troubleshooting dropped ftp connection via a leased line with Cisco routers


I have a point to point leased circuit link : both ends are Cisco 25xx routers.

File transfer is initiated (put & get) from my end (a Linux) to a remote
Windows box (no other boxes at both ends can do files transfer :
restricted by routing / firewalls)

I've been facing intermittent ftp connection drops while a file transfer
is in progress & MRTG showed occasional bandwidth spikes that could
approach the max bandwidth.

Assuming I have no control over the remote end's cisco router & the
remote end Windows box, what's the best way to troubleshoot this?

a)I thought of running Linux "iftop" continuously on my Linux box to
   see what kind of traffic is passing thru the link

b)what about mirroring a port on the switch which the cisco router at
   my end connects its sole LAN link to?  How do I configure this 36xx
   cisco switch port for mirroring & how do I capture its traffic

What other things can I do to narrow down this occasional "ftp connection
closed" in the midst of a file transfer (weirdly it can happen at 4am when
I don't expect much traffic) & the occasional spikes?

Would "show interface" on the cisco router reveal bad Telco links issue ?
Asked by: sunhux
sunhux (Author) commented:

The error of the ftp failure appended below:

=========================

(username) Verbose mode on.

Interactive mode off.

Local directory now /abc/temp

250 CWD command successful.

200 Type set to I.

local: file1.dat remote: file1.dat

227 Entering Passive Mode …………………

125 Data connection already open; Transfer starting.

426 Connection closed; transfer aborted.  <---------

27815 bytes sent in 0.354 secs (77 Kbytes/sec)
sunhux (Author) commented:

Is there a tool in Redhat Linux that's the equivalent of Solaris'
 snoop

I'll probably do " snoop -d lan_interface | grep destination_addr_of_remote_end"
& save into a file
The--Captain commented:
tcpdump -l -n -s 0 -x -X -i any 'host destination_addr_of_remote_end' > /tmp/ftptrace

Cheers,
-Jon
sunhux (Author) commented:

> 426 Connection closed; transfer aborted.

Which are the logfiles (kindly provide directory & filename in my Linux ftp
client box & the remote end's Windows ftp server box) that I can look at
to investigate the above kind of sudden ftp connection abortion in the midst
of transfer. I have dozens of ftp transfers per day & after those 2 failed transfers
at about 4+am, all subsequent transfers are OK.
sunhux (Author) commented:

> tcpdump -l -n -s 0 -x -X -i any 'host destination_addr_of_remote_end' > /tmp/ftptrace
Is the above command something that runs continuously?  Will need something or a
script that performs tcpdump once every 30 secs.

Btw, if the router/firewall in between only permits ftp to pass through (no ping & no
traceroute traffic permitted), would the tcpdump work?

The--Captain commented:
tcpdump is a sniffer for Linux.  Here's a breakdown of the arguments:

-l : line buffered output
-n : do not inversely resolve IPs
-s 0 : no limit on size of packet captured
-x : output in hex
-X : also output in ascii
-i any : listen on all available interfaces
'host destination_addr_of_remote_end' : only capture traffic associated with
                                                                destination_addr_of_remote_end

Yes, it runs continuously, capturing traffic until you stop it.  The command I supplied dumps the output in /tmp/ftptrace

It will at least capture traffic local to your machine, so it should capture your FTP traffic (since you're running a local FTP client).

-Jon
sunhux (Author) commented:

Is there any option / parameter for tcpdump to run only for a duration of time, as
I'm afraid the logs will overgrow.

I plan to put it in a script & use nohup script_name & 
so that tcpdump runs in background but I'll need to run
it for the next 24 hrs only
The--Captain commented:
tcpdump -l -n -s 0 -x -X -i any 'host destination_addr_of_remote_end' > /tmp/ftptrace & sleep some_amount_of_time_in_seconds ; killall -9 tcpdump

-Jon

The--Captain commented:
you can also use the -c option with tcpdump to specify a maximum number of packets to be captured, then exit.

-Jon
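
Added example, not part of the thread or of any poster's answer: one way to bound the capture to 24 hours without a sleep/kill pair, using tcpdump's own time-based rotation, plus a read-back filter for finding which direction closed the FTP session. REMOTE, OUTDIR and the default values are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): time-bounded, rotating capture of one
# FTP peer. REMOTE and OUTDIR are placeholders; 192.0.2.10 is a constructed
# documentation address.
REMOTE="${REMOTE:-192.0.2.10}"
OUTDIR="${OUTDIR:-/var/tmp/ftptrace}"
ROTATE_SECS="${ROTATE_SECS:-3600}"   # start a new file every hour
FILE_COUNT="${FILE_COUNT:-24}"       # 24 hourly files = 24 h, then exit

# capture PREFIX...: run tcpdump behind PREFIX ("echo" gives a dry run).
#   -w  binary pcap, readable later with tcpdump -r or Wireshark
#   -G  rotate the output file every ROTATE_SECS seconds
#   -W  with -G: exit after FILE_COUNT files, so no sleep/kill is needed
# If the local build drops root privileges (-Z), OUTDIR must be writable
# by the user it drops to.
capture() {
    "$@" tcpdump -n -s 0 -i any -G "$ROTATE_SECS" -W "$FILE_COUNT" \
        -w "$OUTDIR/ftp-%Y%m%d-%H%M%S.pcap" "host $REMOTE"
}

# Read-back filter: only packets that end a TCP connection. The source of
# the first RST or FIN shows which direction the teardown came from.
teardown_filter() {
    printf '%s' "host $REMOTE and tcp[tcpflags] & (tcp-rst|tcp-fin) != 0"
}

start_capture() {
    umask 077    # FTP is cleartext: the pcap holds USER/PASS and file data
    mkdir -p "$OUTDIR" || return 1
    capture nohup >/dev/null 2>"$OUTDIR/tcpdump.err" &
    echo "capturing to $OUTDIR; stops by itself after $FILE_COUNT files"
}

show_teardowns() {    # usage: show_teardowns FILE.pcap
    tcpdump -n -tttt -r "$1" "$(teardown_filter)"
}

case "${1:-}" in
    start) start_capture ;;
    read)  show_teardowns "$2" ;;
    *)     capture echo ;;    # default: print the command only
esac
```

Run with no argument to print the command, with `start` to begin capturing, and with `read FILE.pcap` to list the FIN/RST packets around a failed transfer.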
sunhux (Author) commented:


Thanks very much.

I've decided to use
   tcpdump -c 999999 -s 0 -i any host destination_IP_addr
as -n, -x & -X  gives quite some complicated outputs.

Will close this thread.

Once I got the outputs, will raise another thread/question for analysis
The--Captain commented:
Don't forget the single-quotes around 'host destination_IP_addr' - might not be necessary in this case, but they're supremely helpful when you start using && and ! characters in your capture filter expressions.

-Jon
sunhux (Author) commented:
Excellent, thanks very very much