Hi,
I was testing on Windows 2008 Standard Edition (local machine IP: 192.168.2.160) with the normal Windows Firewall (no 3rd party) and created an outbound firewall rule to deny TCP ports 80/443 of a remote IP (i.e. 192.168.10.104), with the local port set to All, as it could be random. The firewall worked fine and I could block all outbound traffic to ports 80/443 of that remote IP. Traffic to the same ports on any other remote IP worked just fine.
However, I would have expected Wireshark to have picked up at least the traffic initiation attempt from the local PC/random ports, and then the drops when matched against the remote IP/port that I have defined in the outbound rules.
==> However, I could see absolutely no traffic for this when running Wireshark on the local PC where I had applied such a rule.
==> Checking the Windows Firewall logs I could see the drops:
2012-05-20 10:08:34 DROP TCP 192.168.2.160 192.168.10.104 49215 80 0 - 0 0 0 - - - SEND
2012-05-20 10:08:35 DROP TCP 192.168.2.160 192.168.10.104 49216 80 0 - 0 0 0 - - - SEND
==> So the Windows Firewall clearly shows the drops, then why does that not reflect in Wireshark?
==> Is it because the firewall is software based and the request was made via a browser, so it never gets sent down beyond the network layer from the application layer of the same PC when Windows Firewall blocks it, and the PC in fact never sends the packet?
Or is there some setting in Wireshark that can allow such drops to show as well, as we can see in the firewall logs above?
The main reason for me to ask this is that I want to clarify the way this works, as the traffic not showing could be an issue with:
1.) an application as well, which might not be able to invoke the lower layers and initiate from the source itself; OR
2.) a block like this as well, and we would not be able to distinguish between them via packet captures, more so if no such logs are available or unknown 3rd-party firewall apps are present.
==> I am not sure whether I should have posted this concern in a Windows forum or a Wireshark one, but I posted it here since I could see nothing in Wireshark, unlike in the Windows Firewall logs.
Please suggest.
Regards, Prad :)
asked 19 May '12, 22:00
im_prad
edited 19 May '12, 22:03
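Added example for this thread (not code from the question or from the Wireshark project): the two DROP lines quoted above are in the W3C-style layout Windows Firewall writes to pfirewall.log, and a same-host capture will not show an outbound packet the host firewall has already dropped, so the log is the place to look. The script below parses that log using its own #Fields header, lists outbound drops towards a given remote IP/port set, and combines the log with the set of flows a capture did see so that "the application never sent anything" (no log entry, nothing captured) can be told apart from "the host firewall dropped it" (DROP ... SEND logged, nothing captured). The sample log text, the captured-flow set and all function names are constructed for this illustration.

```python
"""Read Windows Firewall's pfirewall.log (W3C extended format) and combine it
with the flows seen in a same-host packet capture.

Added example for this thread; not code from the question or from Wireshark.
Everything below (the log text, the captured-flow set, the function names) is
constructed for illustration. The parser trusts the #Fields header, so a log
with extra trailing columns (newer Windows versions append a pid field)
still parses.
"""
from collections import Counter

# Constructed sample log in the shape of the lines quoted in the question:
# two dropped outbound SYNs to 192.168.10.104:80, one to :443, plus an
# inbound drop and an outbound UDP drop to a different host for contrast.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-05-20 10:08:34 DROP TCP 192.168.2.160 192.168.10.104 49215 80 0 - 0 0 0 - - - SEND
2012-05-20 10:08:35 DROP TCP 192.168.2.160 192.168.10.104 49216 80 0 - 0 0 0 - - - SEND
2012-05-20 10:08:40 DROP TCP 192.168.2.160 192.168.10.104 49218 443 0 - 0 0 0 - - - SEND
2012-05-20 10:08:41 DROP TCP 192.168.10.104 192.168.2.160 51000 445 0 - 0 0 0 - - - RECEIVE
2012-05-20 10:08:42 DROP UDP 192.168.2.160 192.168.2.1 49219 53 0 - - - - - - - SEND
"""


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):          # #Version, #Software, #Time Format
            continue
        if fields is None:
            raise ValueError("data line before #Fields header: " + line)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def flow_of(record):
    """4-tuple (src-ip, src-port, dst-ip, dst-port) with integer ports."""
    return (record["src-ip"], int(record["src-port"]),
            record["dst-ip"], int(record["dst-port"]))


def outbound_drops(records, remote_ip, dst_ports=None):
    """DROP/SEND records towards remote_ip, optionally restricted to dst_ports."""
    return [
        r for r in records
        if r["action"] == "DROP" and r["path"] == "SEND"
        and r["dst-ip"] == remote_ip
        and (dst_ports is None or int(r["dst-port"]) in dst_ports)
    ]


def drops_per_port(records, remote_ip):
    """Count outbound drops towards remote_ip by destination port."""
    return Counter(int(r["dst-port"]) for r in outbound_drops(records, remote_ip))


def verdict(records, captured_flows, flow):
    """Classify one attempted flow using both evidence sources.

    captured_flows: set of 4-tuples seen by a capture on the same host
    (constructed here; in practice read them out of the pcap).
    """
    if flow in captured_flows:
        return "on the wire"                 # the capture saw it; any block is elsewhere
    dropped = {flow_of(r) for r in records
               if r["action"] == "DROP" and r["path"] == "SEND"}
    if flow in dropped:
        return "dropped by host firewall"   # logged locally, never reached the capture point
    return "never attempted"                 # neither log nor capture: the application did not send


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    captured = set()  # constructed: an empty same-host capture, as in the question
    for r in outbound_drops(recs, "192.168.10.104", {80, 443}):
        print(r["time"], *flow_of(r), "->", verdict(recs, captured, flow_of(r)))
    print(verdict(recs, captured, ("192.168.2.160", 49217, "192.168.10.104", 80)))
```

To use it on a real host, point `parse_firewall_log` at the contents of `%systemroot%\system32\LogFiles\Firewall\pfirewall.log` (logging of dropped packets has to be enabled in the firewall profile first) and build `captured_flows` from the capture's TCP/UDP conversations; a flow that is absent from both is the "application never sent it" case, while one present only in the log is the host-firewall block.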