Hello, I'm currently facing an issue when trying to capture network communications from Win 7 x64 stations. When I start a capture from a client, most of the time I don't see the packets sent by the client in the capture. Strangely, it's quite random. Sometimes I see packets from the client at the beginning of the communication, but after a short while I see only packets from the server. Do you have any idea what is causing this issue? This is blocking my network analysis, so I need to solve it. Is this related to offload / chimney behavior? Thanks for your help.
asked 15 Jan '14, 06:40 any-one edited 10 Feb '14, 05:55
One Answer:
That's usually a sign of TCP offloading into the NIC driver. You will see the 3-way handshake and then nothing, as the rest of the communication is handled by the NIC itself and that traffic is invisible to Wireshark (due to the way the capturing library inserts itself into the kernel). BTW: Apparently you already knew that, as you chose the right tags (offload and chimney) ;-)) There are other reasons, like 'strange network drivers', security software, etc.
See also other, similar, questions with the tags 'outgoing' or 'outbound'
BTW: I just updated the tags of some of those questions, as this specific problem has come up a few times lately. Regards
answered 15 Jan '14, 07:03 Kurt Knochner ♦ edited 15 Jan '14, 07:17
Thanks for your reply. I'm facing this issue even when I try to PING a server. I see only echo reply packets, no echo requests, even when using a wireless network. (15 Jan '14, 08:22) any-one
Did you look at the 'DNE problem' (actually 'DNE LightWeight Filter' as part of a VPN client installed on the system)? (15 Jan '14, 08:32) Kurt Knochner ♦
I'm pretty sure there's no VPN client installed on the stations. I can double check. (15 Jan '14, 09:13) any-one
Any other security software, like Endpoint protection, AV and the like? (15 Jan '14, 09:54) Kurt Knochner ♦
Symantec Endpoint Protection is installed on our clients. I'll request the right to disable it. I'll let you know. (16 Jan '14, 00:35) any-one
O.K. that one is known to cause such an effect. (16 Jan '14, 00:47) Kurt Knochner ♦
Hello, I can confirm. I am now able to disable Symantec Endpoint Protection (SEP) and now I can see all packets in Wireshark! (10 Feb '14, 05:53) any-one
Good! Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up). (10 Feb '14, 06:32) Kurt Knochner ♦
Try searching the site for "outgoing packets". This comes up a lot and is usually AV or VPN software or TCP offloading.
I already tried to deactivate TCP Offload without success :(
netsh int tcp set global chimney=disabled
I checked the NIC settings, there's no specific setting about offload. So I don't really understand the source of the issue.
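A quick way to confirm the symptom discussed in this thread (outbound frames missing while the peer's replies are still captured) before chasing offload settings or filter drivers. This is an added example, not code from the thread or from Wireshark; it assumes the capture was exported with something like `tshark -r capture.pcapng -T fields -E separator=, -e ip.src -e ip.dst -e _ws.col.Info`, and the sample lines and addresses below are constructed.

```python
from collections import defaultdict

# Constructed sample: host 10.0.0.5 pings 10.0.0.1 and opens a TCP
# connection to 10.0.0.10. Only the first echo request, the handshake
# and the peers' replies are visible, i.e. the pattern from the thread.
SAMPLE = """\
10.0.0.5,10.0.0.1,Echo (ping) request  id=0x0001
10.0.0.1,10.0.0.5,Echo (ping) reply    id=0x0001
10.0.0.1,10.0.0.5,Echo (ping) reply    id=0x0001
10.0.0.1,10.0.0.5,Echo (ping) reply    id=0x0001
10.0.0.5,10.0.0.10,[SYN]
10.0.0.10,10.0.0.5,[SYN, ACK]
10.0.0.5,10.0.0.10,[ACK]
10.0.0.10,10.0.0.5,[PSH, ACK]
10.0.0.10,10.0.0.5,[PSH, ACK]
10.0.0.10,10.0.0.5,[PSH, ACK]
10.0.0.10,10.0.0.5,[PSH, ACK]
"""

def direction_counts(lines, local_ip):
    """Return {peer: (outbound, inbound)} frame counts seen for local_ip."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        if not line.strip():
            continue
        # maxsplit=2 keeps commas inside the Info column intact
        src, dst, _info = line.split(",", 2)
        if src == local_ip:
            counts[dst][0] += 1
        elif dst == local_ip:
            counts[src][1] += 1
    return {peer: tuple(c) for peer, c in counts.items()}

def one_sided_peers(lines, local_ip, min_inbound=3, max_ratio=0.5):
    """Peers whose replies far outnumber the frames local_ip appears to send.

    A handful of outbound frames (handshake, first echo request) followed by
    inbound-only traffic points at offloading or a filter driver (VPN/AV)
    dropping outbound frames before the capture driver sees them.
    """
    flagged = []
    for peer, (out, inb) in direction_counts(lines, local_ip).items():
        if inb >= min_inbound and out < inb * max_ratio:
            flagged.append((peer, out, inb))
    return sorted(flagged)

if __name__ == "__main__":
    for peer, out, inb in one_sided_peers(SAMPLE.splitlines(), "10.0.0.5"):
        print(f"{peer}: {out} outbound vs {inb} inbound frames seen")
```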