Wireshark-users: Re: [Wireshark-users] Wireshark only capturing TCP handshake

From: John Temples <wireshark@xxxxxxxxx>
Date: Tue, 4 Mar 2008 14:36:26 -0800 (Pacific Standard Time)
As far as I can tell, it doesn't have a TCP offload engine.  If it
did, would I see different behavior depending on whether the
connection originated locally vs. remotely?

On Tue, 4 Mar 2008, Gianluca Varenni wrote:

If it's not a firewall problem (e.g. because the firewall is a specific piece of hardware on the LAN, and not a software product), another possibility is TCP chimney, i.e. your network card performs TCP offloading. In this case the card is responsible for dealing with the TCP sessions almost completely and WinPcap/Wireshark do not see the packets.

Have a nice day
GV




----- Original Message -----
From: "Jaap Keuter" <jaap.keuter@xxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Tuesday, March 04, 2008 1:20 PM
Subject: Re: [Wireshark-users] Wireshark only capturing TCP handshake


Hi,

Let me ask you: The firewall is on the troubled platform? And this firewall has rules for incoming non-local connections? Bet your firewall is interfering in the network stack.

Thanx,
Jaap

John Temples wrote:
I'm trying to capture some incoming HTTP connections with Wireshark
0.99.8 on a Windows Server 2003 system.  The only thing Wireshark
captures is the three packets in the three-way handshake of the TCP
connection; no other packets related to the connection are captured.
However, the connection completes successfully.  No capture filter is
active in Wireshark.

When running Wireshark on the PC that originates the connection, the
entire transaction is successfully captured on the originating PC.

When the connection originates from a PC on the same LAN as the
Windows 2003 Server system, Wireshark on the Windows 2003 Server
system successfully captures the entire transaction.

The problem only occurs when the connection originates from the
Internet.  The LAN in question has a SonicWALL firewall with no
special configuration.

What could cause Wireshark not to see the entire connection?

--
John W. Temples, III

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

--
John W. Temples, III
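
The symptom discussed in this thread (a capture that holds the three-way handshake of a connection and nothing after it) can be checked for across a whole capture. The following is an added example, not code from the thread or from Wireshark; the packet records, addresses and the tuple layout `(src, sport, dst, dport, tcp_flags, payload_len)` are constructed for illustration.

```python
from collections import defaultdict

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CTRL = FIN | SYN | RST | ACK  # bits that define the handshake steps

# Constructed sample records: (src, sport, dst, dport, tcp_flags, payload_len)
SERVER = ("192.168.1.10", 80)
LAN = ("192.168.1.20", 50001)
WAN = ("203.0.113.7", 40000)
PACKETS = [
    (*LAN, *SERVER, SYN, 0),
    (*SERVER, *LAN, SYN | ACK, 0),
    (*LAN, *SERVER, ACK, 0),
    (*LAN, *SERVER, PSH | ACK, 120),   # HTTP request is visible
    (*SERVER, *LAN, PSH | ACK, 900),   # HTTP response is visible
    (*LAN, *SERVER, FIN | ACK, 0),
    (*WAN, *SERVER, SYN, 0),
    (*SERVER, *WAN, SYN | ACK, 0),
    (*WAN, *SERVER, ACK, 0),           # nothing captured after this
]

def handshake_only_flows(packets):
    """Return (client, server) pairs whose capture is exactly SYN, SYN-ACK, ACK."""
    flows = defaultdict(list)
    for src, sport, dst, dport, flags, plen in packets:
        a, b = (src, sport), (dst, dport)
        # Sort the endpoints so both directions land in the same flow
        flows[tuple(sorted((a, b)))].append((a, b, flags & CTRL, plen))
    found = []
    for pkts in flows.values():
        if len(pkts) != 3:
            continue  # missing handshake packets, or traffic beyond it
        (c1, s1, f1, _), (s2, c2, f2, _), (c3, s3, f3, p3) = pkts
        if (f1 == SYN and f2 == SYN | ACK and f3 == ACK and p3 == 0
                and c1 == c2 == c3 and s1 == s2 == s3):
            found.append((c1, s1))
    return found

if __name__ == "__main__":
    for client, server in handshake_only_flows(PACKETS):
        print("handshake only: %s:%d -> %s:%d" % (*client, *server))
```

A flow flagged here only shows that the capture point did not see the rest of the connection; it does not say which of the causes raised in the thread is responsible.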