Have you ever been troubleshooting a network connectivity problem and seen only the three-way handshake in your network packet capture tool? This happens with NetMon 2.x, NetMon 3.x, Wireshark, Ethereal, and most other network packet capture tools.
This is a fairly common occurrence. It happens when TCP chimney offload is enabled, and it is resolved once the feature is disabled through the registry or netsh. TCP chimney offload allows TCP/IP processing to be transferred to a network adapter that can handle TCP/IP in hardware. With TCP chimney offload in use, network communication is handled below the layer of the TCP/IP stack where most packet capture tools listen.
The initial troubleshooting step for this type of problem is to disable TCP chimney offload through netsh, as follows. The advantage of this method is that you do not need to restart the machine.
To disable TCP chimney by using the netsh.exe tool:
- Click Start, click Run, type cmd, and then click OK.
- At the command prompt, type "netsh int ip set chimney disabled" and then press Enter.
If this does not change the data displayed in the packet capture tool, continue by disabling all Scalable Networking Pack features; see Knowledge Base article 948496, or http://support.microsoft.com/kb/2570111
To manually disable RSS, NetDMA, and TCP offload, follow these steps:
- Click Start, click Run, type regedit, and then click OK.
- Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- Right-click EnableTCPChimney, and then click Modify.
- In the value data box, type 0, and then click OK.
- Right-click EnableRSS, and then click Modify.
- In the value data box, type 0, and then click OK.
- Right-click EnableTCPA, and then click Modify.
- In the value data box, type 0, and then click OK.
- Exit Registry Editor, and then restart the computer.
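The netsh and registry steps above as one script, added here as an example and not taken from the original article. It reports the three values and, when run from an elevated prompt with the hypothetical `-Apply` switch, sets the existing ones to 0 and runs the netsh command; values that do not exist are reported and left alone.

```powershell
# Added example, not from the original article.
# -Apply is a hypothetical switch name chosen for this script: without it the
# script only reports; with it (elevated prompt) it makes the changes.
param([switch]$Apply)

$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$names = 'EnableTCPChimney', 'EnableRSS', 'EnableTCPA'
$restartNeeded = $false

foreach ($name in $names) {
    # A missing value yields $null instead of an error
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $prop) {
        Write-Output ("{0,-18} not present, left alone" -f $name)
        continue
    }

    $current = $prop.$name
    Write-Output ("{0,-18} current value: {1}" -f $name, $current)

    if ($Apply -and $current -ne 0) {
        # Same change as "Modify" and typing 0 in the value data box
        Set-ItemProperty -Path $key -Name $name -Value 0
        Write-Output ("{0,-18} set to 0" -f $name)
        $restartNeeded = $true
    }
}

if ($Apply) {
    # The netsh step from the article; it takes effect without a restart
    & netsh.exe int ip set chimney disabled
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh exited with code $LASTEXITCODE"
    }
}

if ($restartNeeded) {
    Write-Output 'Registry values changed: restart the computer for them to take effect.'
}
```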
Disabling chimney with netsh and changing the registry values above will allow you to see all the traffic in most cases, but not always. You may also need to look at the features related to TCP chimney offload available on the network card. To access these options, choose the Configure button on the General tab of the adapter's properties. This brings up the adapter's configuration window; the Advanced tab is where the changes are made.
The configurable options available vary depending on how the vendor implements the driver for Windows. Network cards typically have features including receive side scaling, TCP checksum offload and TCP large send offload. Disabling the offload features of the network card will allow you to view all of the traffic in cases where disabling the Scalable Networking Pack features in the OS doesn't work. You should refer to the vendor's documentation for specific steps on how to disable these features.
As a last resort, you may have to disable chimney from a hardware perspective. Refer to the vendor's documentation for specific information on how to disable offload features. Possible ways to do this vary, and may include settings on the NIC, jumpers on the motherboard, and/or configuration in the system BIOS.
The effect of TCP chimney offload on viewing network traffic
http://blogs.technet.com/networking/archive/2008/11/14/the-effect-of-tcp-chimney-offload-on-viewing-network-traffic.aspx