Need help with analysis of two related captures
Kurt Buff
2014-06-03 19:44:57 UTC
All,

I have an engineer developing a tool in our AU office. His work
requires that a machine in his office talk with two machines in
our US office.

If one of the US machines fails to respond, the second machine is
supposed to pick up the conversation.

However, he's getting timeouts from both, randomly. I've got a tcpdump
capture that he sent initially, and then a pair that I captured of an
event from firewalls at both ends, but as a relative newb at this kind
of troubleshooting, all I can see are a fair number of out of order
packets and resets, and can't really tell him more than that.

The captures are small (2k, 4k and 6k).

I'd love to find a facility or help of some sort to get to the bottom
of the problem, if I can.

Can anyone point me to where I might find some help on analysing these?

Kurt
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe
T***@public.gmane.org
2014-06-03 20:17:19 UTC
Can you share the captures? If you can ask specific 'I don't understand this frame' questions we might be able to help, but troubleshooting blind is kind of hard. There are a number of good Wireshark 101 books if you have that kind of time and a LOT of content on YouTube. Sharkfest (sharkfest.wireshark.org) is just over a week away; no better place than there to learn Wireshark.
In GENERAL, out of order packets from AU wouldn't really surprise me. The resets are likely one side giving up: are there a lot of retransmissions or huge time gaps before a reset? Adding a delta column to Wireshark can be a huge help when looking at that. Following the different streams might help you get a clearer view of what's up (clear some noise). Did you capture ICMP frames or JUST the port this app runs on? ICMP can give huge hints when things go off the rails. Have you checked the firewall logs? Depending on the firewall, have you tried excluding the traffic from deep IPS / IDS checks (yea, just guessing at random now).

tim

Kurt Buff
2014-06-03 20:31:47 UTC
I can share privately, certainly.

I've got a delta column added, and do see some big deltas (14s, 15s,
and even 75s and 83s and 94s (!)).

The firewalls we have don't have IDS/IPS capability, so that random
guess didn't hit the mark :).

I've got one of Laura Chappell's books and am working my way through
it, and also through a number of videos on youtube (what great
resources they are, too), but wanted to really nail this down for the
engineer, who's being a bit persnickety about it all.

Thanks,

Kurt
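To put Tim's checklist (delta column, follow each stream, look for retransmissions and long silences before a RST) and Kurt's 14s to 94s deltas into something you can run, here is an added example that is not part of the thread. It works over constructed packet records (time, src, dst, TCP flags, seq, payload length) standing in for the rows you would export from the capture; the hosts, ports and timings are made up.

```python
from collections import defaultdict

# Constructed sample packets, not from the thread's captures:
# (time_s, src, dst, tcp_flags, seq, payload_len)
PACKETS = [
    (0.000, "10.1.0.5:50000", "192.0.2.10:8080", "S",  100, 0),
    (0.210, "192.0.2.10:8080", "10.1.0.5:50000", "SA", 500, 0),
    (0.420, "10.1.0.5:50000", "192.0.2.10:8080", "A",  101, 0),
    (0.430, "10.1.0.5:50000", "192.0.2.10:8080", "PA", 101, 200),
    (1.500, "10.1.0.5:50000", "192.0.2.10:8080", "PA", 101, 200),  # retransmission
    (3.700, "10.1.0.5:50000", "192.0.2.10:8080", "PA", 101, 200),  # retransmission
    (78.900, "192.0.2.10:8080", "10.1.0.5:50000", "R", 501, 0),    # reset after ~75s silence
    (0.050, "10.1.0.5:50001", "192.0.2.11:8080", "S",  900, 0),
    (0.260, "192.0.2.11:8080", "10.1.0.5:50001", "SA", 300, 0),
    (0.470, "10.1.0.5:50001", "192.0.2.11:8080", "PA", 901, 120),
    (0.690, "192.0.2.11:8080", "10.1.0.5:50001", "PA", 301, 80),
    (0.900, "10.1.0.5:50001", "192.0.2.11:8080", "FA", 1021, 0),
]

def stream_key(src, dst):
    """One key for both directions, like Wireshark's 'Follow TCP Stream'."""
    return tuple(sorted((src, dst)))

def analyze(packets, gap_threshold=10.0):
    """Per stream: retransmissions, largest delta, and the silence before any RST."""
    streams = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        streams[stream_key(pkt[1], pkt[2])].append(pkt)
    report = {}
    for key, pkts in streams.items():
        seen_segments, retrans, max_delta, gap_before_reset, prev_t = set(), 0, 0.0, None, None
        for t, src, dst, flags, seq, plen in pkts:
            delta = 0.0 if prev_t is None else t - prev_t   # the 'delta' column
            max_delta = max(max_delta, delta)
            if plen > 0:                                    # same data segment seen twice
                if (src, seq) in seen_segments:
                    retrans += 1
                seen_segments.add((src, seq))
            if "R" in flags:
                gap_before_reset = delta
            prev_t = t
        report[key] = {
            "packets": len(pkts),
            "retransmissions": retrans,
            "max_delta_s": round(max_delta, 3),
            "gap_before_reset_s": None if gap_before_reset is None else round(gap_before_reset, 3),
            "suspicious": retrans > 0 or (gap_before_reset or 0.0) > gap_threshold,
        }
    return report

if __name__ == "__main__":
    for key, summary in analyze(PACKETS).items():
        print(key, summary)
```

A stream flagged suspicious with a long gap before the RST points at whichever side stopped answering (or a middlebox that timed the idle flow out), while repeated retransmissions with no ACK point at loss on the path.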