
Wireshark not showing unicast packet when it was started when the interface is down

asked 2025-10-09 16:47:05 +0000

dino12345

updated 2025-10-09 20:08:41 +0000

Hello all, I am trying to debug an issue where I am monitoring my Ethernet interface, which is connected to a switch, which is a mirror port, i.e. there will be frames coming with a destination that is not my PC's MAC address/IP address. I want to capture all the frames coming out of the switch once it's powered on. When I connect my Windows 11 laptop with the native Ethernet port, I do not see any unicast packets not destined to me showing in Wireshark that are sent from the mirrored port of the switch.

When I restart Wireshark again after this, I can see all the packets.

It seems that when the Ethernet interface is down and Wireshark is started, promiscuous mode is not set.

Is there any solution to this? Or is something else happening?


Comments

This doesn't happen with a USB to Ethernet adaptor

dino12345 ( 2025-10-09 16:50:04 +0000 )

What does the Wireshark version information report? Help -> About should show you version information; copy and paste that to a comment in this question.

Guy Harris ( 2025-10-09 17:32:18 +0000 )

Version 4.4.3 (v4.4.3-0-g66d7a52feb06).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.78.4, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.11.7, with libsmi 0.5.0, with Minizip-ng , with
QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with
binary plugins.

Running on 64-bit Windows 11 (24H2), build 26100, with 13th Gen Intel(R)
Core(TM) i7-13850HX (with SSE4.2), with 32402 MB of physical memory, with GLib
2.78.4, with Qt 6.5.3 ...

dino12345 ( 2025-10-09 17:37:21 +0000 )

1 Answer


answered 2025-10-09 19:24:34 +0000

Chuckc

with Npcap version 1.79

The timing for the 1.79 release (https://github.com/nmap/npcap/releases) is very close to when this was fixed:
Npcap 1.71 and later: unable to obtain DHCP lease when adapter is removed and restored #710

Updates for npcap available here: https://npcap.com/


Comments

Are you trying to say that with the latest version it should be fixed? Reading the above link, it doesn't seem to be the same issue. Anyway, I installed Npcap 1.84 and the problem is still there.

dino12345 ( 2025-10-09 19:53:21 +0000 )

The issue was for wireless but seemed similar and worth the update.
You can also open an Npcap issue (https://github.com/nmap/npcap/issues/) for more, different eyes looking at the problem.

Chuckc ( 2025-10-09 20:08:57 +0000 )
