Ask Your Question

Missed first packets after reconnect

asked 2022-11-17 09:36:11 +0000

maweh gravatar image


I currentlly have an issue using wireshark (4.0-1) on windows (21H2 Build 19044.2130). I have a device that sends some dhcp discover messages once it is powered and a physical connection is established. The send out is done after 1 seconds, 2 seconds and 4 seconds.

Related to the hardware setup, it looks like wireshark (or the OS, driver stack...) needs some time to startup.

Setup 1: Device <-> Switch <-> Host Wireshark running on the host can capture all dhcp packets

Setup 2: Device <-> Host Wireshark can not caputre all packets. The packets send in the first ~4 seconds are not captured. The last dhcp packet is captured most of the time.

I assume that it needs some time for the OS to setup the driver stack and other things after the network card established the physical connection including autonegotiation and thinks like that.

E.g. the windows "Network and Sharing Center" lists the connection also after some delay. In the moment the connection is listed, wireshark captures the first packets.

I know it looks more like an "windows issue". But are there any tipps or tricks how windows or wireshark should be configured to reduce the delay between establishing a connectection and capturing/providing the first packets?

edit retag flag offensive close merge delete

1 Answer

Sort by » oldest newest most voted

answered 2022-11-18 21:42:52 +0000

André gravatar image

Of course the best way to capture initial network activity is from outside the device, using a tap or a monitor port on a switch.

Regarding Windows:
Windows has a build in tool 'netsh trace' that allows to start capturing as soon as an interface starts up. Thus capturing the OS's first DHCP or ARP requests on that interface and incoming traffic.

See also the answer to a similar question: Is there a way for wireshark to start upon computer startup

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2022-11-17 09:36:11 +0000

Seen: 134 times

Last updated: Nov 18 '22