Missing broadcast UDP traffic in a trace from the sender
I am working with an application that communicates via broadcast UDP on the local subnet. Running a trace on the broadcasting machine, and on another machine on the same subnet, I can see many many broadcast packets from the second machine that I can't see from the sender itself. Huh? Can anyone think of any legitimate cause of this, beyond my traces being incomplete? Details:
Both machines have only the one NIC, and they're definitely on the same subnet.
Traces were taken with netsh trace - customer IT security won't allow me to install Wireshark to take the traces directly - and then converted to pcap with https://github.com/microsoft/etl2pcapng/. So I'm assuming that either netsh trace has failed, or etl2pcapng has failed in some way, and that is the cause of my issue. But again, just curious if anyone can think of any other legitimate reason. netsh trace command, on both machines, was:
netsh trace start capture=yes report=no traceFile="\Temp\NetTrace_%COMPUTERNAME%.etl" maxSize=250 fileMode=circular Ethernet.Type=IPv4 persistent=no
Thanks for any insight,
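A practical way to pin down what the sender-side trace is missing is to enumerate the IPv4 UDP broadcast datagrams in each converted pcapng and diff the counts per (source, destination, port) flow. The script below is an added example, not code from the question or from etl2pcapng; it assumes Ethernet (LINKTYPE 1) frames and plain Enhanced Packet Blocks, which is what etl2pcapng emits for a NIC capture, and the sample traces, the 192.168.1.0/24 addresses and the function names are my own constructions. Replace the constructed blobs with the two real files by passing them as arguments.

```python
"""Added example: list IPv4 UDP broadcast datagrams in a pcapng file (e.g. one written by
etl2pcapng) so a sender-side trace can be diffed against a receiver-side trace.
Assumes Ethernet (LINKTYPE 1) frames and plain Enhanced Packet Blocks."""
import socket
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block type codes


def iter_pcapng_packets(data):
    """Yield (linktype, frame_bytes) for every Enhanced Packet Block in a pcapng blob."""
    pos, endian, linktypes = 0, "<", []
    while pos + 12 <= len(data):
        block_type = struct.unpack_from(endian + "I", data, pos)[0]
        if block_type == SHB:  # 0x0A0D0D0A reads the same in either byte order
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            linktypes = []  # interface IDs are numbered per section
        total_len = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if total_len < 12 or pos + total_len > len(data):
            raise ValueError(f"malformed or truncated block at offset {pos}")
        body = data[pos + 8:pos + total_len - 4]
        if block_type == IDB:
            linktypes.append(struct.unpack_from(endian + "H", body, 0)[0])
        elif block_type == EPB:
            iface, _, _, cap_len, _ = struct.unpack_from(endian + "5I", body, 0)
            if iface >= len(linktypes):
                raise ValueError(f"EPB at offset {pos} references unknown interface {iface}")
            yield linktypes[iface], body[20:20 + cap_len]
        pos += total_len


def udp_broadcast_flow(frame, linktype, extra_bcast=()):
    """Return (src_ip, dst_ip, dst_port) if the frame is an IPv4 UDP broadcast, else None.
    Limited broadcast (255.255.255.255) always counts; pass the subnet-directed
    broadcast address(es) in extra_bcast to count those too."""
    if linktype != LINKTYPE_ETHERNET or len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip an 802.1Q VLAN tag
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17 or len(frame) < off + ihl + 8:  # not UDP, or UDP header cut off
        return None
    src = socket.inet_ntoa(frame[off + 12:off + 16])
    dst = socket.inet_ntoa(frame[off + 16:off + 20])
    if dst != "255.255.255.255" and dst not in extra_bcast:
        return None
    dst_port = struct.unpack_from("!H", frame, off + ihl + 2)[0]
    return (src, dst, dst_port)


def count_broadcasts(data, extra_bcast=()):
    """Counter of (src_ip, dst_ip, dst_port) -> datagram count for one capture."""
    counts = Counter()
    for linktype, frame in iter_pcapng_packets(data):
        flow = udp_broadcast_flow(frame, linktype, extra_bcast)
        if flow:
            counts[flow] += 1
    return counts


def missing_from_sender(sender_counts, receiver_counts):
    """Flows the receiver saw more often than the sender's own trace recorded."""
    return {flow: n - sender_counts.get(flow, 0)
            for flow, n in receiver_counts.items() if n > sender_counts.get(flow, 0)}


# --- constructed sample data so the script runs offline (not taken from a real capture) ---
def udp_frame(src_ip, dst_ip, dst_port, payload=b"hello"):
    """Ethernet/IPv4/UDP frame; checksums left zero, which is fine for parsing."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00" + ip


def build_pcapng(frames):
    """Minimal little-endian pcapng: SHB, one Ethernet IDB, one EPB per frame."""
    def block(btype, body):
        body += b"\x00" * (-len(body) % 4)
        return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
    out = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += block(IDB, struct.pack("<HHI", LINKTYPE_ETHERNET, 0, 65535))
    return out + b"".join(block(EPB, struct.pack("<5I", 0, 0, 0, len(f), len(f)) + f) for f in frames)


SUBNET_BCAST = ("192.168.1.255",)  # assumed /24; adjust to the real subnet
SENDER_TRACE = build_pcapng([udp_frame("192.168.1.10", "192.168.1.255", 5000)])
RECEIVER_TRACE = build_pcapng([udp_frame("192.168.1.10", "192.168.1.255", 5000)] * 3
                              + [udp_frame("192.168.1.10", "192.168.1.20", 5000)])  # unicast, ignored


def compare(sender_blob, receiver_blob, extra_bcast=SUBNET_BCAST):
    return missing_from_sender(count_broadcasts(sender_blob, extra_bcast),
                               count_broadcasts(receiver_blob, extra_bcast))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python script.py sender.pcapng receiver.pcapng
        gap = compare(open(sys.argv[1], "rb").read(), open(sys.argv[2], "rb").read())
    else:
        gap = compare(SENDER_TRACE, RECEIVER_TRACE)
    for (src, dst, port), n in sorted(gap.items()):
        print(f"{src} -> {dst}:{port}  {n} datagram(s) absent from sender trace")
```

Because it reads the pcapng blocks directly, it needs nothing installed on the customer machine beyond Python; a flow that appears in the receiver's file with a higher count than in the sender's file is one the sender-side capture dropped before or during conversion. The limited broadcast 255.255.255.255 is always counted; subnet-directed broadcasts are only counted for the addresses you pass in, so set SUBNET_BCAST to the real subnet's broadcast address.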
Found a reference to netsh trace convert, which indeed seems to indicate that this is a fault in the original netsh trace, not in etl2pcapng.
https://xkcd.com/979/
Could you add a link to that reference in case someone else finds this question in the future?
Ah, yes, I see how that sounded. But what I found was a reference _to_, not a reference _about_. Literally a comment on someone else's unrelated issue that mentioned the existence of "netsh trace convert". So I tried that. No idea what format the result is in, but there appear to be no lines corresponding to the missing packets, so I assume they are not in the trace in the first place.
Thanks! Now that that is cleared up. :-)
Ok - at least now I know it's worth the effort as a lab exercise to recreate.