

lolaferrari asked
I receive TCP/IP timeouts on one interface for a certain TCP port between two IP addresses using TCP/IP. The TCP/IP connection is being dropped intermittently. Does anyone know how best to monitor for this with tshark? What would be the best capture to monitor for a connection that has died or timed out?

noci, Software Engineer
Distinguished Expert 2019

You need to capture on BOTH sides, and besides the traffic at hand you need to look for TCP Resets or ICMP packets that indicate various conditions such as invalid host, no route to host or similar.
If it isn't too much, capture everything; otherwise at least the TCP session identified by ports and hosts, and ALL ICMP traffic. (Otherwise you may miss the ICMP if it comes from something a little nearer to your system.)

I did have trouble in the past where a DSL line would drop the connection when it got loaded and caused too many ATM-layer faults; all connections (externally) were actively removed because the DSLAM of the ISP would send a "No Route available" to all my connected sites, causing a total breakdown in communication instead of only annoying pauses.

Duncan Roe, Software Developer

Personally I would still use tcpdump. To make sense of the traces from both systems, it's essential that their clocks are synchronised - I use netdate (if it's not in your distribution, connect to http://www.rpmfind.net and look for netdate).
Software Engineer
Distinguished Expert 2019
It helps if the clocks are synchronised, but timestamps are taken in microseconds now, and that level of accuracy just isn't available.
For synchronisation it is also possible to use a known packet sequence (IP address/port pair) for both sender & receiver.

It does help to know how much difference there is between the clocks, by limiting the search window.
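
An added example, not part of the thread: a Python sketch of the two-sided comparison the answers describe. It uses packets seen in both captures to estimate the clock offset, then lists segments that never reached the far side and resets the peer never sent. The addresses and rows are constructed, and it assumes no NAT rewrites addresses or ports between the two capture points.

```python
from collections import Counter

A_IP, B_IP = "192.0.2.10", "192.0.2.20"   # constructed documentation addresses
# Constructed rows, tab-separated as exported on each side with recent tshark:
#   tshark -r side.pcap -T fields -e frame.time_epoch -e ip.src -e tcp.srcport \
#     -e ip.dst -e tcp.dstport -e tcp.seq_raw -e tcp.len -e tcp.flags.reset
SIDE_A = ("100.000000\t192.0.2.10\t40000\t192.0.2.20\t5000\t1000\t100\t0\n"
          "100.061000\t192.0.2.20\t5000\t192.0.2.10\t40000\t9000\t50\t0\n"
          "101.000000\t192.0.2.10\t40000\t192.0.2.20\t5000\t1100\t100\t0\n"
          "101.200000\t192.0.2.10\t40000\t192.0.2.20\t5000\t1100\t100\t0\n"
          "101.600000\t192.0.2.10\t40000\t192.0.2.20\t5000\t1100\t100\t0\n"
          "102.000000\t192.0.2.20\t5000\t192.0.2.10\t40000\t9050\t0\t1\n")
SIDE_B = ("102.520000\t192.0.2.10\t40000\t192.0.2.20\t5000\t1000\t100\t0\n"
          "102.541000\t192.0.2.20\t5000\t192.0.2.10\t40000\t9000\t50\t0\n")

def parse(text):
    """Rows -> (time, key, is_rst); key identifies the same segment in both captures."""
    rows = []
    for line in text.splitlines():
        t, src, sp, dst, dp, seq, ln, rst = line.split("\t")
        rows.append((float(t), (src, sp, dst, dp, seq, ln), rst.strip().lower() in ("1", "true")))
    return rows

def clock_offset(a, b):
    """(B clock minus A clock, one-way latency), assuming latency is equal both ways."""
    first_b = {}
    for t, key, _ in b:
        first_b.setdefault(key, t)
    fwd = [first_b[k] - t for t, k, _ in a if k in first_b and k[0] == A_IP]  # offset + latency
    rev = [t - first_b[k] for t, k, _ in a if k in first_b and k[0] == B_IP]  # latency - offset
    if not fwd or not rev:
        raise ValueError("need a packet seen on both sides in each direction")
    return (min(fwd) - min(rev)) / 2, (min(fwd) + min(rev)) / 2

def unmatched(here, there):
    """Segments captured in `here` without a counterpart in `there` (retransmits counted)."""
    budget, missing = Counter(k for _, k, _ in there), []
    for t, key, rst in here:
        if budget[key] > 0:
            budget[key] -= 1
        else:
            missing.append((t, key, rst))
    return missing

def report(a_text, b_text):
    a, b = parse(a_text), parse(b_text)
    offset, latency = clock_offset(a, b)
    only_a = unmatched(a, b)
    lost = [(t, k) for t, k, _ in only_a if k[0] == A_IP]                # sent by A, never seen at B
    foreign_rst = [(t, k) for t, k, r in only_a if r and k[0] == B_IP]   # RST "from B" that B never sent
    return offset, latency, lost, foreign_rst

if __name__ == "__main__":
    print(report(SIDE_A, SIDE_B))
```

A reset that appears in one capture with the peer's address but is absent from the peer's own capture was generated somewhere on the path, which is the case a one-sided capture cannot distinguish.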
