This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Conversation of tcp analysis problem

0

When I choose local connection or wireless, I am confused that Wireshark cannot capture a whole conversation including packets in both directions. My steps are as follows:

1. double click to start wireshark
2. select local connection and click start
3. select 'Statistics->Conversations' to display the conversations window
4. select TCP, then I start analysis

The problem is that I want to watch the conversations displayed in step 4 that include both directions (say both "packets A->B" and "packets B->A" are not zero), but the reality is that there are no such conversations on my machine, while on other machines it displays well.

Please tell me how to solve this problem, thanks.

Other info:

My PC is Win7 32-bit, ThinkPad E520, Realtek PCIe GBE Family Controller;
the Wireshark version is 1.10.5.

asked 06 Mar '14, 17:41


nevselect
accept rate: 0%

edited 09 Mar '14, 03:53


Kurt Knochner ♦


One Answer:

1

I want to watch the conversations displayed in step 4 that include both directions (say both "packets A->B" and "packets B->A" are not zero), but the reality is that there are no such conversations on my machine, while on other machines it displays well.

O.K. As I understand your problem:

  • you have two capturing systems
  • on one system, you see traffic in both directions
  • on the other system, you see only traffic in one direction (no packets show in the Conversations for either A->B or B->A)

If that assumption is correct, here are some possible problems:

  • You are trying to capture Wi-Fi traffic on Windows. That has some limitations on its own, but I don't think that's your main problem.
  • You are trying to capture on the 'local connection', and I guess you mean the Ethernet interface (Realtek). In that case you might have hit the same problem that others have also reported, namely that you don't see either incoming or outgoing traffic.

As we have had some (a lot of) reports about problems with outgoing packets, here are some common problems, starting with the most plausible ones:

  • There is some Endpoint Security Software installed on the system that prevents Wireshark from seeing outgoing packets. The software that was mentioned most was Symantec Endpoint Security. If that is installed on your system, try to disable or uninstall it. If that is not an option, you cannot use that specific system to capture traffic of the local machine.
  • Another problem could be a VPN client with a special network driver called DNE LightWeight Filter. If that is the case, uncheck DNE LightWeight Filter in the adapter settings.
  • There could be other interfering software on the system like AV, IDS, Firewall, Networking software, etc. If that's the case, try to disable or uninstall that software.

Regards
Kurt

answered 09 Mar '14, 04:08


Kurt Knochner ♦
accept rate: 15%
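As an added illustration (not part of Kurt's answer and not Wireshark's own code), the script below rebuilds the per-direction packet counts of the Statistics -> Conversations -> TCP view from a classic libpcap file using only the Python standard library, and flags any conversation that was seen in one direction only, which is the symptom described in this thread. The capture it builds itself is constructed sample data (one healthy conversation, one with only the inbound half present); the Ethernet link type and the function names are assumptions of this example. Pass the path of a real capture as the first argument to check your own file.

```python
"""Count TCP packets per direction for every conversation in a pcap file.

Reproduces enough of Wireshark's 'Statistics -> Conversations -> TCP' view to
spot conversations where one direction (A->B or B->A) never reached the
capture driver. Standard library only; handles the classic libpcap format with
the Ethernet link type (assumption of this example).
"""
import struct
import sys
from collections import defaultdict

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def _endpoints(ip_src, sport, ip_dst, dport):
    """Return (conversation key, direction) for one packet.

    The key orders the two endpoints canonically so both halves of a flow map
    to the same conversation; direction is 'a_to_b' when the packet's source
    is the first endpoint of the key.
    """
    src, dst = (ip_src, sport), (ip_dst, dport)
    if src <= dst:
        return (src, dst), "a_to_b"
    return (dst, src), "b_to_a"


def tcp_conversations(pcap_bytes):
    """Parse a classic pcap and count TCP packets per conversation direction."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    if magic == 0xA1B2C3D4:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(order + "IHHiIII", pcap_bytes[:24])[6]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled")

    counts = defaultdict(lambda: {"a_to_b": 0, "b_to_a": 0})
    pos = 24
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(order + "IIII", pcap_bytes[pos:pos + 16])[2]
        pos += 16
        frame = pcap_bytes[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < ETH_HDR_LEN + 20:
            continue
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ip = frame[ETH_HDR_LEN:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
            continue
        ip_src = ".".join(str(b) for b in ip[12:16])
        ip_dst = ".".join(str(b) for b in ip[16:20])
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        key, direction = _endpoints(ip_src, sport, ip_dst, dport)
        counts[key][direction] += 1
    return dict(counts)


def one_directional(conversations):
    """Return conversation keys where one direction has zero packets."""
    return sorted(k for k, c in conversations.items()
                  if c["a_to_b"] == 0 or c["b_to_a"] == 0)


def _tcp_frame(ip_src, sport, ip_dst, dport, flags=0x18):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed data, checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in ip_src.split(".")),
                     bytes(int(o) for o in ip_dst.split(".")))
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture: one healthy conversation, one seen inbound only."""
    frames = [
        _tcp_frame("192.0.2.10", 51000, "198.51.100.5", 443),
        _tcp_frame("198.51.100.5", 443, "192.0.2.10", 51000),
        _tcp_frame("192.0.2.10", 51000, "198.51.100.5", 443),
        # only the inbound half of this flow reached the capture driver
        _tcp_frame("203.0.113.7", 80, "192.0.2.10", 51001),
        _tcp_frame("203.0.113.7", 80, "192.0.2.10", 51001),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1394000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    convs = tcp_conversations(data)
    for (a, b), c in sorted(convs.items()):
        print("%s:%d <-> %s:%d  A->B %d  B->A %d" % (a[0], a[1], b[0], b[1], c["a_to_b"], c["b_to_a"]))
    for key in one_directional(convs):
        print("WARNING: one-directional conversation:", key)
```

If every conversation in a capture of your own traffic shows zero in one column while the same traffic captured elsewhere shows both, the capture driver on that host is not seeing one direction, which points at the interfering-software causes listed in the answer rather than at the network.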

Thanks a lot. I tried to solve the problems in the ways you gave, and it works!

(10 Mar '14, 23:25) nevselect