This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark does not capture packets w/ payloads?

0

I have a very strange issue with wireshark that I've never seen before, and have been using Wireshark/Ethereal for some time now.

This issue only occurs on one particular server. I am able to run Wireshark without an issue and I can see the proper interface listed and capture from it. The window fills with both broadcast and unicast messages, both sourced from and destined for the interface from which I'm capturing. The issue is that none of the packets with any length coming from or to the PC are displayed (broadcast/flooded packets with payload are still displayed)... it's the strangest thing. The output in the capture window is as if I have a filter running that excludes len>0 packets. Right-clicking and following any particular stream will show nothing - only TCP ack/syn/etc. packets, but nothing with the PSH flag, no data, etc.

I know for a fact that there is data being received/sent. To prove this I have a second PC capture from a span port that is mirroring traffic to/from the server's interface. On Wireshark on the second PC, the capture window is filled with the same broadcast/flooded traffic that the host sees however it also sees all of the expected unicast traffic that I thought I would see on the server.

Any thoughts? Drivers? I've already removed and re-installed Wireshark several times and tried different capture settings to no avail.

asked 30 Jul '12, 13:32


varanda
accept rate: 0%

If it helps:

OS is Windows 2008 R2

NIC is Broadcom BCM5709C NetXtreme II GigE with driver 6.2.9.0, dated 2/4/2011

(30 Jul '12, 13:44) varanda

One Answer:

1

That specific NIC supports TCP/IP offloading. Depending on the offloading capabilities, you won't see established TCP Connections with WinPcap (Wireshark).

http://wiki.wireshark.org/CaptureSetup/Offloading#TCP_Chimney

Try to disable TCP Chimney, as described in the link above. If that does not help, try to disable TCP/IP offloading in the driver (driver advanced settings, or some 'obscure' registry settings -> google). Look for something like "TCP Connection Offload".

Regards
Kurt

answered 30 Jul '12, 13:57


Kurt Knochner ♦
accept rate: 15%

edited 30 Jul '12, 14:00
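The symptom described above (handshake and teardown visible, nothing in between) can be checked from a capture programmatically instead of by following streams one at a time. The script below is an added example, not code from the original thread or from the Wireshark project: it parses raw Ethernet/IPv4/TCP frames with the standard library only, sums payload bytes per conversation, and lists conversations that completed a SYN and FIN with zero data bytes. The frames it feeds itself are constructed inline for the demo; the function and constant names are this example's own. A few empty streams are normal on any host, but when every stream on the capturing host looks like this while a SPAN-port capture of the same traffic shows data, TCP offload on the NIC is the first thing to suspect.

```python
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def ipv4_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src_ip, sport, dst_ip, dport, flags, payload=b""):
    """Build a minimal Ethernet II / IPv4 / TCP frame (constructed test data).
    Checksums are left at zero, which is fine for an offline parsing demo."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # data offset 5 words (20 bytes), window 8192, zero checksum / urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipv4_to_bytes(src_ip), ipv4_to_bytes(dst_ip))
    return eth + ip + tcp


def parse_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload_len), or None for non-IPv4/TCP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]  # IPv4 total length
    if frame[23] != 6:                                # protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                         # TCP header length in bytes
    flags = tcp[13]
    payload_len = total_len - ihl - doff              # bytes of application data
    return src, sport, dst, dport, flags, payload_len


def stream_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a conversation share one bucket."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def summarize_streams(frames):
    """Per-conversation counters: segments, payload bytes, and which flags were seen."""
    streams = defaultdict(lambda: {"segments": 0, "payload_bytes": 0,
                                   "syn": False, "fin": False, "psh": False})
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue  # ARP, IPv6, UDP etc. are not relevant to this check
        src, sport, dst, dport, flags, plen = parsed
        s = streams[stream_key(src, sport, dst, dport)]
        s["segments"] += 1
        s["payload_bytes"] += plen
        s["syn"] |= bool(flags & TCP_SYN)
        s["fin"] |= bool(flags & TCP_FIN)
        s["psh"] |= bool(flags & TCP_PSH)
    return dict(streams)


def streams_missing_payload(streams):
    """Conversations whose SYN and FIN were captured but that carried no data bytes."""
    return sorted(k for k, s in streams.items()
                  if s["syn"] and s["fin"] and s["payload_bytes"] == 0)


# Constructed sample capture: one stream with handshake + teardown only (what the
# question describes), one stream that carries a request, and one ARP frame to skip.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", 50000, "10.0.0.9", 80, TCP_SYN),
    build_frame("10.0.0.9", 80, "10.0.0.5", 50000, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", 50000, "10.0.0.9", 80, TCP_ACK),
    build_frame("10.0.0.5", 50000, "10.0.0.9", 80, TCP_FIN | TCP_ACK),
    build_frame("10.0.0.5", 50001, "10.0.0.9", 443, TCP_SYN),
    build_frame("10.0.0.9", 443, "10.0.0.5", 50001, TCP_SYN | TCP_ACK),
    build_frame("10.0.0.5", 50001, "10.0.0.9", 443, TCP_ACK),
    build_frame("10.0.0.5", 50001, "10.0.0.9", 443, TCP_PSH | TCP_ACK, b"GET / HTTP/1.0\r\n"),
    build_frame("10.0.0.5", 50001, "10.0.0.9", 443, TCP_FIN | TCP_ACK),
]
NON_TCP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)  # ARP
SAMPLE_FRAMES.append(NON_TCP_FRAME)

if __name__ == "__main__":
    streams = summarize_streams(SAMPLE_FRAMES)
    for key, s in streams.items():
        print(key, s)
    print("streams with handshake but no payload:", streams_missing_payload(streams))
```

To run this against a real capture, replace `SAMPLE_FRAMES` with the frames read from a pcap (the `struct`-based pcap record format is simple enough to read by hand, or use a pcap library) and compare the ratio of empty streams between the host capture and the SPAN-port capture.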

Sounds like a good idea to try. I'll check it out and update when I can verify.

FYI, I would see the new connections establish and close - just nothing in between.

(30 Jul '12, 14:26) varanda

Just FYI Kurt, I did fix the issue based on your recommendation but the netsh command in that link was not available (specifically the "chimney" subcommand).

I went into the NIC properties via Device Manager, and found TCP connection offloading for IPv4 and disabled it. Server dropped connections for 10-15 seconds as I would expect, and then resumed operation as normal. Now Wireshark can see the traffic it was not able to see before. Thanks!

(08 Aug '12, 12:49) varanda

Thanks for the update!

(08 Aug '12, 12:59) Kurt Knochner ♦