PC and binding it just to that does appear to work.
Is there a way on windows to keep the port up but not have it used for anything so I can see only traffic initiated from elsewhere? For example a "Wireshark capture protocol" that can be selected for the port? TIA Ross

asked 13 Sep '16, 15:37

rjwilson01's gravatar image

accept rate: 0%

edited 13 Sep '16, 18:56

Guy%20Harris's gravatar image

Guy Harris ♦♦

I operate in this manner all the time with my WindowsXP, Windows7, and Windows8.1 OSs. I deselect all the bindings and then can only receive traffic, which it does. I recommend this to my colleagues when they have a dedicated wired sniffing adapter. This works with Linux as well if I zero out the IP address.

Except for the (hopefully) minor inconvenience of having to discard that traffic once capture is there any other problem? Cisco SPAN, by default, does not pass ingress traffic on a span port destination so I would think it would not be affecting the network proper due to it's presence.

Default Config: Ingress forwarding (destination port) Disabled

What OS are you on?

(14 Sep '16, 02:37) Bob Jones

I see you are on Windows7 - didn't read the title. I know our corporate policy is that when a wired link is available WiFi turns off. This isn't the same thing as that is controlled by the BIOS in the Dell's we use but could there be some group policy or something blocking the traffic? Or maybe anti-virus/firewall?

(14 Sep '16, 04:03) Bob Jones

In the adapter settings, uncheck IPv4 and IPv6. This will disable the stacks and prevent TX on the adapter.

permanent link

answered 14 Sep '16, 17:32

Rooster_50's gravatar image

accept rate: 15%

Thnaks - after a lot of fiddling - What I am seeing appears to be a feature of Cisco's Anyconnect VPN software With the Cisco software installed If I un-link all protocols - the adapter gets disabled and Wire-shark cannot use it On a very similar machine (same base build image ) but without the Cisco's any-connect added what you described works and I can unlink all protocols and the card does not get disabled.

permanent link

answered 08 Oct '16, 22:54

rjwilson01's gravatar image

accept rate: 0%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 13 Sep '16, 15:37

question was seen: 2,109 times

last updated: 08 Oct '16, 22:54

p​o​w​e​r​e​d by O​S​Q​A