Things I learned yesterday: when every component in a network is a switch (as opposed to a hub), capturing packets at any particular point doesn’t give you everything – at least for unicast traffic. Of course that’s ‘obvious’ – it’s the whole point of switches – but it wasn’t so obvious when stepping through a Wireshark capture.
(It was seeing the broadcast ARP packets in the capture, but not the unicast UDP that led to them, that finally kicked my brain that I wasn’t seeing the full story)