Today I was trying to run a packet trace to capture iSCSI traffic from a Windows box to one of our filers. The trace would only show iSCSI Read’s and no iSCSI Writes, even though I knew that there was write traffic. A packet trace taken from the filer using pktt showed the Reads and Writes I expected – which indicated something strange at the Windows end. It turned out that the cause was TCP/IP offloading. The intel NIC was configured to do the offloading, and evidently ‘hid’ some of the network activity from windump (a tcpdump implementation on Windows). Once I turned off the offloading from inside Windows using the “Advanced” Tab inside the NIC Properties window I was able to see the iSCSI reads and Writes at the Windows end.
My best guess is that the issue is to do with where in the network stack the WinPCAP module is inserted. It seems that some traffic was routed ‘around’ wherever in the stack WinPCAP was listening.
