

what to look for in wireshark when losing network connection

Posted on 2007-11-21
Medium Priority
Last Modified: 2008-02-01
I have a network running on a WatchGuard VPN firewall (serving our internal DHCP) with two 24-port Linksys managed switches. I have several remote locations connecting in to the WatchGuard VPN firewall. I have 3 centrally located servers: 1 is a Windows domain server, 1 a SCO Unix server and 1 a Linux server. I'm running Wyse 60 terminal emulation on Windows XP machines as well as Neoware dumb terminals to connect in to the SCO Unix server.

So my problem is as follows.
At this time we seem to be intermittently losing connection to the SCO Unix server on all machines; it seems the SCO box is intermittently dropping off the network, only for a brief moment, on the internal network as well as the external network.
For example, if I connect to the server with PowerTerm (a Windows XP terminal emulation app) on Monday I may have no problems until Wednesday morning; on Wednesday morning I will run PowerTerm and it will not be able to access the server on the first attempt. However, if I open a secondary window it will access the server with no problem.
Similarly, on the Neoware dumb terminal, if I cannot connect I will have to reboot to get a connection.

I checked the logs on both switches and they have been up for 20 days. I also checked the SCO logs and there was nothing special, only that the link went up and down when we replaced the 2 switches 20 days ago.

Finally, I have installed an Ubuntu Linux box as a test machine with Cacti and Wireshark. I mirrored the port on the switch that the SCO box is plugged into, and I'm using Wireshark to sniff the packets and Cacti to graph the usage through the mirrored port on my test box.

So my questions are:
1. What should I look for in Wireshark to determine the problem?
2. What else can I do to find out what the problem is?
Question by: marcum
LVL 29

Accepted Solution

Jan Springer earned 2000 total points
ID: 20329256
First look at the switch that the problem server is connected to.  Do you see any errors that may be due to bad NIC, cable, duplex/speed mismatch?
LVL 31

Expert Comment

ID: 20331553
(1) It has nothing to do with DHCP leases?
(2) There are no power management settings active in the SCO server?  (Look in the BIOS)

Author Comment

ID: 20331861
Jesper: I don't see any errors on the switch.

Moor: OK, that is good to know. It doesn't help me with searching through Wireshark, but it helps to eliminate some possibilities.

Another question: if the NIC in the SCO box is bad, how can I tell, and how can I monitor the CPU usage on the SCO box?

LVL 31

Expert Comment

ID: 20333064
You can eliminate DHCP as being the problem by

(1)  Trying fixed IPs on devices

(2)  Using a different method of issuing DHCP.

(3)  Using a different lease time; use a short lease in conjunction with Wireshark filtering.

Use filters in Wireshark to home in on DHCP packets. I believe (quick rummage on Google) that DHCP uses UDP ports 67 and 68. So set up a filter using those criteria.

If you suspect the NIC is missing packets, put another NIC in the SCO box (easier said than done in Unix, I know that much). That reminds me: there was a bug with NICs with Realtek chipsets missing packets some years ago. This was, I emphasise, some years ago, and it was the Windows drivers that needed to be tweaked; not relevant with Unix, but it might spark some research.
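The filter advice above is correct: DHCP servers listen on UDP 67 and clients on UDP 68, so `udp.port == 67 || udp.port == 68` isolates the exchange in Wireshark. To judge whether lease behaviour lines up with the outages you also need to read the lease time (option 51) and the renewal/rebinding timers (options 58/59) out of each ACK. The following is an added example, not code from the thread or from Wireshark: a small DHCP decoder that parses the BOOTP fixed header and the option list from a raw UDP payload, plus a builder that constructs a synthetic DHCPACK so the decoder can be exercised offline. The addresses, MAC and lease values are made up for the demonstration.

```python
"""Decode DHCP messages from a raw UDP payload (added example, synthetic input)."""
import ipaddress
import struct
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the DHCP option list (RFC 2132)
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_options(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV option list that follows the magic cookie at offset 240."""
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option at offset %d" % i)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past the end of the payload" % code)
        options[code] = value
        i += 2 + length
    return options


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header plus the options that matter for lease troubleshooting."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address offered / acknowledged
    chaddr = payload[28:28 + hlen].hex(":")                # client hardware address
    options = parse_options(payload)

    def u32(code: int) -> Optional[int]:
        raw = options.get(code)
        return struct.unpack("!I", raw)[0] if raw is not None and len(raw) == 4 else None

    msg_type = options.get(53)
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "client_mac": chaddr,
        "yiaddr": yiaddr,
        "type": MESSAGE_TYPES.get(msg_type[0]) if msg_type else None,
        "server_id": str(ipaddress.IPv4Address(options[54])) if 54 in options else None,
        "lease_time": u32(51),      # seconds the address is valid
        "renewal_t1": u32(58),      # when the client starts unicast renewal
        "rebinding_t2": u32(59),    # when it gives up on its server and broadcasts
    }


def build_dhcp_ack(xid: int, client_mac: bytes, yiaddr: str, server: str, lease: int) -> bytes:
    """Construct a minimal DHCPACK for testing (synthetic, not captured traffic)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # BOOTREPLY, Ethernet, hlen 6
    hdr += b"\x00" * 4                                      # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed             # yiaddr
    hdr += ipaddress.IPv4Address(server).packed             # siaddr
    hdr += b"\x00" * 4                                      # giaddr
    hdr += client_mac.ljust(16, b"\x00")                    # chaddr (16 bytes)
    hdr += b"\x00" * (64 + 128)                             # sname, file
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 5])                               # message type: ACK
    opts += bytes([54, 4]) + ipaddress.IPv4Address(server).packed
    opts += bytes([51, 4]) + struct.pack("!I", lease)
    opts += bytes([58, 4]) + struct.pack("!I", lease // 2)       # RFC 2131 default T1 = 0.5 * lease
    opts += bytes([59, 4]) + struct.pack("!I", lease * 7 // 8)   # RFC 2131 default T2 = 0.875 * lease
    opts += b"\xff"                                         # End
    return hdr + opts


if __name__ == "__main__":
    ack = build_dhcp_ack(0x3903F326, bytes.fromhex("001122334455"),
                         "192.168.1.50", "192.168.1.1", 86400)
    for key, value in parse_dhcp(ack).items():
        print(f"{key:13} {value}")
```

Run it against the payloads Wireshark exports for the filtered packets and compare the decoded T1/T2 timers with the times the terminals lose the server: outages that recur at the renewal interval point at the lease, outages that do not rule it out. A server with a statically assigned address is not affected by any of this, which is worth confirming before spending time on the DHCP theory.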

Author Comment

ID: 20341221
As an update, I analyzed the Wireshark logs and basically what I'm seeing is the server sending requests for missing packets; it's showing them out of sequence. However, I can see the client sending the missing packets through the mirrored port to the server. So there is an issue somewhere on the server side. Now I have to figure out if the cable is bad (which I'm replacing), if the NIC is bad or if the server is being overloaded. I don't think it's being overloaded because according to Cacti I'm only showing peak traffic at 2 Mb/s and typical traffic is about 50 Kb/s. Right now the port is syncing up at 1 Gb/s; maybe I should force it to 100 Mb/s.

So after all this, I'm going to say I should replace the cable and then the NIC.
I'll know more on Monday.
LVL 31

Expert Comment

ID: 20342032
I don't know how Cacti is monitoring performance; usually with these kinds of things there is the "participant observer" effect to consider. Cacti is governed by similar constraints to the problem being monitored, and therefore may be affected in a similar way. The chronological order in which you are seeing "snooped" traffic is not necessarily gospel if it is coming from different sources. However, if the server is requesting missing packets then I would have thought this is a clear indicator of the nature of the problem.

Re performance indicator: if you were to draw a graph of activity, the mean of that graph might trundle along quite nicely at a reasonable value, but if that activity happens to occur all at the same time then there may be a problem. It is the times between the packets emanating from the same source that are important. Slugging the system to 100 Mb/s sounds like a grand idea; it might be a handshake/overflow problem.
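The point above, that a long-interval average hides bursts and that the gaps between packets from one host are what show it dropping off, can be made concrete. The following is an added example, not code from the thread or from Cacti: it compares the mean bit rate over a capture with the peak over 100 ms windows, and lists the periods in which a given host sent nothing for longer than a threshold. The capture it analyses is synthetic, built in `constructed_capture()` with invented addresses and sizes: a client typing once a second, a server answering each time except for a 30-second silence, and one 73 KB screen refresh squeezed into 50 ms.

```python
"""Mean throughput vs. short-window peaks and per-host silences (added example).

Packets are (timestamp_seconds, source, payload_bytes). Timestamps are converted to
integer milliseconds before binning so floating-point rounding does not split a burst
across two windows.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int]


def mean_bps(packets: List[Packet]) -> float:
    """Average bit rate over the whole span, the figure a long-interval poller reports."""
    if len(packets) < 2:
        return 0.0
    span_ms = round((packets[-1][0] - packets[0][0]) * 1000)
    total_bits = 8 * sum(size for _, _, size in packets)
    return total_bits * 1000 / span_ms if span_ms else float("inf")


def peak_bps(packets: List[Packet], window_ms: int = 100) -> float:
    """Highest bit rate seen in any fixed window of window_ms milliseconds."""
    t0 = packets[0][0]
    bins: Dict[int, int] = defaultdict(int)
    for ts, _, size in packets:
        bins[round((ts - t0) * 1000) // window_ms] += 8 * size
    return max(bins.values()) * 1000 / window_ms


def silences(packets: List[Packet], threshold_s: float) -> Dict[str, List[Tuple[float, float]]]:
    """Per source, the (last_seen, next_seen) intervals longer than threshold_s."""
    last: Dict[str, float] = {}
    out: Dict[str, List[Tuple[float, float]]] = defaultdict(list)
    for ts, src, _ in packets:
        if src in last and ts - last[src] > threshold_s:
            out[src].append((last[src], ts))
        last[src] = ts
    return dict(out)


def constructed_capture() -> List[Packet]:
    """Synthetic five-minute capture (not real traffic), sorted by time."""
    client, server = "10.0.0.20", "10.0.0.5"
    pkts: List[Packet] = []
    for t in range(300):
        pkts.append((float(t), client, 60))           # one keystroke per second
        if not 200 <= t < 230:                        # server goes quiet for 30 s
            pkts.append((t + 0.5, server, 80))        # echo / response
    for k in range(50):                               # 50 x 1460 bytes within 50 ms
        pkts.append((100.0 + k / 1000, server, 1460))
    pkts.sort(key=lambda p: p[0])
    return pkts


if __name__ == "__main__":
    pk = constructed_capture()
    print(f"mean      {mean_bps(pk):12.0f} bit/s")
    print(f"peak/100ms{peak_bps(pk):12.0f} bit/s")
    for host, gaps in silences(pk, 5.0).items():
        for start, end in gaps:
            print(f"{host} silent {start:.1f}s -> {end:.1f}s ({end - start:.1f}s)")
```

On the constructed data the mean comes out near 3 kbit/s while the 100 ms peak is about 5.8 Mbit/s, roughly two thousand times higher, and the only silence longer than five seconds belongs to the server. The same computation over a real capture tells you whether the 2 Mb/s the author read off Cacti is a smoothed figure hiding much sharper bursts, and whether the terminals' connection failures coincide with periods in which the server's port sent nothing at all.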



