This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SYN Packets Missing

0

Hi,

I'm using WS v1.10.11. When viewing a pcapng file after the capture has stopped, I'm noticing no initial SYN packets. I can see the SYN/ACK packets but no SYN packets.

If I save the capture and view the pcapng on another system (same WS version), the SYN packets are not present, so it seems that the SYN packets are not being captured on the first system.

I've tried uninstalling/reinstalling WS, reinstalling the NIC drivers (updated as well), and uninstalling/reinstalling WinPcap (v4.1.3), yet the result is the same.

thanks, J

asked 09 Dec '14, 03:00

JTech_17
417712
accept rate: 0%


2 Answers:

0

What OS? If on Windows, are you missing all packets in the SYN direction? If so, then it might be due to AV/firewall/endpoint protection software.

Note that 1.10.11 is somewhat old, the stable version is currently 1.12.2.

answered 09 Dec '14, 03:31

grahamb ♦
19.8k330206
accept rate: 22%

Win7 Ent. I've disabled the fw and AV - same result. The second system is identical in hardware and OS with no issue. It may simply be a bad Win7 image. Thought I'd ask and see if there was a simple fix before starting from scratch and re-imaging. thx, J

(09 Dec '14, 05:40) JTech_17

You didn't say if all packets in the SYN direction are missing, or just the SYN.

As you suggest, I also believe that the issue is during capture, thus viewing the capture file on a second system is unlikely to change the result. If you can capture the SYN on the second system, though, that does suggest an issue with the first. Disabling AV etc. may not be enough; you might have to remove them completely.

(09 Dec '14, 05:44) grahamb ♦
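
The distinction asked about in this answer (all packets in the SYN direction missing, or only the SYN) can be checked mechanically from per-packet TCP summaries. The Python below is an added example, not part of the original thread; the tuple format, the function name `classify_flows` and the sample packets are assumptions constructed for illustration.

```python
# Added example: sample packets are constructed, not from the poster's capture.
from collections import defaultdict

SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP flag bits

def classify_flows(packets):
    """packets: list of (src, sport, dst, dport, tcp_flags) tuples.
    Returns {(client, cport, server, sport): verdict string}."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "c2s": 0})
    # Pass 1: handshake packets tell us which endpoint is the client,
    # even when the client's own SYN never reached the capture.
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and flags & ACK:      # SYN/ACK is sent by the server
            flows[(dst, dport, src, sport)]["synack"] = True
        elif flags & SYN:                    # bare SYN is sent by the client
            flows[(src, sport, dst, dport)]["syn"] = True
    # Pass 2: count every client-to-server packet, SYN or not.
    for src, sport, dst, dport, _ in packets:
        if (src, sport, dst, dport) in flows:
            flows[(src, sport, dst, dport)]["c2s"] += 1
    verdicts = {}
    for key, f in flows.items():
        if f["syn"] and f["synack"]:
            verdicts[key] = "handshake captured"
        elif f["synack"] and f["c2s"] == 0:
            verdicts[key] = "all client-to-server packets missing"
        elif f["synack"]:
            verdicts[key] = "only the SYN missing"
        else:
            verdicts[key] = "SYN seen, no SYN/ACK"
    return verdicts

C, S = "10.0.0.5", "192.0.2.10"  # constructed client and server addresses
SAMPLE = [
    # Flow 1: complete handshake
    (C, 50001, S, 80, SYN), (S, 80, C, 50001, SYN | ACK), (C, 50001, S, 80, ACK),
    # Flow 2: later client packets present, but the SYN is absent
    (S, 80, C, 50002, SYN | ACK), (C, 50002, S, 80, ACK),
    (C, 50002, S, 80, PSH | ACK),
    # Flow 3: nothing at all from the client
    (S, 80, C, 50003, SYN | ACK), (S, 80, C, 50003, PSH | ACK),
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE).items():
        print(flow, "->", verdict)
```

A capture where every flow reports "all client-to-server packets missing" matches the case described here, where software in the capture path hides one direction of traffic.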

0

To resolve my particular issue, I had the workstation re-imaged. Installed my initial version 1.10.11 and WS is working well; SYN packets are being seen (as well as all other packets). AV is on, Win firewall is on, all of my apps re-installed, and the system is operating like my secondary workstation.

It's a tough step, but in my case it was an option since it is standard procedure to back up apps and data on the corporate back end. I wouldn't recommend this if you don't have a proper backup.

J

answered 30 Dec '14, 05:44

JTech_17
417712
accept rate: 0%