Sam Hooke

Debugging missing UDP packets with Wireshark

I had a device connected via Ethernet to a Windows 10 PC. The device was sending UDP packets to the PC, where a Python application was listening for them. Python could see no packets arriving; however, if I ran Wireshark on the PC, I could see the packets arriving.

My first suspicion was the Windows firewall. Wireshark uses libpcap to capture packets. Specifically, on Windows, Npcap is used, which is a Windows version of libpcap [1]. Npcap is able to sniff the packets before they hit the firewall [2]. This explains why Wireshark can see the packets, but the Python application cannot [3].

I added an “allow” rule to the firewall for UDP packets on the given port, but still no packets arrived. I enabled logging of dropped packets, but this showed no packets being dropped, which implied the firewall was not actually to blame.

It turned out the problem was my network configuration, not the firewall. The Ethernet interface on my PC, which had the device attached, was configured as /16, when it needed to be /24. I fixed this by going to Ethernet settings, then selecting the interface my device is connected to, and under IP settings, clicking Edit, then updating the Subnet prefix length.
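The following is an added example, not code from the original post: a simplified check of whether a destination address seen in a Wireshark capture is one the PC's IP stack would deliver to a socket under a given prefix length. The addresses are constructed, since the post does not state which addresses were in use, and a directed broadcast destination is only one assumed way a /16 versus /24 mismatch can hide packets from a socket.

```python
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def delivery_reason(dst, iface_addr, prefix_len):
    """Return why the local stack would accept dst, or None if it would not.

    Simplified model: unicast, limited/directed broadcast and multicast only.
    """
    iface = ipaddress.ip_interface(f"{iface_addr}/{prefix_len}")
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == iface.ip:
        return "unicast to this interface"
    if dst_ip == LIMITED_BROADCAST:
        return "limited broadcast"
    # The directed broadcast address depends on the configured prefix length.
    if dst_ip == iface.network.broadcast_address:
        return "directed broadcast for configured subnet"
    if dst_ip.is_multicast:
        return "multicast (only if the socket joined the group)"
    return None


def compare_prefixes(dst, iface_addr, configured, expected):
    """Evaluate the same destination under the configured and expected prefix."""
    return {
        "configured": delivery_reason(dst, iface_addr, configured),
        "expected": delivery_reason(dst, iface_addr, expected),
    }


if __name__ == "__main__":
    # Constructed sample values: PC interface address and capture destinations.
    pc_addr = "192.168.1.10"
    for dst in ("192.168.1.255", "192.168.1.10", "255.255.255.255"):
        result = compare_prefixes(dst, pc_addr, configured=16, expected=24)
        print(f"{dst:>16}  /16: {result['configured']}  /24: {result['expected']}")
```

A destination that yields `None` under the configured prefix but a reason under the expected one is visible to Npcap on the wire yet never reaches a listening socket, with nothing logged by the firewall.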

  1. Prior to Wireshark v3.0, WinPcap was used instead of Npcap. However, the last release of WinPcap is over a decade old, and Npcap is equal or better in every regard.

  2. I couldn’t find a good reference for this on Windows, but this recent answer about libpcap suggests that, at least on Linux, libpcap is able to sniff packets before iptables potentially drops them.

  3. The Python application uses the socket library. If you instead use scapy, then you can sniff the packets in Python before they hit the firewall. This is using the same path as Wireshark, since on Windows, scapy also uses Npcap.