[Winpcap-users] Possible TOE / Chimney issue -packets not showing up in Wireshark (resolved)

Bryan Mclellan bryanm at widemile.com
Wed Dec 12 00:52:41 GMT 2007

Yup, it's totally a Chimney issue. It's awesome that the driver says TOE is disabled but Chimney is the cause anyways. Perhaps chimney is more or something different than TOE?


1)      I started a capture and display filtered for ldap.

2)      When I saw a bindrequest, I followed the tcp stream and ever saw the full traffic.

3)      I returned to the display filter of ldap

4)      I ran 'Netsh int ip set chimney DISABLED' on the server (according to the above kb article this is the only part of the 'scalable networking pack' (which is integrated into SP2) which can be disabled without a reboot. Other parts require registry mods and a reboot.)

5)      Then I'd start seeing more than just bindrequests, and if I followed the tcp stream on any of these, you'll see the full traffic.

Renabling chimney goes back to producing limited package results.

Bryan McLellan

From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Bryan Mclellan
Sent: Tuesday, December 11, 2007 3:07 PM
To: winpcap-users at winpcap.org
Subject: [Winpcap-users] Possible TOE / Chimney issue, packets not showing up in Wireshark

I believe I have something similar to this: http://www.winpcap.org/pipermail/winpcap-users/2007-May/001837.html

I was first trying to troubleshoot a problem with Offline Address Books not downloading on our Exchange server. When I ran wireshark on the Exchange server and my workstation(windows xp), I saw significantly less traffic on the server.

Today I was trying to troubleshoot and LDAP problem against a DC from a Multifunction Copier. Running wireshark on the server, I was only seeing the threeway handshake and then the ldap bind request. There were no FIN or RST sequences. When I hooked up to the SPAN port I saw the entire TCP stream.

The other user in the linked message  above reported having a Broadcom BCM5708C chip. Maybe the drivers / new chimney code is causing shenanigans that aren't visible.

Wireshark: 0.99.6a
Winpcap: 4.0.1

On a Dell Poweredge 1955, Windows Server 2003 R2 Enterprise x64, with SP2.
Network is Broadcom BCM5708S NetXtreme II GigE (NDIS VBD Client) (x2, only one being used, the other is enabled without an IP)
Driver: bxnd52a.sys version 4/3/2006

In the driver properties:
Checksum Offload: None
Large Send Offload: Disable
Receive Side Scaling: Enable

In "Broadcom Advanced Control Suite 2" the Advanced tab has the same options and values.

Bryan McLellan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20071212/b41ba7e9/attachment-0001.htm

More information about the Winpcap-users mailing list