Wireshark not showing unicast packet when it was started when the interface is down

asked 2025-10-09 16:47:05 +0000

updated 2025-10-10 14:50:28 +0000

Hello All, I am trying to debug an issue, where i am monitoring my ethernet interface which is connected to a switch, which is a mirror port, ie there will frames coming with destination as not my PC MAC address/IP address. I want to capture all the frame coming out of the switch one its powered on. When i connect my windows 11 laptop with the native ethernet port, I do not see any unicast packet not destined to me showing on the Wireshark which is send from the mirrored port of the switch

When i restart the Wireshark again after this i can see all the packets

Seems like when the ethernet interface is down and Wireshark is started, the promiscuous mode is not set it seems.

This doesn't happen with a USB to Ethernet adaptor

Is there any solutions to this ? or something else happening ?

edit retag flag offensive close merge delete

Comments

This doesn't happen with a USB to Ethernet adaptor

dino12345 ( 2025-10-09 16:50:04 +0000 )edit

What does the Wireshark version information report? Help -> About should show you version information; copy and paste that to a comment in this question.

Guy Harris ( 2025-10-09 17:32:18 +0000 )edit

Version 4.4.3 (v4.4.3-0-g66d7a52feb06).

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.41, build 34123),
with GLib 2.78.4, with Qt 6.5.3, with libpcap, with zlib 1.3.1, with zlib-ng
2.1.5, with PCRE2, with Lua 5.4.6 (with UfW patches), with GnuTLS 3.8.4 and PKCS
11 support, with Gcrypt 1.10.2-unknown, with Kerberos (MIT), with MaxMind, with
nghttp2 1.62.1, with nghttp3 0.14.0, with brotli, with LZ4, with Zstandard, with
Snappy, with libxml2 2.11.7, with libsmi 0.5.0, with Minizip-ng , with
QtMultimedia, with automatic updates using WinSparkle 0.8.0, with AirPcap, with
binary plugins.

Running on 64-bit Windows 11 (24H2), build 26100, with 13th Gen Intel(R)
Core(TM) i7-13850HX (with SSE4.2), with 32402 MB of physical memory, with GLib
2.78.4, with Qt 6.5.3 ...

(more)

dino12345 ( 2025-10-09 17:37:21 +0000 )edit

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2025-10-12 10:14:55 +0000

Guy Harris
19905 ●3 ●677 ●207

Anyway, installed npcap 1.84 and still problem is there

This is probably either an Npcap issue or a driver issue. Submit it as an issue on the Npcap issue list.

edit flag offensive delete link

add a comment

answered 2025-10-09 19:24:34 +0000

Chuckc
3133 ●6 ●648 ●20

with Npcap version 1.79

The timing for the 1.79 release (https://github.com/nmap/npcap/releases) is very close to when this was fixed:
Npcap 1.71 and later: unable to obtain DHCP lease when adapter is removed and restored #710

Updates for npcap available here: https://npcap.com/

edit flag offensive delete link

Comments

are u trying to say that with latest version its should be fixed ? reading the above link doesn't seems to be same issue. Anyway, installed npcap 1.84 and still problem is there

dino12345 ( 2025-10-09 19:53:21 +0000 )edit

The issue was for wireless but seemed similar and worth the update.
You can also open a npcap issue (https://github.com/nmap/npcap/issues/) for more, different eyes looking at the problem.

Chuckc ( 2025-10-09 20:08:57 +0000 )edit

add a comment