
Network Captures and Windows 7 Firewall

Windows 7 has a rather capable stateful firewall built into the OS. When troubleshooting network connectivity issues, one often needs to determine whether the client firewall (or something else) is blocking traffic. Quite commonly this involves acquiring a network capture to see what data is reaching the client and comparing that with what the firewall logs.

I’ve just confirmed that network captures taken by Microsoft Network Monitor v3.4, WinPcap (used by Wireshark and WinDump), and netsh all capture data before the Windows Firewall has its way with it. Thus, packets which are dropped by the firewall are seen in a network capture. Confirmation of this was made by sending test TCP and UDP data with the firewall on and off, observing a local app set to receive the data (netcat), seeing which traffic hit the port via an external tap, what was captured locally, and what drops were logged by the firewall. In each case all TCP and UDP data seen by the external tap was also captured locally, even when it was dropped by the Windows Firewall. ICMP (and other IP protocols) were not tested.

This is a Very Good Thing from a network troubleshooting perspective.
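Since the post's method comes down to comparing the firewall's drop log against a capture, here is a small correlation script as an added example (not code from the original post). It assumes the W3C-style layout Windows Firewall writes to pfirewall.log when dropped-packet logging is on (the `#Fields:` header names the columns), and a capture already reduced to protocol/address/port tuples, e.g. from a NetMon, Wireshark or `netsh trace` file; both inputs below are constructed for illustration, not real test data.

```python
"""Cross-check Windows 7 firewall DROP entries against a local packet capture.

Added example, not from the original post. Assumes the W3C-style pfirewall.log
layout (the "#Fields:" header names the columns) and a capture reduced to
(proto, src, dst, sport, dport) tuples. Both inputs are constructed.
"""
from collections import Counter

# Constructed pfirewall.log excerpt. The header lines follow the real format;
# the records themselves are made up for this example.
FIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-03-01 14:02:10 DROP TCP 10.0.0.5 10.0.0.7 49152 4444 52 S 1000 0 8192 - - - RECEIVE
2011-03-01 14:02:11 DROP UDP 10.0.0.5 10.0.0.7 49153 4444 40 - - - - - - - RECEIVE
2011-03-01 14:02:12 ALLOW TCP 10.0.0.5 10.0.0.7 49154 445 52 S 2000 0 8192 - - - RECEIVE
2011-03-01 14:02:13 DROP ICMP 10.0.0.5 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
"""

# Constructed summary of what the local capture tool recorded, as
# (protocol, src-ip, dst-ip, src-port, dst-port); ports are None when the
# protocol has none (ICMP). The ICMP drop above is deliberately absent.
CAPTURE = [
    ("TCP", "10.0.0.5", "10.0.0.7", 49152, 4444),
    ("UDP", "10.0.0.5", "10.0.0.7", 49153, 4444),
    ("TCP", "10.0.0.5", "10.0.0.7", 49154, 445),
]


def _port(value):
    """The firewall log writes '-' for protocols without ports."""
    return int(value) if value.isdigit() else None


def parse_firewall_log(text):
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record before #Fields header; not a pfirewall.log?")
        values = line.split()
        if len(values) != len(fields):
            # truncated or partially written line: skip rather than misalign columns
            continue
        records.append(dict(zip(fields, values)))
    return records


def flow_key(record):
    """5-tuple used to match a log record against captured frames."""
    return (record["protocol"], record["src-ip"], record["dst-ip"],
            _port(record["src-port"]), _port(record["dst-port"]))


def correlate(records, capture):
    """Split firewall DROP records into those the capture saw and those it missed.

    With a capture taken above the firewall (as the post found for NetMon,
    WinPcap and netsh) 'missing' should be empty for TCP/UDP. Anything listed
    there points at a capture taken below the drop point, a capture filter,
    or a field mismatch to investigate before concluding the firewall is at fault.
    """
    captured = Counter(capture)
    seen, missing = [], []
    for rec in records:
        if rec["action"] != "DROP":
            continue
        key = flow_key(rec)
        if captured[key] > 0:
            captured[key] -= 1  # consume one captured frame per logged drop
            seen.append(key)
        else:
            missing.append(key)
    return {"seen": seen, "missing": missing}


if __name__ == "__main__":
    result = correlate(parse_firewall_log(FIREWALL_LOG), CAPTURE)
    for key in result["seen"]:
        print("dropped by firewall, present in capture:", key)
    for key in result["missing"]:
        print("dropped by firewall, NOT in capture:", key)
```

On Windows 7 the drop log is enabled with `netsh advfirewall set allprofiles logging droppedconnections enable` and defaults to `%systemroot%\system32\LogFiles\Firewall\pfirewall.log`; the script matches one captured frame per logged drop, so a flow dropped twice but captured once is reported as missing on its second occurrence rather than silently counted as seen.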
