[Winpcap-users] Strangest thing ever !!! Captures only TCP 3-wayhandshake negotiation and not any data ?!? Solution FOUND !!

Free Prefix free.prefix at gmail.com
Sun May 6 10:02:39 GMT 2007


Gianluca, you are the man! You gave me the right thinking path to go
through, and after some research I have found a solution!!! :)
The solution is to disable the new "Chimney" capabilities
established by Microsoft and some hardware vendors, reference:
http://support.microsoft.com/kb/912222

Follow these steps:

Edit the registry and set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney
to 0
Restart the machine and there you go.

Hope this will help some people.

-fp




On 5/4/07, Gianluca Varenni <gianluca.varenni at cacetech.com> wrote:
> The only thing that comes to my mind is TCP offloading directly on the board
> (and this seems to be confirmed by the broadcom specs on the web). And it's
> entirely possible that all the TCP offloading logic (in the OS, broadcom
> driver and card) is smart enough to offload only the traffic generated by
> some application (e.g. IE) rather than another (e.g. telnet and the user
> typing letters on the keyboard).
>
> The only suggestion that comes to my mind is to try to disable the TCP
> offload engine on the board.
>
> Hope it helps
> GV
>
>
> ----- Original Message -----
> From: "Free Prefix" <free.prefix at gmail.com>
> To: <winpcap-users at winpcap.org>
> Sent: Thursday, May 03, 2007 5:50 AM
> Subject: [Winpcap-users] Strangest thing ever !!! Captures only TCP
> 3-wayhandshake negotiation and not any data ?!?
>
>
> > Hello All,
> >
> > Recently I have encountered a very strange phenomenon happening on one
> > of our new servers.
> >
> > Server details:
> > IBM XSeries_3550, Intel Xeon CPU 5130 @ 2 GHz
> > Network Card: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
> > WinPCap 4
> > Wireshark: 0.99.5
> >
> > When sniffing network traffic with Wireshark, I can see only the TCP
> > 3-way handshake captured but not the traffic itself afterwards. This
> > happens using any winsock application, including Internet Explorer and
> > such; see attached: Browsing_through_iexplore.cap
> > The most bizarre thing is that if I am doing "telnet" to the same web
> > server and passing data through the connection I can indeed see the
> > traffic, see: Browsing_through_telnet.cap
> >
> > I thought at first it could be a running Antivirus application or such
> > that at some level captures the network traffic to analyze viruses
> > before it reaches winpcap but I doubt it because no such application
> > exists on the server.
> >
> > I also tried to play with the advanced features of the card such as:
> > Jumbo frames, Jumbo MTU size, Large Send Offload, etc. ... but got
> > the same results.
> >
> > Any thoughts around this?
> >
>
>
> --------------------------------------------------------------------------------
>
>
> > _______________________________________________
> > Winpcap-users mailing list
> > Winpcap-users at winpcap.org
> > https://www.winpcap.org/mailman/listinfo/winpcap-users
> >
>
>
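The symptom reported in this thread (a capture that contains the TCP 3-way handshake but no data segments, later traced to TCP Chimney offload) can be checked for mechanically. The following is an added example, not code from the thread or from WinPcap; the function names and the sample frames are constructed for illustration, and it assumes untagged Ethernet frames carrying IPv4.

```python
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08

def frame(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample, checksums zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def parse(raw):
    """Return (flow_key, tcp_flags, payload_len) for an IPv4/TCP frame, else None."""
    if len(raw) < 54 or raw[12:14] != b"\x08\x00" or raw[23] != 6:
        return None
    ihl = (raw[14] & 0x0F) * 4
    total = struct.unpack("!H", raw[16:18])[0]  # IP length, so Ethernet padding is ignored
    t = 14 + ihl
    sport, dport = struct.unpack("!HH", raw[t:t + 4])
    doff = (raw[t + 12] >> 4) * 4
    a, b = (raw[26:30], sport), (raw[30:34], dport)
    return (min(a, b), max(a, b)), raw[t + 13], total - ihl - doff

def handshake_only_flows(frames):
    """Flows where SYN and SYN-ACK were captured but no segment carried payload."""
    seen = defaultdict(lambda: {"syn": False, "synack": False, "data": 0})
    for raw in frames:
        p = parse(raw)
        if p is None:
            continue
        key, flags, plen = p
        s = seen[key]
        if flags & SYN:
            s["synack" if flags & ACK else "syn"] = True
        s["data"] += max(plen, 0)
    return sorted(k for k, s in seen.items() if s["syn"] and s["synack"] and s["data"] == 0)

# Constructed sample: one flow that stops after the handshake, one that carries data.
C, S = (10, 0, 0, 5), (10, 0, 0, 80)
SAMPLE = [
    frame(C, S, 50000, 80, SYN), frame(S, C, 80, 50000, SYN | ACK), frame(C, S, 50000, 80, ACK),
    frame(C, S, 50001, 80, SYN), frame(S, C, 80, 50001, SYN | ACK), frame(C, S, 50001, 80, ACK),
    frame(C, S, 50001, 80, ACK | PSH, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for a, b in handshake_only_flows(SAMPLE):
        print("handshake only:", ".".join(map(str, a[0])), a[1], "<->", ".".join(map(str, b[0])), b[1])
```

A high share of handshake-only flows on a host that is known to be exchanging data is a hint that the capture point is being bypassed, as happened here, rather than that the connections are idle.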
