This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I stop Windows 7 from sending packets on an interface while I’m capturing on it?


I have my PC connected to a Cisco switch port with the port in SPAN. However, I see some traffic initiated by the PC. These appear to be broadcasts of NetBIOS name resolutions. I tried changing the binding on the port and removed all protocols - that shuts the port down and I cannot use it for capture. I happen to have AirMagnet software installed on this PC, and binding it just to that does appear to work.
Is there a way on Windows to keep the port up but not have it used for anything, so I can see only traffic initiated from elsewhere? For example, a "Wireshark capture protocol" that can be selected for the port? TIA Ross

asked 13 Sep '16, 15:37

rjwilson01

edited 13 Sep '16, 18:56

Guy Harris ♦♦

I operate in this manner all the time with my Windows XP, Windows 7, and Windows 8.1 OSs. I deselect all the bindings and then can only receive traffic, which it does. I recommend this to my colleagues when they have a dedicated wired sniffing adapter. This works with Linux as well if I zero out the IP address.

Except for the (hopefully) minor inconvenience of having to discard that traffic once captured, is there any other problem? Cisco SPAN, by default, does not pass ingress traffic on a SPAN port destination, so I would think it would not be affecting the network proper due to its presence.

Default Config: Ingress forwarding (destination port) Disabled

What OS are you on?

(14 Sep '16, 02:37) Bob Jones

I see you are on Windows 7 - didn't read the title. I know our corporate policy is that when a wired link is available, WiFi turns off. This isn't the same thing, as that is controlled by the BIOS in the Dells we use, but could there be some group policy or something blocking the traffic? Or maybe anti-virus/firewall?

(14 Sep '16, 04:03) Bob Jones

2 Answers:


In the adapter settings, uncheck IPv4 and IPv6. This will disable the stacks and prevent TX on the adapter.

answered 14 Sep '16, 17:32

Rooster_50


Thanks - after a lot of fiddling, what I am seeing appears to be a feature of Cisco's AnyConnect VPN software. With the Cisco software installed, if I unlink all protocols, the adapter gets disabled and Wireshark cannot use it. On a very similar machine (same base build image) but without Cisco's AnyConnect added, what you described works: I can unlink all protocols and the card does not get disabled.

answered 08 Oct '16, 22:54

rjwilson01
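
A way to confirm the capture adapter has gone quiet after unbinding the protocols, as an added example that is not part of the original thread: it scans a classic pcap file for frames whose Ethernet source is the capture adapter's own MAC address. The MAC addresses and the sample capture are constructed for illustration, and pcapng files are not handled.

```python
import struct

# Magic bytes of classic pcap files (micro- and nanosecond variants) -> byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def self_sourced_frames(pcap_bytes, local_mac):
    """Return (frame_no, dst_mac, ethertype) for every frame sent by local_mac."""
    endian = MAGICS.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    local = bytes.fromhex(local_mac.replace(":", "").replace("-", ""))
    hits, offset, frame_no = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each)
        (incl_len,) = struct.unpack(endian + "I", pcap_bytes[offset + 8:offset + 12])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1
        # Ethernet header: destination (6), source (6), EtherType (2)
        if len(frame) >= 14 and frame[6:12] == local:
            (ethertype,) = struct.unpack("!H", frame[12:14])
            hits.append((frame_no, fmt_mac(frame[0:6]), ethertype))
    return hits

def build_sample():
    """Constructed capture: mirrored SPAN traffic plus two frames sent by the capture PC."""
    local, other = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [
        bytes.fromhex("020000000003") + other + b"\x08\x00",  # mirrored IPv4 frame
        b"\xff" * 6 + local + b"\x08\x00",                     # IPv4 broadcast from the capture PC
        bytes.fromhex("333300000002") + local + b"\x86\xdd",  # IPv6 multicast from the capture PC
        b"\xff" * 6 + other + b"\x08\x06",                     # mirrored ARP request
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, hdr in enumerate(frames):
        frame = hdr + bytes(46)  # zero padding stands in for the payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

LOCAL_MAC = "02:00:00:00:00:01"  # constructed address of the capture adapter

if __name__ == "__main__":
    for no, dst, etype in self_sourced_frames(build_sample(), LOCAL_MAC):
        print(f"frame {no}: capture adapter sent EtherType 0x{etype:04x} to {dst}")
```

An empty result for a capture taken after the bindings were removed means the adapter's own stack did not transmit during that capture.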