lewis15. Please see answer I suggested. I believe you are seeing the deployment server poll packet.

Fine. So, what's the actual problem you're experiencing?

all null characters is not proprietary!!!!!!!!!!!!!!!!!!
If there was data/information it would not be all 000000000000000000000000000s

I don't know what else I can say to make you understand this. Data is sent in a proprietary format that will be more than just any log data sent. This is not a problem, this is just the way the data is sent.

If the data that is in the network layer is going to be in the output layer. Also I replaced the universal forwarder with a full Splunk version setup for forwarding and it does the same thing, just sends the computer name and lots of x00s.

Highly possible. You really should look for that in Splunk itself, not try to decipher it on the network layer.

So there isn't any event log data sent, just nulls - x00

OK. What you are seeing is Splunk's own proprietary format for sending data. There's various metadata added apart from the actual raw event. This is not a problem, that's just how it's sent on the wire.

I am looking at the data leaving the forwarder using wireshark.

No, I'm not talking about the forwarder, I'm talking about the Splunk instance you're sending data TO from the forwarder.

universal forwarder does not use splunkweb. There isn't an option in the windows setup to select TCP or UDP.