Wireshark-dev: Re: [Wireshark-dev] Strangest thing ever !!! Captures only TCP 3-way handshake n

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 10 May 2007 15:19:53 +0800


Free Prefix wrote:
[...]
When sniffing network traffic with Wireshark, I can see only the TCP
3-way handshake captured but not the traffic itself afterwards. This
happens using any winsock application including Internet explorer and
such , see attached: Browsing_through_iexplore.cap
The most bizarre thing is that if I am doing "telnet" to the same web
server and passing data through the connection I can indeed see the
traffic, see: Browsing_through_telnet.cap

I thought at first it could be a running Antivirus application or such
that at some level captures the network traffic to analyze viruses
before it reaches winpcap but I doubt it because no such application
exist on the server.

I wouldn't worry about AntiVirus software but rather VPN software. Any of that installed?