[Winpcap-users] Strangest thing ever !!! Captures only TCP 3-way handshake negotiation and not any data ?!?

Gianluca Varenni gianluca.varenni at cacetech.com
Thu May 3 22:39:43 GMT 2007


The only thing that comes to my mind is TCP offloading directly on the board 
(and this seems to be confirmed by the Broadcom specs on the web). And it's 
entirely possible that all the TCP offloading logic (in the OS, Broadcom 
driver and card) is smart enough to offload only the traffic generated by 
some application (e.g. IE) rather than another (e.g. telnet and the user 
typing letters on the keyboard).

The only suggestion that comes to my mind is to try to disable the TCP 
offload engine on the board.

Hope it helps
GV


----- Original Message ----- 
From: "Free Prefix" <free.prefix at gmail.com>
To: <winpcap-users at winpcap.org>
Sent: Thursday, May 03, 2007 5:50 AM
Subject: [Winpcap-users] Strangest thing ever !!! Captures only TCP 
3-way handshake negotiation and not any data ?!?


> Hello All,
>
> Recently I have encountered a very strange phenomenon happening on one
> of our new servers.
>
> Server details:
> IBM XSeries_3550, Intel Xeon CPU 5130 @ 2 GHz
> Network Card: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
> WinPCap 4
> Wireshark: 0.99.5
>
> When sniffing network traffic with Wireshark, I can see only the TCP
> 3-way handshake captured but not the traffic itself afterwards. This
> happens using any winsock application including Internet Explorer and
> such; see attached: Browsing_through_iexplore.cap
> The most bizarre thing is that if I am doing "telnet" to the same web
> server and passing data through the connection I can indeed see the
> traffic, see: Browsing_through_telnet.cap
>
> I thought at first it could be a running Antivirus application or such
> that at some level captures the network traffic to analyze viruses
> before it reaches winpcap but I doubt it because no such application
> exists on the server.
>
> I also tried to play with the advanced features of the card such as:
> Jumbo frames, Jumbo MTU size etc., Large Send Offload etc. ... but got
> the same results.
>
> Any thoughts around this?
>
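
One way to spot this symptom in a saved capture, as an added example that is not part of the original thread: the Python function below lists TCP flows whose SYN and SYN/ACK were captured but whose payload never was, the pattern described in the original post. The parser, the helper names and the sample addresses and ports are constructed for illustration, and it reads classic pcap files with Ethernet framing only.

```python
import struct
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10

def handshake_only_flows(pcap):
    """List TCP flows whose SYN and SYN/ACK were captured but no payload bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    flows = defaultdict(lambda: {"syn": False, "synack": False, "payload": 0})
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        # Total length 0 can appear when segmentation is offloaded; use frame size.
        ip_total = struct.unpack("!H", frame[16:18])[0] or len(frame) - 14
        tcp = frame[14 + ihl:14 + ihl + 20]
        if len(tcp) < 20:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        state = flows[tuple(sorted([(frame[26:30], sport), (frame[30:34], dport)]))]
        if tcp[13] & SYN:
            state["synack" if tcp[13] & ACK else "syn"] = True
        state["payload"] += max(0, ip_total - ihl - (tcp[12] >> 4) * 4)
    quiet = [k for k, s in flows.items() if s["syn"] and s["synack"] and not s["payload"]]
    return [" <-> ".join(f"{'.'.join(map(str, ip))}:{port}" for ip, port in k)
            for k in sorted(quiet)]

def build_frame(src, dst, sport, dport, flags, payload=b""):  # constructed sample traffic
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap():
    """Constructed capture: port 1025 shows only the handshake, port 1026 also carries data."""
    c, s = [10, 0, 0, 5], [10, 0, 0, 9]
    frames = []
    for port in (1025, 1026):
        frames += [build_frame(c, s, port, 80, SYN), build_frame(s, c, 80, port, SYN | ACK),
                   build_frame(c, s, port, 80, ACK)]
    frames.append(build_frame(c, s, 1026, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A flow listed here while the application demonstrably exchanged data indicates that the capture point is being bypassed, for example by a TCP offload engine as the reply above suggests.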