locked
cant capture tcp syn packet (first handshake packet) at transport layer RRS feed

  • Question

  • I cant capture tcp syn packet (first handshake packet) at transport layer when the tcp port is NOT listening.

    is it for designed? if it is ,then is there any ways i can do that at transport layer(NOT discard layer)?

    thanks in advanced

    Tuesday, November 5, 2013 4:50 AM

Answers

  • This would be dropped by the TCP/IP stack as there is no listening endpoint.  As you stated, you would see this in INBOUND_IPPACKET and the DISCARD, but not at INBOUND_TRANSPORT.  This is by design.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Tuesday, November 5, 2013 4:57 AM
    Moderator