Wireshark and Windows Firewall

windows-7 wireshark windows-firewall
5,871

Solution 1

Where is Wireshark running, on the destination machine or on the source machine? If it's running on the source machine I would expect to see behavior as in # 2. You should see the outgoing connection from the source machine in Wireshark but no return traffic. I'm curious, does the Windows Firewall send a RST when it blocks incoming connections or does it silently drop the connection?

Come to think of it, I might expect to see behavior as in # 2 on the destination machine as well due to the fact that the incoming connection has to be initiated before Windows firewall can do it's job. It can't block a connection that hasn't made it to the destination machine and up to layer 3 yet.

Solution 2

I would think so. The firewall is software within the O/S. The packet still has to come into the machine, bubble up through the networking stack until it hits the firewall, at which point it's accepted and passed or denied and blocked. I would expect this behavior.

Now if the firewall existed between the Internet and your machine, you would see nothing in Wireshark if that external firewall blocked the packet(s).

Share:
5,871

Related videos on Youtube

Franz Wong
Author by

Franz Wong

Currently a Site Reliability Engineer at Take 2 Interactive. Formerly a Site Reliability Engineer for the Stack Exchange network. Prior to my work for Stack Exchange I worked for a small software developer in Sydney, Australia.

Updated on September 17, 2022

Comments

  • Franz Wong
    Franz Wong over 1 year

    If I block a port in the Windows Firewall, and then attempt a connection to that port from another PC, what should I expect to see in Wireshark?

    When running wireshark at the destination machine ('server' for lack of a better term), should I see:

    1. No inbound or outbound connections (which is what I would expect with a hardware firewall)
    2. An inbound connection attempt, but no outbound

    At the moment I'm seeing #2 - I can see the inbound connection attempt, but I never see any response from the machine.

    Should this be the expected behaviour?

  • Franz Wong
    Franz Wong over 14 years
    I suspected as much. I've never really relied on the Windows firewall for anything before, I usually use a hardware firewall
  • Franz Wong
    Franz Wong over 14 years
    Also, by the looks of it, it silently drops the connection, because there's absolutally no traffic going back to the source IP, not even a Refused notification.
  • joeqwerty
    joeqwerty over 14 years
    That makes sense based on my assumption in my second paragraph. Wireshark works from layer 2 and up, while I'm guessing that the Windows firewall works at layer 3 and up (which is probably why you can only create rules that operate at layers 3 and up and not at layer 2). So Wireshark sees the connection at layers 2 and 3 before the Windows firewall acts. Once the Windows firewall acts on the connection, it kills it (I don't know what method it uses) and so there's nothing coming back down the stack for Wireshark to see.
  • joeqwerty
    joeqwerty over 14 years
    @Farseeker: Thanks for accepting my answer. It's nice to have someone who's technical savvy I admire give me a thumbs up.
  • Franz Wong
    Franz Wong over 14 years
    Admire? Well there's a word I don't think I've heard in my direction before. Anyhoo your ServerFault rep is looking quite healthy :) I was surprised to see you on here to be honest, I was expecting a different batch of users!
  • joeqwerty
    joeqwerty over 14 years
    Yeah, I don't get here very often. Yesterday was a fluke I guess. ;)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to capture and analyze bluetooth packets using wireshark
How to set intel centrino advanced-n 6205 in "monitor mode" in Windows 7 (32bit) and Wireshark
Windows 7 Firewall Blocking FTP Server
Does disabling the 'Windows Firewall' service actually work?
Windows could not start the Windows Firewall on Local Computer
Windows 7 PC sends a lot of NetBIOS Name Queries for non-existent computer names
Windows firewall - block all incoming connections enable/disable - CREATE SCRIPT
Turning Off Windows 7 Firewall
How can I stop my computer from doing arp poisoning attacks?
Win 7 firewall blocking Filezilla Server from responding to clients