I am seeing the same exact issue. Any luck getting this one solved yet? I have a ticket with support.
Sounds basic, but check for blocks? Is the log showing any? Check ePO for blocks for suspicious file types. I've seen .pcap files trigger this.
I heard back from tier 3. This is actually a known bug. There seems to be a conflict with HIPS (firewall) and with Wireshark. The FW does not block any packets, it just prevents them from being displayed. The full response is below:
In a nutshell, for workarounds you can either disable the HIPS firewall module when sniffing traffic with Wireshark, or just use RawCap to sniff traffic and then view it in Wireshark.