[prev in list] [next in list] [prev in thread] [next in thread] 

List:       winpcap-bugs
Subject:    Re: [Winpcap-bugs] Problem capturing under windows 7 -
From:       "Gianluca Varenni" <gianluca.varenni () cacetech ! com>
Date:       2010-03-01 16:50:15
Message-ID: 7E28D2EE9E7D480E95AE2517DFDB93E9 () NELSON3
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


This is usually caused by TCP segmentation offloading. The NIC driver sends frames \
that are larger than 1500bytes to the NIC card itself, and the NIC card takes care of \
segmenting it and sending it on the wire. This happens only for the packets \
transmitted by the sniffing machine. If that's the case, you can usually disable this \
behavior by going to your network card properties, advanced tab, and looking for \
something like "TCP offloading". These features should be disabled.

Hope it helps
GV


From: Gil Bahat 
Sent: Saturday, February 27, 2010 6:29 AM
To: winpcap-bugs@winpcap.org 
Subject: [Winpcap-bugs] Problem capturing under windows 7 - improbably-sizedpackets \
captured


Hello,

 

I am performing data capture on an IBM thinkpad X24 equipped with an Intel Pro/100 VE \
network adaptor, running windows 7.

On the capture file I am seeing packets larger than 1500 bytes, which is impossible \
for a 100mbit connection. See the attached capture file and all the related debug \
data.

Capturing from the other machine shows no oversized packets, though that is a linux \
machine with tcpdump. There are two Homeplug adaptors on the way, though I doubt \
these can somehow magically change the Ethernet standard. I can provide a capture of \
the second party if needed but overall I suspect the problem is with how winpcap \
performs on Windows 7.

 

Sincerely,

 

Gil Bahat,

4th year EECS Student,

Tel-Aviv University.

 



--------------------------------------------------------------------------------


_______________________________________________
Winpcap-bugs mailing list
Winpcap-bugs@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-bugs


[Attachment #5 (text/html)]

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML xmlns:v = "urn:schemas-microsoft-com:vml" xmlns:o = 
"urn:schemas-microsoft-com:office:office" xmlns:w = 
"urn:schemas-microsoft-com:office:word" xmlns:m = 
"http://schemas.microsoft.com/office/2004/12/omml"><HEAD>
<META content=text/html;charset=iso-8859-1 http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.7600.16490">
<STYLE><!--
/* Font Definitions */
@font-face
	{font-family:Calibri;
	panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0cm;
	margin-bottom:.0001pt;
	text-align:right;
	direction:rtl;
	unicode-bidi:embed;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
	{mso-style-priority:99;
	color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{mso-style-priority:99;
	color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Calibri","sans-serif";
	color:windowtext;}
.MsoChpDefault
	{mso-style-type:export-only;
	font-family:"Calibri","sans-serif";}
@page WordSection1
	{size:612.0pt 792.0pt;
	margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
	{page:WordSection1;}
--></STYLE>
</HEAD>
<BODY style="PADDING-LEFT: 10px; PADDING-RIGHT: 10px; PADDING-TOP: 15px" 
id=MailContainerBody lang=EN-US leftMargin=0 link=blue topMargin=0 vLink=purple 
CanvasTabStop="true" name="Compose message area">
<DIV><FONT face=Calibri>This is usually caused by TCP segmentation offloading. 
The NIC driver sends frames that are larger than 1500bytes to the NIC card 
itself, and the NIC card takes care of segmenting it and sending it on the wire. 
This happens only for the packets transmitted by the sniffing machine. If that's 
the case, you can usually disable this behavior by going to your network card 
properties, advanced tab, and looking for something like "TCP offloading". These 
features should be disabled.</FONT></DIV>
<DIV><FONT face=Calibri></FONT>&nbsp;</DIV>
<DIV><FONT face=Calibri>Hope it helps</FONT></DIV>
<DIV><FONT face=Calibri>GV</FONT></DIV>
<DIV style="FONT: 10pt Tahoma">
<DIV><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=coutal@barak.net.il 
href="mailto:coutal@barak.net.il">Gil Bahat</A> </DIV>
<DIV><B>Sent:</B> Saturday, February 27, 2010 6:29 AM</DIV>
<DIV><B>To:</B> <A 
title="mailto:winpcap-bugs@winpcap.org&#10;CTRL + Click to follow link" 
href="mailto:winpcap-bugs@winpcap.org">winpcap-bugs@winpcap.org</A> </DIV>
<DIV><B>Subject:</B> [Winpcap-bugs] Problem capturing under windows 7 - 
improbably-sizedpackets captured</DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV class=WordSection1>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>Hello,<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal><o:p>&nbsp;</o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>I am performing data capture on an IBM thinkpad X24 equipped 
with an Intel Pro/100 VE network adaptor, running windows 7.<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>On the capture file I am seeing packets larger than 1500 bytes, 
which is impossible for a 100mbit connection. See the attached capture file and 
all the related debug data.<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>Capturing from the other machine shows no oversized packets, 
though that is a linux machine with tcpdump. There are two Homeplug adaptors on 
the way, though I doubt these can somehow magically change the Ethernet 
standard. I can provide a capture of the second party if needed but overall I 
suspect the problem is with how winpcap performs on Windows 7.<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal><o:p>&nbsp;</o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>Sincerely,<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal><o:p>&nbsp;</o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>Gil Bahat,<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>4<SUP>th</SUP> year EECS Student,<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal>Tel-Aviv University.<o:p></o:p></P>
<P style="TEXT-ALIGN: left; unicode-bidi: embed; DIRECTION: ltr" 
class=MsoNormal><o:p>&nbsp;</o:p></P></DIV>
<P>
<HR>

<P></P>_______________________________________________<BR>Winpcap-bugs mailing 
list<BR>Winpcap-bugs@winpcap.org<BR>https://www.winpcap.org/mailman/listinfo/winpcap-bugs<BR></BODY></HTML>




_______________________________________________
Winpcap-bugs mailing list
Winpcap-bugs@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-bugs


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic