I tried to find out whether a device in my office tries to send packets under different circumstances.

In one case I could see hundreds of packets sent by the specified client. In the other case (the device should send packets through a VPN tunnel) I didn't see any packets.

So I thought the device wouldn't even try to send packets to devices in another IP range. But it turned out that the firewall actually dropped the packets (I read the logs then).

Why didn't I see the dropped packets in Wireshark? I mean... They took their way from the client to the Firewall and got blocked there, am I right?

edit here: Me (Wireshark) and the sending client are on the same internal network behind the same firewall.

Is there any way to monitor packets that got dropped by the FW?

edit: Here is a setup diagram (kind of...)

  • Dropped packets never make it to the NIC (the firewall kills them before they get there), so Wireshark would never be able to see them. As for seeing what packets are being dropped, you will have to ask the firewall itself. With the Windows Firewall, the only means of notification I am aware of are the log entries in the security log. Commented Jul 17, 2013 at 16:30
  • Could you make a small diagram with the suspicious device, the firewall, where Wireshark is running, and from where to where the VPN tunnel is going? At least describe your setup in a bit more detail.
    – Dubu
    Commented Jul 17, 2013 at 17:26
  • I hope you see what I mean here. But actually Frank's answer explained the problem asciiflow.com/#Draw6847828291934878287 Commented Jul 17, 2013 at 18:22
  • I also tried to clarify the relation between the "client" and "me" (Wireshark). See my edits above. Commented Jul 17, 2013 at 18:27

1 Answer


Depends on where you were running Wireshark.

Unless you were running it on the client, or on a device attached via hub or tap connected to the client, you would never see the packets. That's the point of the firewall; they block things. It's also the point of a switch. Switches don't flood all ports.

If you're on the other end of a VPN running Wireshark looking for packets sent from the client, you're only going to receive packets that have made it to your machine. It's likely you will see no broadcasts from the client, and any packets dropped for whatever reason will not be visible from Wireshark.

To see the packets on the client end, the easiest way is to install Wireshark on the client. For more info, take a look here.

  • I know that I won't see packets behind the firewall. I didn't know that the firewall can drop the packets inside the internal network... Commented Jul 17, 2013 at 18:24
  • Sure can! Just depends on where you put the firewall. A firewall doesn't explicitly filter connections between internal networks and the big bad Internet. Take a look at dual firewall DMZs for example. There's also Windows Firewall as well. Now that I think about it, I simply assumed you meant a hardware firewall.
    – rtf
    Commented Jul 17, 2013 at 19:34
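
Why the capture location matters, as an added sketch that is not part of the original answer: a minimal model of a MAC-learning switch, showing that a Wireshark host on an ordinary switch port sees the client's broadcasts but not its unicast frames to the firewall, while a port that receives a copy of every frame (like the hub or tap mentioned above) sees both. The three-port topology, the MAC addresses, and the assumption that the firewall is the client's gateway are constructed for illustration.

```python
# Added illustration: a minimal MAC-learning switch. All MACs and port numbers are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
CLIENT, SNIFFER, FIREWALL = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
PORT = {CLIENT: 1, SNIFFER: 2, FIREWALL: 3}  # assumed topology: one host per switch port


class LearningSwitch:
    def __init__(self, ports, mirror_port=None):
        self.ports = set(ports)
        self.mirror_port = mirror_port  # port that gets a copy of every frame (like a hub or tap)
        self.mac_table = {}             # MAC address -> port, learned from source addresses

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports a frame is sent out of."""
        self.mac_table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            out = set(self.ports)                 # broadcast or unknown unicast: flood
        else:
            out = {self.mac_table[dst_mac]}       # known unicast: destination port only
        if self.mirror_port is not None:
            out.add(self.mirror_port)
        return out - {in_port}                    # never send back out the ingress port


def sniffer_sees(switch, src_mac, dst_mac):
    """True if the frame is delivered to the port where Wireshark is attached."""
    return PORT[SNIFFER] in switch.forward(PORT[src_mac], src_mac, dst_mac)


def run_scenario(mirror_port=None):
    switch = LearningSwitch(PORT.values(), mirror_port)
    for mac, port in PORT.items():                # each host sends one broadcast (e.g. ARP)
        switch.forward(port, mac, BROADCAST)
    return {
        "client broadcast": sniffer_sees(switch, CLIENT, BROADCAST),
        "client -> firewall unicast": sniffer_sees(switch, CLIENT, FIREWALL),
    }


if __name__ == "__main__":
    print("Wireshark on an ordinary port:", run_scenario())
    print("Wireshark on a mirror port:  ", run_scenario(mirror_port=PORT[SNIFFER]))
```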
