How can Wireshark effect network traffic?

3
votes

On our team we have a standardized development setup where we have a Win8 workstation with various VMs running on Hyper-V. All development takes place on a VM.

I was having an issue where I couldn't check out a project from a Team Foundation Server using VS2012, it would start checking out, but then the connection drops. I fired up Wireshark to check what's happening, but then it worked fine. I double checked:

  • When Wireshark(or rather WinPcap which is doing the actual capture), running on the workstation, is capturing packets from the VM's virtual NIC, everything works fine.
  • As soon as I stop the capture, TFS can't check out.

So I can't even properly inspect the network traffic to diagnose the issue, because the act of inspecting traffic changes it. Heisenberg would be proud!

I thought it might be an issue with Wireshark overriding some check-sum offloading settings, but it seems not to be the case.

So what else can be affected by running Wireshark? I rather thought that the point of packet sniffers is that they don't change the packets as they capture them.

1
wiresharkhyper-vpacket-snifferswinpcap
Hold on while I break out my psychic debugger...Robert Harvey
Do you run it in promiscuous mode?Daniel Williams
Yes, but all that does is capture any traffic the NIC can "see" even if it's not addressed to it, since it's a virtual NIC it should only see traffic on the VM.Eugene
Just checked without promiscuous mode and it it still works.Eugene

1 Answers

1
votes

That means you are picking traffic that normally would not be picked by the vmnic. Try to check on mac address level what is happening. Maybe mac address conflict between VMs ?

ps. You can whireshark without promiscuous mode. The the Heisenberg rule should not apply :)