nmap / npcap

Nmap Project's Windows packet capture and transmission library
https://npcap.com

WinPcap works vs npcap gets nothing on Windows Server 2019 VM in HyperV #211

Open markpizz opened 4 years ago

markpizz commented 4 years ago

I was setting up PPTP on a Windows 2019 server environment yesterday and I wasn't sure that the firewall between the Windows box and the Internet was allowing the correct TCP and GRE traffic ((tcp port 1723) or (proto 47)). With npcap-0.9995 installed, I brought up the latest Wireshark and tried to capture traffic on all interfaces (5 interfaces) using this capture filter. Absolutely no traffic was observed. Same results were observed selecting different interfaces.

I uninstalled npcap, rebooted the box (just to be sure), installed WinPcap 4.1.3, fired up Wireshark and configured a capture with the same capture filter on the single Ethernet interface visible with WinPcap and readily captured both the TCP and GRE traffic.

guyharris commented 4 years ago

If you capture with Npcap and no filter, do you see any traffic? If so, do you see TCP port 1723 and GRE traffic in the capture?

markpizz commented 4 years ago

Good Question.

I actually see no traffic captured without a filter, but the little graphic display in the list of interfaces does show traffic when I start up Wireshark.

This box has so much traffic I didn't consider even trying without a filter.

The system in question is running Windows Server 2019 in a Hyper-V VM (under Windows Server 2019). The Hyper-V setup for this system's network interface is configured with a VLAN. I don't see how that would matter... Like I said, WinPcap works just fine here.

markpizz commented 4 years ago

I tried the same on a Windows 10 (x86) version running on the same Hyper-V environment with the latest Wireshark. npcap-0.9995 gets 0 packets without any capture filter; WinPcap works as expected.

markpizz commented 4 years ago

Diag Report: DiagReport-20200727-104946.txt

guyharris commented 4 years ago

> I actually see no traffic captured without a filter, but the little graphic display in the list of interfaces does show traffic when I startup Wireshark.

The Wireshark sparklines work by capturing traffic and counting packets, so it's a bit odd that Wireshark sees traffic when showing the sparklines but not when told to capture traffic.

Correction: the Wireshark sparklines work by not capturing packets (it never reads from the pcap_t, so packets should eventually start getting dropped) but counting them with calls to pcap_stats(). No filter is applied; a short snapshot length is used. That suggests that perhaps packets are getting counted in the kernel but not delivered to userland.
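A small way to check that hypothesis on a box like the one in this thread, as an added example (not npcap's or Wireshark's code): it opens the interface with a short snapshot length, first only polls pcap_stats() without reading anything, the way the sparklines do, then reads for the same period and compares the driver's ps_recv with what was actually delivered to userland. It assumes Npcap's wpcap.dll on Windows (libpcap elsewhere) and an interface name as Npcap reports it; the snaplen, timeout and durations are constructed values.

```python
"""Kernel-side packet count (pcap_stats) vs. packets delivered to userland.
Added example; not npcap's or Wireshark's code. Needs wpcap.dll or libpcap."""
import ctypes
import ctypes.util
import sys
import time

class PcapStat(ctypes.Structure):
    # Leading fields shared by libpcap and Npcap; Npcap's struct has extra trailing fields, so pad.
    _fields_ = [("ps_recv", ctypes.c_uint), ("ps_drop", ctypes.c_uint),
                ("ps_ifdrop", ctypes.c_uint), ("_pad", ctypes.c_uint * 8)]

def verdict(ps_recv, delivered):
    """Interpret the two counters the way the comment above reasons about them."""
    if ps_recv == 0 and delivered == 0:
        return "nothing seen by the driver"
    if delivered == 0:
        return "counted in the kernel but not delivered to userland"
    return "capturing normally"

def probe(iface, seconds=5):
    """Return (ps_recv after stats-only phase, ps_recv at end, delivered, verdict)."""
    name = "wpcap" if sys.platform == "win32" else ctypes.util.find_library("pcap")
    lib = ctypes.CDLL(name)
    lib.pcap_open_live.restype = ctypes.c_void_p
    errbuf = ctypes.create_string_buffer(256)
    # Short snaplen (68), promiscuous, 1 s read timeout: constructed values.
    h = lib.pcap_open_live(iface.encode(), 68, 1, 1000, errbuf)
    if not h:
        raise RuntimeError(errbuf.value.decode())
    h = ctypes.c_void_p(h)
    stats = PcapStat()
    # Phase 1: like the sparkline, only poll pcap_stats(); never read a packet.
    time.sleep(seconds)
    lib.pcap_stats(h, ctypes.byref(stats))
    counted_only = stats.ps_recv
    # Phase 2: like a real capture, read packets and count what reaches us.
    delivered = 0
    handler_t = ctypes.CFUNCTYPE(None, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p)
    def on_packet(_user, _hdr, _data):
        nonlocal delivered
        delivered += 1
    cb = handler_t(on_packet)
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        lib.pcap_dispatch(h, -1, cb, None)
    lib.pcap_stats(h, ctypes.byref(stats))
    lib.pcap_close(h)
    return counted_only, stats.ps_recv, delivered, verdict(stats.ps_recv, delivered)
```

Run probe() with the interface name from an elevated prompt; a rising ps_recv alongside a delivered count of zero is the "counted in the kernel but not delivered" case described above.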