I ran into an issue while troubleshooting with Cisco TAC that required me to take some packet captures with Wireshark from a SPAN port on a Cisco switch. Wireshark is the de facto packet capture program out there. It's free, powerful and it works really well. I had never had a problem with it until recently, and in all fairness, it wasn't a problem with Wireshark at all but with the AV software installed on my Windows laptop. If you are taking captures and only seeing the initial SYN, or only the ACK coming back, and you have ESET security on your laptop like I did, then you will find this useful. First, disable your ESET protection completely. If you are in an enterprise environment, you will need the software's administrative password to do so.
Once you do this, you can start capturing entire traces. Apparently the EPFW NDIS LightWeight Filter is a driver that sits in the Windows network driver stack and filters traffic before Wireshark's capture driver ever sees it. Until it is disabled, it simply drops your packets, which are very likely the packets you are looking for. It took us a solid week to figure this issue out. Hopefully, if you're reading this, it will help you solve your problem in much less time.
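A quick way to check for this before spending a week on it is to list which NDIS components are bound to the adapter you are capturing on. The PowerShell below is an added example, not part of the original post; it assumes the capture adapter is named "Ethernet" and that the ESET filter's display name or component ID contains "ESET" or "EPFW" (check the unfiltered listing on your own machine if nothing matches).

```powershell
# Added example: enumerate the NDIS bindings on the capture adapter and flag
# any third-party filter that sits between the NIC and Wireshark.
# Assumptions: adapter name "Ethernet"; ESET's binding is identified by a
# display name or component ID matching "ESET" or "EPFW".
function Get-CaptureAdapterFilters {
    param(
        [string]$AdapterName = 'Ethernet',
        [string]$Pattern     = 'ESET|EPFW'
    )

    # Get-NetAdapterBinding returns one row per protocol/filter/service bound
    # to the adapter, with DisplayName, ComponentID and Enabled.
    $bindings = Get-NetAdapterBinding -Name $AdapterName -ErrorAction Stop

    foreach ($b in $bindings) {
        $isSuspect = ($b.DisplayName -match $Pattern) -or ($b.ComponentID -match $Pattern)
        [pscustomobject]@{
            Enabled     = $b.Enabled
            ComponentID = $b.ComponentID
            DisplayName = $b.DisplayName
            Note        = if ($isSuspect) { 'filter bound ahead of capture' } else { '' }
        }
    }
}

# Show the full binding list so the filter stack is visible, then just the suspects.
Get-CaptureAdapterFilters | Format-Table -AutoSize
Get-CaptureAdapterFilters | Where-Object { $_.Note -ne '' }
```

If the flagged binding shows Enabled = True while your capture is one-sided, that is the driver the post is talking about; re-run the listing after disabling ESET protection to confirm the state changed.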