no ICMP packets detected on WiFi Adapter but ok on ethe adapter ?

asked 2020-09-21 22:11:40 +0000 gravatar image

Practicing lab 11 - Cap filter to/from IP4 : host on Ethe traces then Cap. Filter On Wifi adapter IP4 : traces.

Then run: ping for each (eth. and then Wifi adapter) cap. files .... When opening and looking/displaying for ICMP packets in traces for each adapter:

I see ICMP packet requests and ping replies Ok. - for Ethe adapter cap. But I don't see ICMP packets ...when Open Wifi Adapter trace with pings... Why Not?

I Checked Network adapter on both ethe, WIfi properties but not sure what to modify?. Any Help appreciated. Sarkis

edit retag flag offensive close merge delete


When making a capture, are you disabling the other interface (the one not being captured on)?
Have you looked at netstat -nr to see what default gateway entries are in the route table?

Chuckc gravatar imageChuckc ( 2020-09-21 22:53:06 +0000 )edit

Thanks Chuck, Yes both ethe. and Wifi adapters have same Gwy - in My case see below:

C:\Users\skara>netstat -nr
Interface List
  8...00 ff 2f 2b ce 8f ......Symantec TAP Driver (Ethe2) -r Used by Norton TAP ( but No Idea now) 
  5...3c 18 a0 0d 7b 62 ......Lenovo USB Ethernet (Ethe4)
 17...a4 c3 f0 72 51 ec ......Microsoft Wi-Fi Direct Virtual Adapter #3
 20...a6 c3 f0 72 51 eb ......Microsoft Wi-Fi Direct Virtual Adapter #4
 10...a4 c3 f0 72 51 eb ......Intel(R) Wireless-AC 9560 160MHz (Wifi Adaptr)
  1...........................Software Loopback Interface 1

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric     25  ---(USB-to-Ethe 4)     40 --- (Wifi adptr)         On-link         127.0 ...
(more) gravatar image[email protected] ( 2020-09-22 04:11:21 +0000 )edit

Unfortunately your comment got the end chopped off when I formatted it. also your routing table list seems to be scrambled, could you edit it and try again. Note the Ctrl+K formatting option for fixed width output.

What I think is happening is that by default the ping will go out the Ethernet interface as it has a lower interface metric value. When you disable that interface then the pings can go out the WiFi interface. This is because both interfaces are using the same subnet, so the interface metric controls which interface packets will go out.

grahamb gravatar imagegrahamb ( 2020-09-22 08:12:00 +0000 )edit

So try capturing on the Ethernet and the Wi-Fi at the same time (Wireshark allows capturing on more than one interface simultaneously), and do a ping. If the pings show up, but on the Ethernet interface, @grahamb's explanation would appear to be correct.

Guy Harris gravatar imageGuy Harris ( 2020-09-22 17:43:13 +0000 )edit

Thanks again Chuck... Yes, after disabling Ethe. interface now I can see ICMP packets on Captured on the WiFi adapter/Interface. Sark gravatar image[email protected] ( 2020-09-22 22:42:27 +0000 )edit