TCP connection not caught by Netmon (Same source and destination address)

  • Question

  • Basically I have a TCP connection that gets established for a few milliseconds and then drops, resulting in the TIME_WAIT condition. I wanted to determine why it's dropping, so I ran a netstat on a short interval to see what was happening. You can see a portion of the results below; this is all within a second timeframe.

      TCP    192.168.0.139:4117     0.0.0.0:0              LISTENING       1788
      TCP    192.168.0.139:3344     192.168.0.139:4117     ESTABLISHED     2784
      TCP    192.168.0.139:4117     0.0.0.0:0              LISTENING       1788
      TCP    192.168.0.139:4117     192.168.0.139:3344     ESTABLISHED     1788
      TCP    192.168.0.139:3344     192.168.0.139:4117     TIME_WAIT       0

    I then decided to see if netmon would yield any ideas. But I noticed I was not able to view any traffic with the same source and destination address. But as you can see there was definitely a connection established. This leads me to believe that this connection is happening at a layer higher than netmon can see. Either that or traffic with the same source and destination requires some sort of setting or analysis that I'm not aware of.

    Any ideas? I tried searching for a similar case, but I'm not seeing anything...

    Friday, July 20, 2012 1:29 AM

Answers

  • Hi,

    Network Monitor captures at your system's NDIS layer. Traffic destined from your machine to your machine is loopback traffic which doesn't make its way down to NDIS; your system sends it back before Network Monitor can ever see it.

    In order to capture this type of traffic, some people have had success updating their routing tables with the 'route' command to have their local traffic bounce off their routers instead. This would let Network Monitor capture it.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    • Proposed as answer by Paul E Long Wednesday, August 8, 2012 2:26 PM
    • Marked as answer by jenkinski Tuesday, January 1, 2013 12:07 AM
    Friday, July 20, 2012 5:03 PM
    Moderator
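
Added example, not part of the original thread: since a capture at the NDIS layer will not show this connection, the netstat output itself can be used to pair both ends of the same-host connection and name the client and listener processes. The function names are hypothetical and the sample rows are copied from the question.

```python
import re

# Sample rows copied from the netstat output quoted in the question.
SAMPLE = """\
  TCP    192.168.0.139:4117     0.0.0.0:0              LISTENING       1788
  TCP    192.168.0.139:3344     192.168.0.139:4117     ESTABLISHED     2784
  TCP    192.168.0.139:4117     0.0.0.0:0              LISTENING       1788
  TCP    192.168.0.139:4117     192.168.0.139:3344     ESTABLISHED     1788
  TCP    192.168.0.139:3344     192.168.0.139:4117     TIME_WAIT       0
"""

# Columns: protocol, local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            lip, lport, rip, rport, state, pid = m.groups()
            yield lip, int(lport), rip, int(rport), state, int(pid)

def self_connections(text):
    """Group client-side rows of connections whose local and remote IP are equal."""
    rows = list(parse(text))
    listeners = {(ip, port): pid
                 for ip, port, _, _, state, pid in rows if state == "LISTENING"}
    found = {}
    for lip, lport, rip, rport, state, pid in rows:
        if lip != rip or state == "LISTENING":
            continue
        # The row whose remote socket is a listening socket is the client end.
        if (rip, rport) in listeners:
            entry = found.setdefault((lip, lport, rport), {
                "client_pid": None,
                "server_pid": listeners[(rip, rport)],
                "states": []})
            if pid:  # the TIME_WAIT row in the sample carries PID 0
                entry["client_pid"] = pid
            entry["states"].append(state)
    return found

if __name__ == "__main__":
    for (ip, cport, sport), info in self_connections(SAMPLE).items():
        print(f"{ip}:{cport} -> {ip}:{sport}  client PID {info['client_pid']}, "
              f"listener PID {info['server_pid']}, client states {info['states']}")
```

On the sample this reports PID 2784 as the process opening the short-lived connection to the listener owned by PID 1788.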