[Winpcap-users] One-way captures on NLB nic

James Megna jmegna at advancedacademics.com
Tue Oct 23 10:57:43 PDT 2012

Hi group.

What issues are known concerning interoperability between WinPcap and Network Load Balancing in Windows?

I occasionally perform a packet capture to troubleshoot client problems.  Noticed an anomaly with captures on Windows servers running Network Load Balancing. Here are my observations:

The lab consists of the following:

4 servers
1 firewall appliance with 1:1 configured for the NLB IP address
8 clients

From any server in this lab farm:
Inbound traffic is captured correctly from the NLB NIC. I see all traffic inbound from clients to web apps hosted on these servers and know that traffic is going to the correct NIC.
**Outbound traffic on the NLB NIC is not recorded. This holds true whether the capture is in promiscuous mode or not.**
Inbound and outbound traffic are recorded normally on the dedicated NIC for each server as they communicate with each other behind the firewall.
On the client side, a corresponding packet capture shows that clients see server traffic from the NLB IP address just fine.
From the firewall, I see inbound and outbound communication from each server's NLB NIC, which further suggests that traffic is passing normally.
My web apps work normally, and affinity is being maintained.

These observations hold true whether I am using Wireshark or WinDump, which is why I am asking the WinPcap group.

My environment:

WinPcap 4.1.2, as bundled with Wireshark 1.8.3
Cisco ASA 5505 (meh, it's a lab.)
4 HP ProLiant servers
HP NC326i dual port adapter (Broadcom), tested driver versions are from 2010 and from 2012.
Both a dedicated NIC and a clustered NIC are configured.
NLB has the following attributes:
*       Four servers converged
*       Unicast mode
*       Port rules defined for 80 and 443
*       Multi host with Single affinity

I searched known bugs / issues and probably missed a checkbox somewhere or something. Any thoughts? Multicast deal?


