Ask Your Question
0

Wireshark sees UDP data, application does not

asked 2019-07-24 17:40:41 +0000

Rich G. gravatar image

I have a couple devices sending UDP messages to each other. When I connect my PC running Win 10 to their network, I can see the messages via WireShark. When I run a program to parse the messages, it's not seeing the messages. I tried on two different PC's running Win 10 and neither of them see the data.

I've disabled every firewall I can think of. I've given permission to the parsing program to have access through any firewalls. I've created a rule to allow ALL UDP messages through the firewall. I'm not using Norton. I've disabled all other network adapters except the one being used.

I've also tried using a different program. I tried UDP Send/Receive in Receive mode only. It does not see anything.

When I run the parsing program on a PC running Windows XP, it works fine.

What else is there to check in Win 10 that might be preventing applications from getting UDP messages?

edit retag flag offensive close merge delete

Comments

Can you describe your capture setup in more detail. How are the devices connected and where does your PC fit in? Is there a switch or hub involved?

grahamb gravatar imagegrahamb ( 2019-07-24 17:50:21 +0000 )edit

There are two custom devices, Call them Box A and Box B. They communicate to each other via Multicast messages through a managed switch. My PC connects to the same managed switch. All three devices are on the same network. I can ping Box A and B from my PC.

I bring up Wireshark and can see all the relevant UDP messages as expected.

The Windows XP PC that worked was connected to the same port on the managed switch as the Win 10 PC. All I did was move the cable from one PC to the other.

Rich G. gravatar imageRich G. ( 2019-07-24 18:09:05 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-07-24 20:19:41 +0000

SYN-bit gravatar image

The "UDP Send/Receive" program you mentioned is a program that can send and receive UDP unicast packets. To be able to receive multicast packets, a program must do either of:

  • Subscribe to the multicast group, this way Windows can tell the NIC to forward the multicast packets to the OS and then the OS can forward them to the application (in this case your application takes part as an endpoint in the multicast setup)
  • Capture packets of the wire using the WinPcap/Npcap library. It then needs to enable promiscuous mode on the NIC in order for it to send all the multicast traffic to the OS, even though no program subscribed to the multicast groups. (in this case your application is eavesdropping on the multicast group, just like Wireshark does)

Since Wireshark by default enables "Promiscuous mode" on a NIC that it starts capturing on, it will see the packets. Can Wireshark on your PC still see the UDP traffic when you disable "Promiscuous mode" in the Capture options before you start the capture?

edit flag offensive delete link more

Comments

When I disable Promiscuous Mode, I see one defined message from Box A and one from Box B. With Promiscuous Mode enabled I see seven defined messages from Box A and one from Box B. Each defined message has it's own Multicast Address. New development... I mentioned above that I disabled ALL other network adapters. In reality I must have missed a few. I had some Loopback adapters still enabled. When I disable those (Specifically, VirtualBox Host-Only and Microsoft KM-TEST Loopback Adapter) then the Parsing Program sees the messages. For some reason the program appears to be giving precedence to the Loopback Adapters. Is there a specific setting that should be used by the Parsing Program when it starts up so it looks at the right network?

Rich G. gravatar imageRich G. ( 2019-07-26 17:42:12 +0000 )edit

I assume your Parsing Program uses WinPcap or Npcap? If so, you can set the interface to do the capturing on (just like Wireshark does). Please read the documentation of these libraries on how to select the proper interface, as I do not have (much) experience with using these libraries directly.

SYN-bit gravatar imageSYN-bit ( 2019-08-13 05:20:13 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-07-24 17:40:41 +0000

Seen: 5,898 times

Last updated: Jul 24 '19

Related questions

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

My UDP packets aren't showing

Monitoring UDP data on wireshark shows ARP packet

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?

What is the udp.length display filter actually for?

IO Graph: Plot ICMP response time

How do i export RTP-UDP(UNICAST and MULTICAST Stream to a VLC Playable-file

Broken save and copy function in Statistics/UDP Multicast Streams