one of my team has installed the forwarder on a Windows client. running tcpdump on the backend of splunk enterprise shows:
08:32:06.990056 IP xxx.56097 > splunk.xxx.9997: Flags [P.], seq 777:895, ack 1, win 512, length 118
08:32:06.990080 IP splunk.xxx.9997 >xxx.56097: Flags [.], ack 895, win 2512, length 0
my receiver is enabled on port 9997 but Splunk is not indexing the data. I have other clients using the same setup and they are being indexed.