Hey Simon,
Use the command "netstat -a" from the command line of the 192.168.10.10 machine. This will display all the IP sessions and you can get confirmation of the TCP sessions. It seems AVG has some bad fix or patch that could be causing the TCP stack to malfunction. Disable AVG, run a telnet session from the host to your mail server and then check the trace.
HTHs.
On Fri, Dec 17, 2010 at 4:50 PM, Simon Mbuthia <simon.mbuthia@gmail.com> wrote:
Hi guys,
I have a host 192.168.10.10 subnet, polling for mail from 192.168.10.105, which also has another network card, 10.0.0.3.
I am running tcpdump on 10.0.0.2 [the firewall] and all I see from 'host 192.168.10.100' are UDP packets and acks. Nothing TCP. So I log in to my Windows PC, 192.168.10.44, and start Wireshark, and using the expression 'ip.src eq 192.168.10.10', all I see are UDP packets again. Looking at the mail server logs, I can tell that the mail client 192.168.10.10 is running as he is polling the mail server for messages. This user uses AVG antivirus, which is not what is installed on the other PCs, and I am just wondering how it is possible for TCP packets/segments not to be detected by a packet sniffer in the same subnet.
Anyone who can unravel this mind-boggling mystery for me???
Me.