Using Wireshark under Bootcamp Windows XP

I have a Windows XP Bootcamp installation on my MacBook Pro that I sometimes boot into to do some network troubleshooting. I have discovered that when using Wireshark (as well as Fluke Networks ClearSight Analyzer), the packet captures only collect packets sent from the device being monitored; no received packets are captured.


For example, a trace of another workstation pinging the monitored station only has the ECHO replies. Again, this happens with two different packet capture tools.


If I boot into OS X and run the Mac version of Wireshark, the captures include all packet data, so I suspect the issue is with the current Windows NIC driver.


I am not running a VM or Parallels for the Bootcamp partition; I am booting into Windows XP. I have verified that no filters are being used with either packet capture program as well.


Is anyone else using, or has anyone tried using, Wireshark under Bootcamp?


Thanks,
Ray

MacBook Pro, Windows XP

Posted on Jun 22, 2011 12:03 PM


Jun 22, 2011 12:37 PM in response to rjenk

So Wireshark, when in XP, only captures outbound network traffic from your network interface? And you are saying that no inbound traffic is captured at all? Do I understand correctly?


If so, I assume you have turned off the XP firewall and disabled all other security tools that may be running on the system before running Wireshark?


Try booting up with nothing running at startup. Run msconfig and disable everything at startup. Also, when you run Wireshark, right-click on the application and choose Run As Administrator.


Note: I've never actually run it in Windows. I've only run it on my Linux boxes and on my Apple Xserve running as my network's NAT gateway/firewall.

Jun 22, 2011 1:40 PM in response to ch0b1ts2600

The traffic being captured is from a mirrored port on a switch, so technically the traffic being captured is not from my interface; I am seeing all traffic to/from the mirrored device, which is being duplicated on the port I connect to.


I have also just tested this on another MacBook Pro that was running 32-bit Windows 7 and had the same results.


I know the port mirror is working correctly because an HP notebook running Wireshark sees all traffic, as does the MacBook Pro when running it under OS X. This is only the case when running under Windows.


Wireshark is the only application running and firewall/security settings are verified between Mac and the HP notebook.
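The symptom Ray describes (only the echo replies of a ping visible, none of the requests) can be confirmed from a saved capture rather than by eye, and the same check tells a one-directional mirror-port or driver problem apart from a filter mistake. The following is an added example, not code from the thread or from Wireshark: it reads a classic little-endian libpcap file with Ethernet framing using only the Python standard library, counts ICMP echo requests and replies per source/destination pair, and flags any pair for which nothing was captured in the reverse direction. It goes a little beyond the ping case in the post in that it reports every asymmetric host pair in the file. The pcap bytes, MAC addresses and the 192.0.2.x hosts are constructed for the example; it assumes IPv4 ICMP and the original libpcap format, not pcapng (convert with `editcap -F pcap` if needed).

```python
"""Flag one-directional ICMP echo traffic in a libpcap capture.

Added example, not code from the thread.  Parses a classic little-endian
libpcap file (magic 0xa1b2c3d4, Ethernet link type) with the standard
library only.  All sample packets below are constructed test data.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

# libpcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-record header: ts_sec, ts_usec, incl_len, orig_len
PCAP_REC_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


def iter_packets(pcap):
    """Yield raw Ethernet frames from a little-endian libpcap byte string."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL_HDR.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file (pcapng is not handled)")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = PCAP_GLOBAL_HDR.size
    while off + PCAP_REC_HDR.size <= len(pcap):
        _, _, incl_len, _ = PCAP_REC_HDR.unpack_from(pcap, off)
        off += PCAP_REC_HDR.size
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_icmp_echo(frame):
    """Return (src, dst, icmp_type) for an IPv4 ICMP echo frame, else None."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                      # header length honours IP options
    if ip[9] != IPPROTO_ICMP or len(ip) < ihl + 1:
        return None
    icmp_type = ip[ihl]
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return str(IPv4Address(ip[12:16])), str(IPv4Address(ip[16:20])), icmp_type


def echo_summary(pcap):
    """Count echo requests and replies per (src, dst) direction."""
    summary = {}
    for frame in iter_packets(pcap):
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            continue
        src, dst, icmp_type = parsed
        name = "request" if icmp_type == ICMP_ECHO_REQUEST else "reply"
        summary.setdefault((src, dst), Counter())[name] += 1
    return summary


def one_directional_pairs(summary):
    """Return [(src, dst, counts)] for directions with no reverse traffic.

    A healthy ping shows requests A->B and replies B->A.  Replies B->A
    with no requests A->B is the symptom reported in the thread.
    """
    return [(src, dst, dict(counts))
            for (src, dst), counts in summary.items()
            if (dst, src) not in summary]


def build_echo_frame(src, dst, icmp_type):
    """Constructed Ethernet/IPv4/ICMP echo frame (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"ping"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + icmp


def build_pcap(frames):
    """Wrap constructed frames in a little-endian libpcap file."""
    out = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += PCAP_REC_HDR.pack(i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: the thread's symptom, only echo replies were captured.
SYMPTOM_PCAP = build_pcap([build_echo_frame("192.0.2.10", "192.0.2.20", ICMP_ECHO_REPLY)] * 3)
# Constructed sample: a healthy capture with both directions present.
HEALTHY_PCAP = build_pcap([
    build_echo_frame("192.0.2.20", "192.0.2.10", ICMP_ECHO_REQUEST),
    build_echo_frame("192.0.2.10", "192.0.2.20", ICMP_ECHO_REPLY),
] * 2)

if __name__ == "__main__":
    for label, pcap in (("symptom", SYMPTOM_PCAP), ("healthy", HEALTHY_PCAP)):
        print(label, "one-directional pairs:", one_directional_pairs(echo_summary(pcap)))
```

A healthy ping between two hosts yields an empty list; the constructed symptom capture reports the 192.0.2.10 to 192.0.2.20 direction with three replies and nothing coming back, which is the asymmetric result the thread describes from the Windows side. Because the check works per host pair rather than per capturing interface, it applies equally to a mirrored port, where neither direction is the capturing host's own traffic, and to a capture taken directly on the monitored machine. To run it on a real file, pass `open(path, "rb").read()` to `echo_summary`.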
