This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark drops outgoing udp traffic!

Hello,

Currently I am using Wireshark 1.10.2 (Win 7-64bit) and I am sending UDP traffic to another device through the Ethernet port. Other tools like Microsoft Network Monitor (I need Wireshark for some of its packet checking features) work fine, but as soon as I start Wireshark listening, it drops outgoing packets. I can see outgoing packets in Wireshark, but they are not sent to the end device anymore!

How can I solve this issue?

Thanks :-)

asked 25 Sep '13, 02:31

Persisky

edited 25 Sep '13, 06:49

but as soon as I start Wireshark listening, it drops outgoing packets.

I don't think this is caused by Wireshark, at least I have not seen this happen anywhere so far. Wireshark is pretty passive, so there is no way it could/would drop packets.

but they are not sent to the end device anymore!

How do you know that?

BTW: Can you please add more information about your setup? Client, Server, end device, etc.

(25 Sep '13, 06:55) Kurt Knochner ♦

Also, Wireshark relies on WinPcap to do the actual capturing on the Windows platform. Which version of WinPcap are you using? You could also try testing with WinDump to see if you get the same results as with Wireshark.

(25 Sep '13, 09:01) cmaynard ♦♦

I am sending UDP packets using C# to a client which is an FPGA development board. The IP address of my PC is 10.0.0.1 (mask 255.255.255.0) and I send packets through port 11000 to the FPGA board, which has the IP address 10.0.0.2.

Without using Wireshark, packets easily reach the FPGA. I have a packet counter and other monitoring tools that show this. I need to consider the FPGA response to incoming packets, so I have to use a network monitoring tool like Wireshark; however, as soon as the capturing mode of Wireshark starts, I am not able to send packets to the FPGA. Packets are shown as outgoing packets but they do not reach the Ethernet port anymore. I used the Microsoft Network Monitor tool and it works fine. It shows the outgoing stream and does not have any effect on it, so I can send and receive UDP packets without any problem. Unfortunately the Microsoft tool does not have some of the packet checking features of Wireshark, so I would be glad to find out about the Wireshark issue.

Thanks :-)

(26 Sep '13, 03:18) Persisky

Did you try another version of Wireshark (1.8.x) and WinPcap?

(26 Sep '13, 04:37) Kurt Knochner ♦

You never answered the question about which version of WinPcap you are using.

Also, the whole point of using WinDump is to try to determine if this is a Wireshark-specific problem or if it's common to other applications that also use WinPcap, such as WinDump.

(26 Sep '13, 07:01) cmaynard ♦♦

I do not know how, but I did not notice that question before!

To make sure that there is no issue with my current installation of WinPcap, I re-installed the version which was offered by the Wireshark 1.10 installer, which I think is 4.1.3.

I will use WinDump and Wireshark (1.8.x) and report the results.

(26 Sep '13, 13:35) Persisky

It seems that the issue is from WinPcap! Even in WinDump, outgoing UDP packets are dropped as soon as I start listening! As I mentioned, they are shown in WinDump and Wireshark, but they are not sent to the Ethernet port anymore! Also, Microsoft Network Monitor works fine and does not drop packets. Any solution?

(01 Oct '13, 02:41) Persisky

What type of interface is it?
Can you show a sample capture file (on google drive/docs, dropbox or cloudshark)?

(01 Oct '13, 02:45) Kurt Knochner ♦

It is a Gigabit Ethernet interface.

Here you can see one of the UDP packets captured in Wireshark:

No.     Time           Source                Destination           Protocol Length Info
      2 0.999970000    10.0.0.1              10.0.0.2              UDP      204    Source port: 62488  Destination port: metasys

Frame 2: 204 bytes on wire (1632 bits), 204 bytes captured (1632 bits) on interface 0
Ethernet II, Src: ———–, Dst: ———–
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.2 (10.0.0.2)
User Datagram Protocol, Src Port: 62488 (62488), Dst Port: metasys (11001)
Data (162 bytes)

0000  03 00 00 00 02 00 00 00 03 80 00 00 00 02 00 00   ................
0010  00 01 03 00 00 00 02 00 00 00 01 80 00 00 00 02   ................
0020  00 00 00 04 03 00 00 00 02 00 00 00 03 80 00 00   ................
0030  00 02 00 00 00 01 03 00 00 00 02 00 00 00 09 80   ................
0040  00 00 00 02 00 00 00 05 03 00 00 00 02 00 00 00   ................
0050  03 80 00 00 00 02 00 00 00 05 03 00 00 00 02 00   ................
0060  00 00 03 80 00 00 00 02 00 00 00 04 03 00 00 00   ................
0070  02 00 00 00 08 80 00 00 00 02 00 00 00 04 03 00   ................
0080  00 00 02 00 00 00 07 80 00 00 00 02 00 00 00 05   ................
0090  03 00 00 00 02 00 00 00 02 80 00 00 00 02 00 00   ................
00a0  00 09

(01 Oct '13, 08:06) Persisky

Here you can see one of the UDP packets captured in Wireshark:

I was thinking about a real capture file, to check if there is anything in the frames that could explain the behavior, although I don’t think it’s the data, but you’ll never know until you check.

BTW: Did you try to disable the Windows firewall or any other security software on the sending PC, like these tools: AV, IDS, VPN client, Endpoint Security, Personal Firewalls, etc.?

(01 Oct '13, 08:17) Kurt Knochner ♦

Have you read the WinPcap FAQ page for possible known problems, perhaps Q21 or Q22? If none of these fit your situation, then I’d suggest contacting the WinPcap developers.

(01 Oct '13, 11:05) cmaynard ♦♦