This is our old Q&A Site. Please post any new questions and answers at

Been having an issue on my network for a few days and can't quite seem to figure out the issue here. In a nutshell, from my cable modem I have an outer router, switch and an inner router. All hosts connect to the inner router and all traffic flows out through the outer router. The 5-port switch is technically a hardwired TAP, (everything ingressing/degressing) on port 1 (plugged to the outer router) is mirrored on port 5 (where I have an IDS). Running Wireshark on the IDS and pulling up websites I can see 3-way handshakes, ARP, IGMP, etc traffic all day long. I can also see traffic from hosts (connected to the inner router) outbound. The only thing I don't see is most of the return traffic from the other hosts on the network. For instance, host connects to a website, on the IDS using Wireshark I see the typical SYN packet but no return SYN-ACK/ACK. The host connects fine and I can surf all day long. If I ping my outer router from the same host I see the outbound ICMP traffic, but no return ICMP traffic from the IDS.
2 main things that are not jiving here is that I have SNORT running on the IDS rig and it is alerting off of inbound and outbound traffic with no issues. Also, I run Microsoft's Network Monitor 3.4 and it picks up all the traffic I don't see in Wireshark - meaning I can see the 3-way handshake when connecting to websites with other hosts. If I run TShark and WinDump - I am also NOT able to capture all of the packets. I find it hard to believe that I have three programs that are not able to capture all packets on the wire but the Microsoft's app does? Love the tool but I would prefer Wireshark. Perhaps I am having an issue with my NIC not compatible with the other programs. I am running a Realtek RTL 8168;

Help me Obi-Wan Kenobi .... you're my only hope!

asked 25 Mar '12, 19:15

DigitalSyn's gravatar image

accept rate: 33%

Can I answer my own question?

Anyways for everyone\anyone interested in the solution that I came up. Apparently the issue lies within Win 7 X64 and in the deep abyss of how it handles its NIC card drivers and associated applications (at least on all of my hosts as every one of them is running Win 7 x64). I did not get to the actual root of the problem (I could have loaded a customized driver and I did not try another version of Microsoft); I went ahead and scrapped the OS and loaded Ubuntu 12.04 and everything is coming up gloriously.

All I have to do now is return $300 worth of networking equipment I thought was the culprit.

Thanks everyone for taking the time to read.

permanent link

answered 01 Oct '12, 16:30

DigitalSyn's gravatar image

accept rate: 33%

What you didn't report is which version of Wireshark you were using, and whether it was 32 or 64 bit. As noted elsewhere on a similar question, I and many colleagues capture on Win7 x64 using the 32 bit version of Wireshark (1.6.x, 1.8.x and dev trunk) without any issues.

(01 Oct '12, 23:49) grahamb ♦

That is good to know grahamb, I was running Wireshark x64 (1.8.2) on my hosts at the time.

(02 Oct '12, 12:00) DigitalSyn

Might there be some interfering software installed on the IDS box? VPN client, Personal FW, AV software, etc? Please have a look at the wireshark wiki

permanent link

answered 26 Mar '12, 12:55

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

Thanks SYN-bit for the post. I thought the same thing as well but I am running nothing out of the ordinary on the IDS box. It's a very basic load; also I have Ubuntu installed on the IDS box and when I run Wireshark it is not able to pick up any return traffic either.

(28 Mar '12, 06:24) DigitalSyn

Were you running MS Netmon on the same box in a different partition? Or on another box on the same switchport?

I assume you are running the captures without any capture filters?

(28 Mar '12, 12:37) SYN-bit ♦♦

Running MS NETMON on the same rig but different partition - I think I see where you are going with this. Perhaps swap in a different rig - I haven't tried that yet and will see what the results are.

And Yes I am running Wireshark without any capture filters and after a fresh clean install.

Thank you and will update shortly.

(29 Mar '12, 09:21) DigitalSyn

My apologies for the long delay - was out on a family vacation and never finished my troubleshooting.

Recently, I disconnected my IDS rig and plugged the network cable into a new system. Running Wireshark again on that new system I am unable to see return SYN-ACKs or the ACKs; just the SYNs from internal to external. Checking ICMP traffic I am still only able to see outgoing traffic, nothing coming back even though the host is receiving those packets.

(08 Apr '12, 15:46) DigitalSyn

My only option is to start playing around with the TAP, maybe something is not working correctly. It just bothers me that MS NETMON is able to see all the traffic, including the SYN-ACKs and ACKs but no other program. With MS NETMON working as it should, logic tells me that the TAP is working as it should too.

Where is that "EASY" button ....

(08 Apr '12, 15:46) DigitalSyn

Could you capture for a short while with Netmon and also with Wireshark (pinging the same system) and post them to You can then paste the two URL's in a comment.

(08 Apr '12, 16:55) SYN-bit ♦♦

SYN-bit, my sincere apologies again. I didn't see the 'Show All" comment button below my comments until tonight. Thanks for sticking with me on this ..... SYN-adventure. Here are the links - first one is from Wireshark and the second is from MS NETMON. Both turned on about 3 secs apart around the same time. The focus is on host; after a clean load of Win7 on the host I simply opened Firefox to google; afterwards I ran CMD and pinged; see the difference in the two?

(11 Apr '12, 19:50) DigitalSyn

Captures were done on the IDS rig looking at my network; as a recap here is my network setup.

CableModem --> Router1 --> Switch --> Router 2

Host: 192.168.778 is hanging off of Router 2

IDS: is hanging off the switch which is a Dualcomm DCGS-2005L. Router 1 is plugged into port 1 of the switch, port 2 goes to Router 2 and the IDS is off of port 5. Port 1 is mirrored to port 5.

(11 Apr '12, 19:55) DigitalSyn

Still no luck with my issue. I went ahead and replaced all of the network cables (just out of curisoity) and started to test other devices in lieu of my Dualcomm switch. I recently inserted a TAP in place of the Switch and again could only see outbound traffic, nothing inbound. I moved away from sitting in between the two routers and started sniffing between the cable modem and router 1 with the same results. I even brought in a third system using Wireshark and I still have the issue. I'm wondering if maybe my Outside Router is stripping off some of traffic information somehow?

(17 Apr '12, 10:15) DigitalSyn

I have recently put in for a manageable switch and a new Router and will see how this changes things up.

(17 Apr '12, 10:19) DigitalSyn

Bringing sexy back -

After all of these months I am still having the same issue. I have completely scrapped my entire network with new devices, ran Wireshark on multiple hosts and I still can't seem to find the issue. I have replaced the tap twice and I still see the same issue. I went basic and ran 3 hosts on my old tap and new tap with no routers involved and using static IPs. The monitoring host using Wireshark could only pick up half of the traffic while Microsoft NETMON picked up all of the traffic on all three hosts.

What am I doing wrong here?

(26 Sep '12, 14:34) DigitalSyn
showing 5 of 11 show 6 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 25 Mar '12, 19:15

question was seen: 6,844 times

last updated: 02 Oct '12, 12:00

p​o​w​e​r​e​d by O​S​Q​A