[Winpcap-users] Strangest thing ever !!! Captures only TCP 3-way handshake negotiation and not any data ?!? Solution FOUND !!
Gianluca Varenni
gianluca.varenni at cacetech.com
Fri May 11 17:03:54 GMT 2007
----- Original Message -----
From: "Free Prefix" <free.prefix at gmail.com>
To: <winpcap-users at winpcap.org>
Sent: Sunday, May 06, 2007 3:02 AM
Subject: Re: [Winpcap-users] Strangest thing ever !!! Captures only TCP 3-way handshake negotiation and not any data ?!? Solution FOUND !!
> Gianluca, you are the man! You gave me the right thinking path to go
> through and after some research I have found a solution !!! :)
> The solution is to disable the new "Chimney" capabilities
> established by Microsoft and some hardware vendors, reference:
> http://support.microsoft.com/kb/912222
Nice. The only drawback is that you basically lose all the nice offloading
features of your (maybe expensive) NIC. Sometimes this is NOT acceptable
(especially on a high end server).
Just my two cents
GV
>
> Follow these steps:
>
> Edit the registry and set:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPChimney
> to 0
> Restart the machine and there you go.
>
> Hope this will help some people.
>
> -fp
>
> On 5/4/07, Gianluca Varenni <gianluca.varenni at cacetech.com> wrote:
>> The only thing that comes to my mind is TCP offloading directly on the
>> board (and this seems to be confirmed by the Broadcom specs on the web).
>> And it's entirely possible that all the TCP offloading logic (in the OS,
>> Broadcom driver and card) is smart enough to offload only the traffic
>> generated by some application (e.g. IE) rather than another (e.g. telnet
>> and the user typing letters on the keyboard).
>>
>> The only suggestion that comes to my mind is to try to disable the TCP
>> offload engine on the board.
>>
>> Hope it helps
>> GV
>>
>>
>> ----- Original Message -----
>> From: "Free Prefix" <free.prefix at gmail.com>
>> To: <winpcap-users at winpcap.org>
>> Sent: Thursday, May 03, 2007 5:50 AM
>> Subject: [Winpcap-users] Strangest thing ever !!! Captures only TCP
>> 3-way handshake negotiation and not any data ?!?
>>
>>
>> > Hello All,
>> >
>> > Recently I have encountered a very strange phenomenon happening on one
>> > of our new servers.
>> >
>> > Server details:
>> > IBM XSeries_3550, Intel Xeon CPU 5130 @ 2 GHz
>> > Network Card: Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
>> > WinPCap 4
>> > Wireshark: 0.99.5
>> >
>> > When sniffing network traffic with Wireshark, I can see only the TCP
>> > 3-way handshake captured but not the traffic itself afterwards. This
>> > happens using any winsock application including Internet Explorer and
>> > such, see attached: Browsing_through_iexplore.cap
>> > The most bizarre thing is that if I am doing "telnet" to the same web
>> > server and passing data through the connection I can indeed see the
>> > traffic, see: Browsing_through_telnet.cap
>> >
>> > I thought at first it could be a running Antivirus application or such
>> > that at some level captures the network traffic to analyze viruses
>> > before it reaches winpcap but I doubt it because no such application
>> > exists on the server.
>> >
>> > I also tried to play with the advanced features of the card such as:
>> > Jumbo frames, Jumbo MTU size, Large Send Offload, etc. ... but got
>> > the same results.
>> >
>> > Any thoughts around this ?
>> >
>>
>> > _______________________________________________
>> > Winpcap-users mailing list
>> > Winpcap-users at winpcap.org
>> > https://www.winpcap.org/mailman/listinfo/winpcap-users
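The symptom discussed in this thread (the handshake is captured, the data is not, which the thread traces to TCP Chimney offload) can be looked for in a saved capture. The following is an added example, not code from the original messages or from WinPcap: it reads a classic pcap file and lists TCP flows whose SYN and SYN/ACK were captured but which never show a payload byte. The function names and the sample addresses, ports and packets are constructed for illustration; an idle connection looks the same, so a hit is a hint to check the offload settings, not proof.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10

def tcp_segments(pcap):
    """Yield (src, dst, flags, payload_len) per IPv4/TCP frame of a classic pcap."""
    end = "<" if pcap[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        tcp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp + 14:
            continue  # TCP header truncated by the snap length
        # IP total length ignores Ethernet padding; it can read 0 when
        # segmentation is offloaded, so fall back to the captured length.
        total = struct.unpack("!H", frame[16:18])[0] or len(frame) - 14
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        yield (src, sport), (dst, dport), frame[tcp + 13], total - (tcp - 14) - (frame[tcp + 12] >> 4) * 4

def handshake_only_flows(pcap):
    """Flows where SYN and SYN/ACK were captured but no payload byte was."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "data": 0})
    for src, dst, flags, plen in tcp_segments(pcap):
        flow = flows[tuple(sorted((src, dst)))]
        if flags & SYN:
            flow["synack" if flags & ACK else "syn"] = True
        flow["data"] += max(plen, 0)
    return sorted(k for k, f in flows.items() if f["syn"] and f["synack"] and not f["data"])

def record(src, dst, sport, dport, flags, payload=b""):
    """Constructed sample record: Ethernet + IPv4 + TCP, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    pkt = b"\0" * 12 + b"\x08\x00" + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def sample_capture():
    """Constructed capture: a port-80 flow with handshake only, a telnet flow with data."""
    c, s = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    pkts = [record(c, s, p, d, SYN) + record(s, c, d, p, SYN | ACK) + record(c, s, p, d, ACK)
            for p, d in ((49152, 80), (49153, 23))]
    return hdr + b"".join(pkts) + record(c, s, 49153, 23, ACK | 0x08, b"ls\r\n")
```

To check a real capture, pass the bytes of the saved file to `handshake_only_flows`; pcapng files need converting to classic pcap first.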