This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

PCI NIC interferes with traffic, WireShark setup.

0

Hi,

We're currently having an issue with our WireShark set up any help would be appreciated . Details are below:

I currently have a x32bit Windows XP computer with the WireShark version 1.8.0 installed. We've got port forwarding set up on the built in NIC and it does not have an IP address assigned. We also require the computer to be on the network so I added a PCI NIC which is connected to the network on a separate switch. The specific traffic we're interested in is tcp port 8080 and mapi.

However with the PCI NIC enabled the computer stops capturing the specific traffic, when the PCI NIC is disabled we're able to see the specific traffic. Would anyone have any ideas or suggestions as to how to correct this? If more information is required please let me know.

Thank you in advance

asked 25 Jul '12, 11:37

nyc's gravatar image

nyc
0235
accept rate: 0%

edited 01 Aug '12, 12:00

One Answer:

0

Please try to restart the NPF service after you enabled the PCI NIC.

sc stop npf
sc start npf

Then double check that the right interface was chosen in Wireshark after you enabled the PCI NIC. Maybe the interface order changed by enabling the PCI NIC and Wireshark/WinPcap got confused (just guessing on this one!).

You can check with this command:

dumpcap -D -M

Regards
Kurt

answered 25 Jul '12, 11:59

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 25 Jul '12, 12:02

Hi Kurt,

Tried this but no luck with the issue. It is an old dell machine going to try updating the drivers see if this works.

Thanks

(31 Jul '12, 08:49) nyc

What is the output of dumpcap -D -M with the PCI NIC enabled AND disabled?

(31 Jul '12, 09:07) Kurt Knochner ♦

PCI NIC ENABLED

1.\Device\NPF_{FDCC3224-5865-4262-A026-04160C94CA83} 3Com 3C90x Ethernet Adapter (Microsoft's Packet Scheduler) 10.1.1.157 network

2.\Device\NPF_{8024873E-3064-4011-8D9A-C24212420D1F} Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) network

PCI NIC DISABLED

1.\Device\NPF_{8024873E-3064-4011-8D9A-C24212420D1F} Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) network

(01 Aug '12, 07:15) nyc

looks O.K. I don't see any reason (yet) why capturing should stop after you enabled the PCI NIC.

Can you please describe exactly how you tried to capture while the PCI NIC (3Com) is enabled?

  • Did you restart Wireshark? If no: please do so.
  • Did you select the right interface (order of the interfaces changes!)?
  • Do you see any traffic at all on ANY interface if the PCI NIC is enabled?
  • Do you see any traffic if you run the following command, while the PCI NIC is enabled?

tshark -n -i 2

(01 Aug '12, 07:21) Kurt Knochner ♦

Ah, so, it's just no TCP traffic?

Sounds like some "effect" caused by TCP Chimney or TCP Offloading in the driver. Not sure why that would be only a problem with a second NIC enabled, but you never know.

Please check my answer in a similar question. Try to disable "TCP Connection Offload" in the driver of the NetXtreme NIC (please also check 3Com driver settings!).

Additionally, you can try to disable it in Windows:

http://wiki.wireshark.org/CaptureSetup/Offloading

(01 Aug '12, 07:50) Kurt Knochner ♦

Capturing does not stop im able to see STP,UDP,ARP and LLDP traffic. I select the Broadcom NIC> capture > start (no filters are applied)

-I have tried restarting WireShark several times

-The right interface is selected (Broadcom). When your refer to order,are you referring to how it is shown in the selection list? For example 3com comes first and below that is Broadcom.

-When i run the command I only see select traffic with the PCI NIC enabled. Once i disable the PCI NIC i am able to see TCP and other traffic.

Everything looks ok to me as well so I’m not sure what I’m missing in the setup.

(01 Aug '12, 08:12) nyc

did you check the TCP Offloading "issue" I mentioned?

(01 Aug '12, 08:15) Kurt Knochner ♦

sorry i missed that comment earlier. I just tried to find the tcp offloading option. Device Manager > network adaptors > broadcom > properties > advanced tab... here there is no option available stating anything about tcp offloading.

Ive also tried the netsh int ip set chimney disabled command and netsh int tcp set global chimney=disabled. However it says the following command was not found for both.

(01 Aug '12, 09:22) nyc

I then tried the following and it returned with the options below. C:netsh interface ip> set

The following commands are available:

Commands inherited from the netsh context:

-set file - Copy the console output to a file.

-set machine - Sets the current machine on which to operate.

-set mode - Sets the current mode to online or offline.

Commands in this context:

-set address - Sets the IP address or default gateway to the specified interfa ce.

-set dns - Sets DNS server mode and addresses.

-set wins - Sets WINS server mode and addresses. no command for set global is available..

(01 Aug '12, 09:26) nyc

I forgot that you use Windows XP. The chimney option is not available there. Currently I'm running out of ideas.

Was there no offloading at all, or just no TCP Offload in the driver settings? If there is any Offloading enabled (no matter what), disable it and try again.

Is there any interfering software installed on you XP (Firewall, AV, IDS, Endpoint Security, etc.). If so, please disable or uninstall and try again.

(01 Aug '12, 09:36) Kurt Knochner ♦

There was no offloading option that I could find in the settings. I had turned off firewall, AV, endpoint security etc. Another option would be to upgrade the OS and try again.

Thank you for trying I really appreciate it. Will continue to look for a soultion if I do come across anything I will post it.

Thanks,

(01 Aug '12, 10:48) nyc
showing 5 of 11 show 6 more comments