This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I'm using WS v1.10.11. When viewing a pcapng file after the capture has stopped, I'm noticing no initial SYN packets. I can see the SYN/ACK packets but no SYN packets.

If I save the capture and view the pcapng on another system (same WS version), the SYN packets are not present, so it seems that the SYN packets are not being captured on the first system.

I've tried uninstalling/reinstalling WS, reinstalling the NIC drivers (updated as well), and uninstalling/reinstalling WinPcap (v4.1.3), yet the result is the same.

Thanks, J

asked 09 Dec '14, 03:00

JTech_17


What OS? If on Windows, are you missing all packets in the SYN direction? If so, then it might be due to AV/firewall/endpoint protection software.

Note that 1.10.11 is somewhat old; the stable version is currently 1.12.2.


answered 09 Dec '14, 03:31

grahamb ♦

Win7 Ent. I've disabled the fw and AV - same result. The second system is identical in hardware and OS with no issue. It may simply be a bad Win7 image. Thought I'd ask and see if there was a simple fix before starting from scratch and re-imaging. thx, J

(09 Dec '14, 05:40) JTech_17

You didn't say if all packets in the SYN direction are missing, or just the SYN.

As you suggest, I also believe that the issue is during capture, thus viewing the capture file on a second system is unlikely to change the result. If you can capture the SYN on the second system though, that does suggest an issue with the first. Disabling AV etc. may not be enough; you might have to remove them completely.

(09 Dec '14, 05:44) grahamb ♦
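The distinction raised in the comment above (only the SYN missing versus every packet in the SYN direction missing) can be checked mechanically. The following is an added example, not part of the original thread; it assumes per-packet rows exported with `tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags` (`capture.pcapng` is a placeholder name), and the sample rows are constructed.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10

# Constructed sample rows (documentation addresses), one per packet:
# ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags, tab-separated.
SAMPLE = "\n".join("\t".join(r) for r in [
    # Flow A: full handshake captured.
    ("192.0.2.5", "198.51.100.10", "49152", "80", "0x0002"),
    ("198.51.100.10", "192.0.2.5", "80", "49152", "0x0012"),
    ("192.0.2.5", "198.51.100.10", "49152", "80", "0x0010"),
    # Flow B: SYN absent, but later client packets are present.
    ("198.51.100.10", "192.0.2.5", "80", "49153", "0x0012"),
    ("192.0.2.5", "198.51.100.10", "49153", "80", "0x0010"),
    ("192.0.2.5", "198.51.100.10", "49153", "80", "0x0018"),
    # Flow C: nothing at all from the client side.
    ("198.51.100.10", "192.0.2.5", "80", "49154", "0x0012"),
    ("198.51.100.10", "192.0.2.5", "80", "49154", "0x0012"),
])

def classify(lines):
    """Map each client flow (client, cport, server, sport) to a verdict."""
    syn, synack = set(), set()
    count = defaultdict(int)  # packets per directed flow
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or not all(parts):
            continue  # skip non-IPv4/non-TCP or malformed rows
        src, dst, sport, dport, flags = parts
        flow = (src, int(sport), dst, int(dport))
        count[flow] += 1
        bits = int(flags, 16)
        if bits & SYN and bits & ACK:
            synack.add(flow)      # server -> client
        elif bits & SYN:
            syn.add(flow)         # client -> server
    verdicts = {}
    for srv, sp, cli, cp in synack:
        client = (cli, cp, srv, sp)
        if client in syn:
            verdicts[client] = "handshake complete"
        elif count.get(client, 0):
            verdicts[client] = "only SYN missing"
        else:
            verdicts[client] = "whole client direction missing"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in sorted(classify(SAMPLE.splitlines()).items()):
        print(flow, verdict)
```

A "whole client direction missing" verdict points at the capture path dropping one direction; "only SYN missing" suggests the capture started late or something is filtering on the initial packet.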

To resolve my particular issue, I had the workstation re-imaged. Installed my initial version 1.10.11 and WS is working well; SYN packets are being seen (as well as all other packets). AV is on, Win firewall is on, all of my apps re-installed, and the system is operating like my secondary workstation.

It's a tough step, but in my case it was an option since it is standard procedure to back up apps and data on the corporate back end. I wouldn't recommend this if you don't have a proper backup.

J


answered 30 Dec '14, 05:44

JTech_17

question asked: 09 Dec '14, 03:00

question was seen: 2,669 times

last updated: 30 Dec '14, 05:44