Not all traffic is being captured on WS 2008. Why?

  • Question

  • As sys admins with many, many years of windows sniffing experience, we are currently at a complete loss as to why we are unable to capture traffic we know is there.

    Specifically we are trying to troubleshoot an SMTP problem (large messages, hanging connections) on our production environment.

    When we try to capture SMTP traffic we usually only get the first 3 packets (syn, syn-ack, syn) sometimes also the incoming SMTP 220 and the outgoing SMTP HELO. But never any more than that. The SMTP payload traffic does occur but never gets captured. Relaxing or tightening filters makes no difference. Microsoft Network Monitor or Wireshark makes no difference. Server 2003 (32 bit) does make a difference: no problems sniffing there, but then the original SMTP problem we're investigating doesn't occur under Windows Server 2003. What's going on?

    We do seem to see ALL other traffic.

    Is it Server 2008 R2? Is it 64 bit? Is it the Broadcom NIC teaming? Is it TCP offloading features? Is it some really, really stupid oversight on our behalf?

    Any suggestions or similar experiences are more than welcome.

    Nick
    • Edited by SaintNick Monday, February 8, 2010 12:55 PM typo
    Monday, February 8, 2010 11:28 AM

Answers

  • Yup, it was indeed the TCP offloading features.

    See http://support.microsoft.com/kb/951037

    Basically just turn that all off with

    C:\> Netsh interface tcp set global autotuning=disabled chimney=disabled rss=disabled
    No reboot needed, at least not on Server 2008 R2.

    Google (or Bing) in this area and you'll see that turning this off solves a lot of problems. (hanging Internet Explorer processes, memory trimming of SQL Server processes, etc. etc.)

    • Marked as answer by SaintNick Monday, February 8, 2010 3:32 PM
    Monday, February 8, 2010 3:32 PM
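Before applying the netsh change from the accepted answer, an administrator would normally want a record of the current state so the change can be verified and reverted. The following PowerShell script is an added example, not code from the thread; it assumes the label text that `netsh interface tcp show global` prints ("Chimney Offload State", "Receive-Side Scaling State", "Receive Window Auto-Tuning Level") and that the revert values it prints are the usual Server 2008 R2 defaults.

```powershell
# Added example (not from the thread). Snapshot the global TCP settings the
# answer disables, apply the change, and show what actually changed.
# Run from an elevated prompt. netsh is used on purpose: the
# Get-NetOffloadGlobalSetting cmdlets do not exist on Server 2008 R2.

function Get-TcpGlobalSetting {
    # Parse "Label : value" lines from 'netsh interface tcp show global'
    $settings = @{}
    foreach ($line in (& netsh interface tcp show global)) {
        if ($line -match '^\s*(.+?)\s*:\s*(\S.*)$') {
            $settings[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $settings
}

# The labels below are an assumption about the netsh output format; if one is
# missing, the raw snapshot file still holds the full output for rollback.
$watched = 'Receive Window Auto-Tuning Level',
           'Chimney Offload State',
           'Receive-Side Scaling State'

$snapshot = Join-Path $env:TEMP 'tcp-global-before.txt'
& netsh interface tcp show global | Out-File -FilePath $snapshot -Encoding ascii
$before = Get-TcpGlobalSetting
Write-Host "Current settings saved to $snapshot"
foreach ($name in $watched) {
    if ($before.ContainsKey($name)) {
        Write-Host ("  {0,-35} {1}" -f $name, $before[$name])
    } else {
        Write-Warning "Label '$name' not found in netsh output; check $snapshot"
    }
}

if ((Read-Host 'Disable autotuning, chimney and RSS now? (y/N)') -eq 'y') {
    & netsh interface tcp set global autotuning=disabled chimney=disabled rss=disabled
    $after = Get-TcpGlobalSetting
    foreach ($name in $watched) {
        if ($before.ContainsKey($name) -and $after.ContainsKey($name)) {
            Write-Host ("  {0,-35} {1} -> {2}" -f $name, $before[$name], $after[$name])
        }
    }
    # Assumed defaults for rollback; confirm against the snapshot before using.
    Write-Host 'To revert: netsh interface tcp set global autotuning=normal chimney=automatic rss=enabled'
}
```

Re-run the capture after the change; if SMTP payload packets now appear, the offload engine was the reason they bypassed the capture driver.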

All replies

  • Yvette, can you be more specific? I think you are saying you still see the similar issues after turning off TCP Offloading, but I can be sure what those issues are. Perhaps you can start a new thread and describe your problem.

    Thanks,

    Paul

    Tuesday, September 14, 2010 2:54 PM