This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Network problems on PC *after* installing wireshark

0

Has anyone seen this issue and can offer help? This is the second time I have encountered this issue, with a complete OS wipe and reinstall and a change in the additional NIC between the two times. OS is Windows 7 Ultimate x64, onboard NIC is a Realtek connected to my LAN. Everything works perfectly until...

I'm setting up a dedicated monitor port to connect to my Cisco lab, using an additional NIC on the PC and installing Wireshark/winpcap. That in itself works, but I start to get a lot of network problems:

. Pages in my browser (Firefox and IE) often fail to load compeltely, or I get a page of code, a page that never stops loading or just a blank page. . Images in web pages often look garbled or truncated. . Sometimes I get browser errors such as SSL failures or page encoding errors. . FTP transfers (in any client) give corrupt or truncated files, without giving any error messages. . Problems browing fileshares on the LAN and using RDP.

The above happen so often that it's completely obvious there's a problem, and when it started. I've just done a system restore to before installing Wireshark/winpcap, and everything is back to normal.

I didn't change anything in wireshark's configuration and the only thing I did to the NIC was to disable all the services in network properties. I don't know if that's the right thing to do, but it seems to work for a quiet monitor port and I cannot see how it should cause my problems. Besides, even after reinstating all the network protocols I still had the problems, until I did the roll-back.

Any hints as to what to look for here? I'm about to start single-stepping through setting this up again, to see if I can isolate the cause. Not that there are many steps...

asked 20 Sep '15, 15:21

FoxyRick's gravatar image

FoxyRick
6113
accept rate: 0%

So you now have a machine without Wireshark or WinPcap installed, and it's working? What happens if you just install WinPcap without installing Wireshark?

(20 Sep '15, 17:31) Guy Harris ♦♦

That's correct - back to how it was before with no wireshark or winpcap. It's been that way now for two days after the rollback and I've not seen the problems.

Earlier this evening (about two hours ago) I installed just winpcap 4.1.3 and so far have not seen the issues recur. I've tried to provoke them with lots of web browsing and ftp, but so far everything works. I have not unticked anything on the additional NIC's settings... yet.

I actually expected things to break again after installing winpcap. Testing continues.

(20 Sep '15, 17:54) FoxyRick

If that continues to work after sufficiently-exhaustive testing, try installing Wireshark without replacing the existing WinPcap.

(20 Sep '15, 17:56) Guy Harris ♦♦

Will do. I'll do that tomorrow morning after a few more hours of testing and a few reboots, just to be sure.

(20 Sep '15, 18:04) FoxyRick

Hmm... so far, so good. I installed Wireshark this morning, without replacing winpcap. Despite my best efforts, I've not managed to provoke the issues that I saw the last two times. Given how obvious they were, I would say that things are working this time.

After a few hours of no problems, I unticked all the services from the monitor NIC and still have not seen any problems for the last few hours.

I'm 99% sure that I didn't do anything else the previous two times that could have caused the issue. The only difference this time is installing winpcap first, as above.

So, I have no idea why I got problems, but at least everything seems good for now. Of course I'll report back if that changes.

Thank you for the help Guy.

(21 Sep '15, 09:25) FoxyRick

One Answer:

0

I'm setting up a dedicated monitor port to connect to my Cisco lab, using an additional NIC
on the PC and installing Wireshark/winpcap. That in itself works, but I start to get
a lot of network problems:

I see two possible problems:

P1: If the problems only occurs while you capture traffic, it could be related to IP forwarding being enabled on the Monitoring PC, which will then inject the monitored packets into the network again.

P2: The monitoring port on your switch could be an access port. Some switches don't disable access functionality on monitor ports. So, your PC would get a second IP address from the same subnet via DHCP with a second default route, which could cause problems (depends on the metric of the default routes). You'll see that with ipconfig /all.

In both cases, please disable the IPV4 and IPV6 bindings on the NIC you are using to capture traffic to prevent those problems.

Regards
Kurt

answered 21 Sep '15, 10:12

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thank you for the suggestions Kurt...

P1: No, the problems occur(ed) all the time, whether Wireshark is loaded or not. They even occur with the switch it's connected to powered off, so no connection at all.

P2: The switch port is definitely configured as a SPAN (Cisco for monitor) port, and has been all the time:

Gi0/1 MONITOR PORT monitoring unassigned a-full a-1000 10/100/1000BaseTX

GigabitEthernet0/1 is up, line protocol is down (monitoring)

Also, the issues occur with and without IPv4 and IPv6 bound to the PC's interface.

Not mentioned in my OP was that I also tried reseting winsock and tcp on the PC, of course, and reinstalling the NIC drivers and even nmy browsers. The first time I had the problem I was using an Intel dual-port server NIC. I thought that might just be a driver issue (since there wasn't officially a Windows 7 driver). A clean OS resintall and new Realtek standard NIC still got the problems though.

(21 Sep '15, 10:38) FoxyRick

A clean OS resintall and new Realtek standard NIC still got the problems though.

well, then it has either to do with WinPcap, however I've never heard of such a problem, or with some security software on your PC, like Symantec Endpoint Security or similar tools (AV, IPS, VPN Client, etc.).

(21 Sep '15, 12:14) Kurt Knochner ♦

Agreed. I'm certain it will be something odd about my setup. The lack of any search hits on my problem say it's unlikely to be Wireshark or winpcap themselves. Actually, I've just realised I did do something different this time, other than installing them seperately...

...I uninstalled Microsoft Security Essentials after I did the roll-back, simply becase I was going to install something better and was killing two birds with one new system restore point. I never even thought that might make any difference.

That is the only diffference in my system this time around. I've always installed MSE soon after the OS, and never known it to cause a problem (exactly why I used it and not something more invasive).

Hmmm!

(21 Sep '15, 12:41) FoxyRick

Microsoft Security Essentials

Everything that interferes with the TCP/IP stack is a potential source for the problem.

(21 Sep '15, 12:45) Kurt Knochner ♦