John Temples wrote:
> I'm trying to capture some incoming HTTP connections with Wireshark
> 0.99.8 on a Windows Server 2003 system.  The only thing Wireshark
> captures is the three packets in the three-way handshake of the TCP
> connection; no other packets related to the connection are captured.
> However, the connection completes successfully.  No capture filter is
> active in Wireshark.
> 
> When running Wireshark on the PC that originates the connection, the
> entire transaction is successfully captured on the originating PC.
> 
> When the connection originates from a PC on the same LAN as the
> Windows 2003 Server system, Wireshark on the Windows 2003 Server
> system successfully captures the entire transaction.
> 
> The problem only occurs when the connection originates from the
> Internet.  The LAN in question has a SonicWALL firewall with no
> special configuration.
> 
> What could cause Wireshark not to see the entire connection?

So let me get this straight.  When someone connects to the server 
through your FW, you only capture the first three packets of the TCP 
handshake.

But if you make the same http connection from a PC within your network, 
the server capture shows everything?

Hmm, is it possible that your server is still multi-homed and the 
default route uses the other interface?  Of course that doesn't explain 
the SYN+ACK being visible, but perhaps the tcp offloading allows you to 
see it?

I'm just grasping at straws really.  Do the Internet users successfully 
complete their transaction?

-- 

Thanks,
Hansang
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
