Have you ever run in to a problem where you are attempting to troubleshoot a network connectivity issue with a network capture utility and seen only the 3 way handshake? This will happen if you are using Netmon 2.x, Netmon 3.x, Wireshark, Ethereal and most other network capture utilities.
It is relatively common knowledge that this will happen when TCP Chimney offload is enabled but disabling it via the registry or netsh sometimes doesn’t always resolve the problem. TCP Chimney offload enables TCP/IP processing to be offloaded to network adapters that can handle the TCP/IP processing in hardware. The use of TCP Chimney offload causes traffic to be delivered at a lower layer of the TCP/IP stack than we listen on with most network capture utilities.
The initial troubleshooting for this type of issue is to turn off TCP Chimney Offload via Netsh as follows. The benefit of this is that it does not require a reboot.
To turn off TCP Chimney by using the Netsh.exe tool, follow these steps:
However, if this does not change what is shown in a network capture, you should then move forward with disabling all of the features of the Scalable Network Pack as documented in Knowledge Base article 948496 – “An update to turn off default SNP features is available for Windows Server 2003-based and Small Business Server 2003-based computers”.
To manually disable RSS, NetDMA and TCP Offload, follow these steps:
Disabling Chimney with netsh and changed the registry values above will allow you to see all the traffic in most cases but not always. You may also need to look at the features related to TCP Chimney offload available on the Network card. To access these options, choose the configure button on the general tab of the adapters properties. This will bring up a Window similar to what is displayed below. The Advanced tab is where the changes will be made.
The configurable options available vary depending on how the vendor implements the driver for Windows. Many network cards have features including Receive Side Scaling, TCP Checksum Offload and TCP Large Send Offload. Disabling the offload features of the network card will allow you to view all of the traffic in many cases where disabling the scalable network pack features in the OS doesn’t work. You should refer to the vendor’s documentation for specific steps on how to disable these features.
As a last resort you may have to disable chimney from a hardware perspective. Refer to the vendor’s documentation for specific information on how to disable offload features. Possible ways to do this vary, and may include settings on the NIC, jumpers on the motherboard, and/or configuration in System BIOS.
- Michael Vargo
203 Microsoft Team blogs searched, 94 blogs have new articles in the past 7 days. 223 new articles found
But what if I can't disable TCP offloading. I need to sniff a 10G link which is getting highly utilised! I am guessing disabling TCP Offload will kill my CPU's?