I have a Win2003 server with two HP NC382i DP network controllers [v5.2.17.0] working as a team (Network Teaming Intermediate Driver, NTID) [CPQTEAM.sys v9.90.1.0]. I execute a web service test from a Win7 client. If I capture on the server (with Wireshark or with dumpcap) I only capture the first 3 packets of every TCP socket. They are always [SYN], [SYN, ACK] and [ACK]. If I capture on the client (Win7) I can see all the expected packets of the socket (6 typically). Also, if the socket is pre-established (there is no 3-way handshake), on the server I cannot capture any packet, but on the client I can. Is there any limitation with the network cards or the teaming configuration I have?
asked 22 Oct '13, 08:22 Chirrin Dul Ari
One Answer:
That's most certainly due to TCP offloading into the NIC driver. The connection setup is handled by the OS and the rest of the TCP connection is offloaded into the NIC driver. So, if you want to capture the whole connection on the server, you would have to disable TCP offloading. But is that really worth doing, just to be able to capture on the server? I suggest capturing on a mirror/monitor port of the switch instead. Regards
answered 22 Oct '13, 08:31 Kurt Knochner ♦ edited 22 Oct '13, 08:34
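The symptom in the question (every stream stops after SYN, SYN/ACK, ACK; pre-established streams are absent entirely) has a recognisable shape in a capture, and the cleanest way to confirm a capture point is sitting above an offload boundary is to compare it with a capture from the other end. The script below is an added example, not code from the thread or from Wireshark; it works on constructed packet summaries (IPs, ports, flags, payload length) rather than a real pcap, and the labels "handshake_only", "with_data" and "mid_stream" are this example's own names.

```python
from collections import defaultdict

# Flag sequence of a normal TCP 3-way handshake, in order.
HANDSHAKE = [frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})]


def pkt(src, sport, dst, dport, flags, length=0):
    """Build a minimal packet summary (constructed data, no pcap parsing)."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "len": length}


def stream_key(p):
    """Direction-independent key so both halves of a connection share one stream."""
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def group_streams(packets):
    """Group packets (in capture order) by TCP stream."""
    streams = defaultdict(list)
    for p in packets:
        streams[stream_key(p)].append(p)
    return streams


def classify_stream(pkts):
    """Label one stream by what the sniffer actually saw of it.

    handshake_only: SYN, SYN/ACK, ACK and nothing carrying payload afterwards;
                    this is what a capture above a TCP-offload boundary shows.
    with_data:      handshake followed by at least one payload-bearing segment.
    mid_stream:     no handshake at the start (pre-established connection).
    """
    flags = [p["flags"] for p in pkts]
    has_payload = any(p["len"] > 0 for p in pkts)
    starts_with_handshake = flags[:3] == HANDSHAKE
    if starts_with_handshake and not has_payload:
        return "handshake_only"
    if starts_with_handshake:
        return "with_data"
    return "mid_stream"


def classify_capture(packets):
    """Map every stream key in a capture to its label."""
    return {key: classify_stream(pkts) for key, pkts in group_streams(packets).items()}


def offload_suspected(packets):
    """True when every stream that began with a handshake never showed payload.

    One such stream could be an aborted connection; all of them is the
    offload signature described in the thread.
    """
    labels = [l for l in classify_capture(packets).values() if l != "mid_stream"]
    return bool(labels) and all(l == "handshake_only" for l in labels)


def streams_missing(reference_packets, capture_packets):
    """Streams present in a reference capture (e.g. the client side) but absent
    from another capture of the same traffic (e.g. the server side)."""
    return set(group_streams(reference_packets)) - set(group_streams(capture_packets))


# Constructed sample: a Win7-style client capture of one full request/response
# stream plus one pre-established stream, and a server capture that only saw
# the handshake of the first stream (the situation described in the question).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
CLIENT_CAPTURE = [
    pkt(CLIENT, 50001, SERVER, 8080, {"SYN"}),
    pkt(SERVER, 8080, CLIENT, 50001, {"SYN", "ACK"}),
    pkt(CLIENT, 50001, SERVER, 8080, {"ACK"}),
    pkt(CLIENT, 50001, SERVER, 8080, {"PSH", "ACK"}, 312),   # request body
    pkt(SERVER, 8080, CLIENT, 50001, {"PSH", "ACK"}, 1040),  # response body
    pkt(CLIENT, 50001, SERVER, 8080, {"FIN", "ACK"}),
    pkt(CLIENT, 50002, SERVER, 8080, {"PSH", "ACK"}, 200),   # pre-established socket
    pkt(SERVER, 8080, CLIENT, 50002, {"ACK"}),
]
SERVER_CAPTURE = CLIENT_CAPTURE[:3]


if __name__ == "__main__":
    for name, cap in (("client", CLIENT_CAPTURE), ("server", SERVER_CAPTURE)):
        print(name, classify_capture(cap), "offload suspected:", offload_suspected(cap))
    print("streams the server capture never saw:", streams_missing(CLIENT_CAPTURE, SERVER_CAPTURE))
```

Run against real traffic, the packet summaries would come from a `tshark -T fields` export or a pcap reader; the comparison only needs addresses, ports, flags and payload length. A capture that reports "offload suspected" for every connection is telling you the sniffer sits above the point where the NIC takes over, so the missing data is a property of the capture point, not of the application.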
Thank you Kurt. Probably you are right, but I still don't understand why Wireshark cannot see the packet containing application data (CPU work, I guess), but can see the TCP handshaking (network card work).
As you suggest, it is better to leave the server (in production) as it is configured and try to capture traffic from another point.
Thank you.
That's because of the way WinPcap (the capture library on Windows) is 'attached' to the TCP/IP stack. Please read the following: