The stark contrast in idle traffic reveals how Windows 11 prioritizes telemetry and data harvesting over network efficiency. This experiment provides a sobering quantitative look at the privacy cost of modern proprietary operating systems compared to Linux.
Deep Dive
I Ran Wireshark on Windows and Ubuntu. I Wasn't Ready for This.
504 packets. That's how many times Windows phoned home in under 2 minutes.
No browser open, no apps, no user input, just the OS sitting there doing nothing.
Ubuntu, 66. Same machine, same network, same amount of time. I watched it happen live and I still had to double-check the numbers.
Let me show you exactly what was going on because the packet count is actually the least interesting part of what I found. So, the idea was simple. Two virtual machines running side by side on VirtualBox, Windows 11 Pro and Ubuntu.
Both fresh installs, nothing touched, no privacy settings changed, no third-party tools, just the OS exactly how it comes when a normal person installs it. Same network, same host machine. Wireshark on both capturing everything that leaves the machine. That was the plan, anyway.
Reality had other ideas. Starting with Ubuntu, installing Wireshark on Linux is different from Windows. There's no EXE you download from a website. You just open the terminal and run sudo apt install wireshark. And while it's installing, it throws up this prompt, "Should non-superusers be able to capture packets?" Which sounds scary, but you have to say yes, otherwise Wireshark installs and then just sits there not capturing anything. It does warn you it's a security risk. This is a VM purely for testing, so I said yes and moved on. That part was easy. Windows was not easy. So, I try booting up the Windows VM at the same time and instantly, boom, Guru Meditation error.
VirtualBox just kills the whole thing.
Critical error, machine stopped, done.
Now, I have to figure out what's going on. I go into VirtualBox settings, start changing CPU settings, adjusting paravirtualization, trying different things to get it to start. Meanwhile, Ubuntu is already up and running like nothing happened.
And while I'm trying to get Windows to boot, it suddenly starts diagnosing itself. But before I even open a browser, I get hit with a screen asking if I want to let Microsoft and apps use my location. Big yes or no screen. Then more prompts right after that. Windows 11 really pushes these permissions right from the start.
Anyway, I need Wireshark. So, I open a browser, Edge, not going to get into that right now.
I download Wireshark, install it, and somehow that takes longer than setting up Ubuntu from scratch. Meanwhile, I switch back to Ubuntu to start the capture. Wireshark opens, but my network adapter isn't even there, just a bunch of weird interfaces, none of them the actual Ethernet connection I need. Turns out, even though I clicked yes to the non-superusers option during install, I still had to manually add my user to the wireshark group. One command: sudo usermod -aG wireshark $USER
But of course, for that to actually apply, I had to restart the whole VM. So now, Ubuntu's rebooting right when Windows is finally ready.
It's small stuff, but it adds up.
All right, both machines are up, both Wireshark windows open. I start the capture on Ubuntu first and it's calm, just a few packets coming in.
Then I start the Windows capture and instantly, it just takes off. No delay, no hesitation. Before I even move my hand off the mouse, the packet count is already climbing. Ubuntu's sitting there in single digits and Windows is already moving. So, I put both windows side by side and just watch. First thing that caught my eye on the Windows capture, it was hitting Microsoft IPs right away.
2.20.250.16 showing up repeatedly. And there was IPv6 traffic firing, too, which most people completely forget about when they're thinking about blocking telemetry. You can block every IPv4 endpoint you want. If you're not also handling IPv6, you're still leaking. And then, and this one I wasn't expecting on a fresh install, there were ads on the desktop. Windows 11, fresh out of the box, never been used, already serving sponsored content while I'm supposed to be doing a clean network test. That's not a telemetry connection, that's a whole different category of thing Windows is doing in the background.
Ubuntu, on the other side, was talking to Canonical, 185.125.190.99, but nowhere near the same pace, slower, more spaced out, less frantic. By the time I took the first screenshot, Windows was already at 191 packets.
Ubuntu was at 54 and it just kept going from there. I let both of them run for a bit. Then I just stopped it because, honestly, we could have left it there all day. Windows wasn't slowing down.
That's kind of the point. Final numbers, Windows, 504 packets. Ubuntu, 66 packets. Nothing open on either machine, no browser, no apps, no input, just the OS sitting there. Windows pushed out about 7.6 times more traffic than Ubuntu in the same time. Fresh install, doing nothing.
And Ubuntu's traffic? Most of it actually made sense. Connectivity checks, update requests, security stuff, normal background activity. Windows, though, different story. Constant calls to Microsoft servers, steady IPv6 connections, telemetry endpoints cycling, and even ad-related traffic on a system that hadn't even been used yet.
Look, I already knew Windows was going to be worse going into this. That wasn't the surprise. But 504 versus 66 on a completely idle machine? That's not a small gap. That's not "they're basically doing the same thing." That's a completely different approach to what an OS should be doing when you're not even using it.
And honestly, what stood out the most wasn't even the packet count. It was everything it took just to get Windows ready for this test. The crash, the repair process, the location prompts, the ads, all of that before I even started capturing anything.
Ubuntu was just ready from the start.
Also, I actually wrote a script that cuts down a lot of that telemetry and the ads on Windows. I left it in the description if you want to check it out.
If you want me to break down exactly which endpoints Windows was hitting, let me know. There's a lot in that capture I didn't even cover.
And if you think I should run this same test on another Linux distro, tell me which one.
And if you want to go deeper, check out the Patreon in the description.
There are different levels depending on how far you want to go with this stuff, early access to videos, behind the scenes on how I run these tests, full breakdowns, raw Wireshark logs, even the actual tools and scripts I'm using. And at the top tier, you can suggest tests or have a direct say in what I investigate next.
See you in the next one.