Solved

FTP Problem through a switch

Posted on 2012-04-09
Last Modified: 2012-04-11
Experts,
I need an expert to read a Wireshark and let me know what you think may be causing my FTP data not to transfer after 50%.


Thanks,

TamscoDan
FTP-ERROR.csv
0
Comment
Question by:TAMSCODAN
13 Comments
 
LVL 28

Expert Comment

by:Bill Bach
Can you post the original PCAP file?  Analyzing a network via Excel is kind of like driving a cow to work.  It might be possible, but it's REALLY slow going...
0
 
LVL 28

Expert Comment

by:Bill Bach
The first part of the failure shows that the ACKs simply start to stall out.  Either the receiver is too slow to process the data, or something is blocking the ACK packets:

Screen1
I indicated for each ACK which packet it is ACKing with the arrow.  The retransmissions at the end show that it is having lots of problems, and it is already stalling out.  A little while later, the same thing happens (but it is not as clear without being able to drill down into the TCP layer) and the transfer simply stops.

My guess?  Something is hampering the flow of data (the 64-byte ACK packets) from the target back to the source.  Could be as simple as a bad cable, traffic shaping on a link, or even a misconfiguration of duplex settings.
0
 
LVL 45

Expert Comment

by:Craig Beck
I'd also check that there's not an MTU issue.

From a command prompt (assuming you're using Windows) try this...

ping <ftpserverip> -f -l 1460


If you get this...

Packet needs to be fragmented but DF set.

...there is a problem with MTU.
0
 
LVL 3

Author Comment

by:TAMSCODAN
I have attached the PCAP; you will need to add the extension since it would not let me load it. It is zipped.
FTP-ERROR.zip
0
 
LVL 3

Author Comment

by:TAMSCODAN
One interesting test that we did do is that we put in a media converter and connected it into one of the copper ports of the switch, and the transfer worked just fine. Then I looked at the specifications of the media converter and found that the media converter is rated at a distance of 2 km, whereas the SFP that it was originally connected to was rated to 4 km. Do you think that the laser may be overpowering the RX port on the other end? Wavelength is the same.
0
 
LVL 28

Accepted Solution

by:
Bill Bach earned 500 total points
That makes it easier to see the exact combination of ACKs:

ScreenShot
Here, we see the TCP window is still around 2900 bytes (two packets), which seems very small (must be an older OS on the target side).  Again, I've highlighted the ACKs for the data packets so you can see what is being ACKed.  Notice, though, the Delta Time column -- there is already an incredible time delay in these packets, with some replies coming many seconds after the requests, causing retransmissions.  

If you look deeply, however, it looks like things SHOULD be still underway: the ACK is for 541961 (meaning that the target wants this packet next), and we see the exponential fallback as expected (right at the end in the retransmissions) as the source tries to re-send packet 541961 over and over again, but the target just keeps ACKing the same 541961 over and over again, very slowly.  This tells us that it is not receiving the data for some reason.

My guess is that the TCP stack on the target is a bit outdated.  You don't describe the network setup in detail, so coming to a conclusion is all but impossible.  For example, I *never* would have suggested to change out a media converter because you never mentioned that there was one in the loop!
0
 
LVL 3

Author Comment

by:TAMSCODAN
Topology is:

(END DEVICE A) ----via copper-----(Switch with Copper and Fiber)--------Fiber----------(FTP SERVER)
0
 
LVL 3

Author Comment

by:TAMSCODAN
Initially there was no media converter; we used it to test. Therefore we connected the FTP server that was on the fiber and converted the fiber to a copper connection, so it worked fine that way. So this demonstrates there was an issue with the SFP; however, I would like to know what the issue was or how to figure this out via the Wireshark capture. Great explanation though!!!!
0
 
LVL 3

Author Comment

by:TAMSCODAN
How can I get the Delta column on Wireshark?
0
 
LVL 28

Expert Comment

by:Bill Bach
Easy way: Select Edit / Time Display Format / Seconds Since Previous Displayed Packet (This changes the TIME field to the delta time)
Hard Way: Edit the entire column list, add a new column, rename it to Delta Time, and specify the item for Delta Time. (This allows you to have BOTH times shown, like I do.)

You can also show JUST the important traffic by right-clicking on an FTP packet, selecting Filter Conversation / TCP.
0
 
LVL 3

Author Comment

by:TAMSCODAN
What prompted you to say incredible time delays? Sorry for all the questions. What should I expect for time delay?
0
 
LVL 28

Expert Comment

by:Bill Bach
While the process is running normally (towards the beginning of the process), you'll note the time delay is within a few ms each packet.  By the time it starts failing and the retransmissions start, it is taking over 1/4 second for each ACK (this lack of an ACK is what triggers the retransmission), and subsequent retransmissions are taking SEVERAL seconds.  This is an eternity as far as computers are concerned.
0
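
Added example (not part of the original thread or any poster's code): the checks described in the answers above, run over a CSV export instead of by eye. It computes the delta time per packet, counts ACK numbers that repeat, and lists the gaps between retransmissions of the same sequence number. The addresses, ports and timings are constructed, the 0.25 s threshold is the "over 1/4 second" figure from the answer above, and it assumes the export is already filtered to one TCP conversation with the Info column showing Seq/Ack/Len.

```python
import csv, io, re

# Constructed sample in the layout of a Wireshark CSV export (not the poster's capture).
SAMPLE = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000","192.0.2.10","192.0.2.20","TCP","1514","20 > 1045 [ACK] Seq=539041 Ack=1 Win=65535 Len=1460"
"2","0.002","192.0.2.20","192.0.2.10","TCP","64","1045 > 20 [ACK] Seq=1 Ack=540501 Win=2920 Len=0"
"3","0.003","192.0.2.10","192.0.2.20","TCP","1514","20 > 1045 [ACK] Seq=540501 Ack=1 Win=65535 Len=1460"
"4","0.005","192.0.2.20","192.0.2.10","TCP","64","1045 > 20 [ACK] Seq=1 Ack=541961 Win=2920 Len=0"
"5","0.006","192.0.2.10","192.0.2.20","TCP","1514","20 > 1045 [ACK] Seq=541961 Ack=1 Win=65535 Len=1460"
"6","0.306","192.0.2.20","192.0.2.10","TCP","64","1045 > 20 [ACK] Seq=1 Ack=541961 Win=2920 Len=0"
"7","0.606","192.0.2.10","192.0.2.20","TCP","1514","20 > 1045 [ACK] Seq=541961 Ack=1 Win=65535 Len=1460"
"8","1.006","192.0.2.20","192.0.2.10","TCP","64","1045 > 20 [ACK] Seq=1 Ack=541961 Win=2920 Len=0"
"9","1.806","192.0.2.10","192.0.2.20","TCP","1514","20 > 1045 [ACK] Seq=541961 Ack=1 Win=65535 Len=1460"
"10","4.206","192.0.2.10","192.0.2.20","TCP","1514","20 > 1045 [ACK] Seq=541961 Ack=1 Win=65535 Len=1460"
"11","4.706","192.0.2.20","192.0.2.10","TCP","64","1045 > 20 [ACK] Seq=1 Ack=541961 Win=2920 Len=0"
'''

INFO = re.compile(r"Seq=(\d+) Ack=(\d+) Win=\d+ Len=(\d+)")

def parse(csv_text):
    """Return (time, src, seq, ack, length) for each TCP row of the export."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        m = INFO.search(row["Info"])
        if m:
            out.append((float(row["Time"]), row["Source"], *map(int, m.groups())))
    return out

def analyze(packets, slow_ack=0.25):
    """Flag stuck ACK numbers, retransmission gaps and ACKs slower than slow_ack seconds."""
    sent, acks, slow, prev = {}, {}, [], None
    for t, src, seq, ack, length in packets:
        delta = 0.0 if prev is None else t - prev   # seconds since previous packet
        prev = t
        if length:                                   # data segment: remember each send time
            sent.setdefault(seq, []).append(t)
        else:                                        # pure ACK from the receiver
            acks[ack] = acks.get(ack, 0) + 1
            if delta > slow_ack:
                slow.append((t, round(delta, 3)))
    gaps = {s: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for s, ts in sent.items() if len(ts) > 1}
    return {"stuck_acks": {a: n for a, n in acks.items() if n > 1},
            "retransmit_gaps": gaps,
            "backoff": {s: all(b >= 1.5 * a for a, b in zip(g, g[1:])) for s, g in gaps.items()},
            "slow_acks": slow}
```

Calling `analyze(parse(SAMPLE))` reports ACK 541961 seen four times while the sender's retransmission gaps for that sequence number grow from 0.6 s to 2.4 s.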
 
LVL 3

Author Comment

by:TAMSCODAN
Thank you for all this good info!
0
