Wireshark-users: [Wireshark-users] Network disconnects

From: "Andy Alguire" <AAlguire@xxxxxxxxx>
Date: Tue, 12 Feb 2008 11:47:53 -0600
Here are the symptoms:

- user workstations freeze and access to shared drives and email terminates
- interruption typically lasts 10 to 30 seconds
- interruptions occur rarely and randomly during the day, but consistently at day end (4:30 to 6PM) 
- most users have left the building by 5PM but interruptions continue until 6PM and sometimes later
- when users leave they logout and shut down their PCs
- Novell 6.5 network with several Windows 2000 application servers
- Novell GroupWise email
- Nortel Baystack workstation switches connected via switch backplanes
- Cisco 3750 core switch
- 1 server VLAN and 1 workstation VLAN

- to date we have upgraded NetWare client on all workstations, upgraded firmware and software on switches, and eliminated legacy D-Link switches
- network performance is excellent until the interruptions occur
- we are considering the possibility of an environmental cause but nothing obvious has come to light

Any help would be appreciated.

Thanks


>>> <wireshark-users-request@xxxxxxxxxxxxx> 2/12/2008 6:01 AM >>>

Today's Topics:

   1.  Packet Capture (Fausto Oliveira)
   2. Re: where to see transfered data (Sake Blok)
   3. Re: Packet Capture (Sake Blok)


----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Feb 2008 10:33:20 +0000
From: "Fausto Oliveira" <fausto.j.oliveira@xxxxxxxxx>
Subject: [Wireshark-users]  Packet Capture
To: wireshark-users@xxxxxxxxxxxxx 
Message-ID:
	<f0174b2c0802120233v4c77cb0do208ef7757cad0eab@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

Hello,

Could it be that you are experiencing some kind of STP loop? What kind of
switches/hubs are you using?

------------------------------

Message: 2
Date: Tue, 12 Feb 2008 11:47:24 +0100
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] where to see transfered data
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Tue, Feb 12, 2008 at 02:17:39AM -0800, J V wrote:
>    
>   I'm new in Wireshark and have one question. Where to see data I transfer?
>   Question is because I transfer by ftp 90 bytes BMP file with appropriate capture
>   filter. When look to packet detail frame I see
>   Frame 4 .... 118 bytes captured, but inside there is nothing around 90 bytes
>   The biggest block is 64 bytes (Opening binary mode data......)

The FTP protocol is a tricky protocol as it uses a control connection and
separate data connections. If you use the capture filter "ftp" you will 
only see the data in the control connection (client:highport -> server:21).
You can use the capture filter "ftp-data" to capture the data-connections
(server:20 -> client:other-high-port).

But... if passive ftp is used, the data connections are set up on random
ports (server:highport -> client:other-highport). In which case the 
capture filter "ftp or ftp-data" will not even help you. You will then have 
to capture all (tcp) traffic between the client and the server and do
the filtering later by hand.

Hope this helps,
Cheers,
    Sake
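
Added example, not part of the original message: with passive FTP the server announces the data port on the control connection, so once all TCP traffic between client and server has been captured, the data connections can be located by parsing the 227/229 replies (or the client's PORT command in active mode). The control lines and 192.0.2.x addresses below are constructed sample data, and the function names are hypothetical.

```python
import re

# 227 reply to PASV and the client's PORT command both carry h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_RE = re.compile(r"^227 .*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)
# 229 reply to EPSV carries only the port, e.g. (|||50000|) (RFC 2428).
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d+)\1\)")

# Constructed control-connection lines (not taken from the thread).
SAMPLE_CONTROL = [
    "PORT 192,0,2,50,200,10",
    "200 PORT command successful",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,203)",
    "EPSV",
    "229 Entering Extended Passive Mode (|||50000|)",
]


def data_endpoints(control_lines, server_ip):
    """Return (listener_ip, listener_port, mode) for each negotiated data connection."""
    found = []
    for line in control_lines:
        line = line.strip()
        for regex, mode in ((PASV_RE, "passive"), (PORT_RE, "active")):
            m = regex.match(line)
            if m:
                h1, h2, h3, h4, p1, p2 = m.groups()
                # The port is sent as two decimal bytes, high byte first.
                found.append((f"{h1}.{h2}.{h3}.{h4}", int(p1) * 256 + int(p2), mode))
        m = EPSV_RE.match(line)
        if m:
            # EPSV omits the address: the listener is the control-connection server.
            found.append((server_ip, int(m.group(2)), "passive"))
    return found


def display_filter(endpoints):
    """Build a Wireshark display filter for the control and all data connections."""
    parts = ["tcp.port == 21"]
    for ip, port, _mode in endpoints:
        parts.append(f"(ip.addr == {ip} && tcp.port == {port})")
    return " || ".join(parts)


if __name__ == "__main__":
    print(display_filter(data_endpoints(SAMPLE_CONTROL, "192.0.2.10")))
```
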


------------------------------

Message: 3
Date: Tue, 12 Feb 2008 12:06:10 +0100
From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Packet Capture
To: Community support list for Wireshark
	<wireshark-users@xxxxxxxxxxxxx>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

On Mon, Feb 11, 2008 at 05:44:35PM -0600, Andy Alguire wrote:
> Hello I need help in figuring out this capture. We are seeing 
> network disconnect daily,

What do you mean when you say "network disconnect"? What are the
symptoms?

> primarily at end of day when users are logging out.

Are the users turning off their PCs? Or are they just logging out
from their OS?

> I would really appreciate some help as I have 
> hired professionals to analyze the network and they have come 
> up with nothing. Thanks

Not even an action plan to pinpoint the problem? Shame on them!

> 55868	18793.777250	10.8.72.31	10.8.74.158	TCP	[TCP Previous segment lost] [TCP segment of a reassembled PDU]
> 
> 56005	18846.010073	10.8.72.31	10.8.74.105	TCP	[TCP Previous segment lost] [TCP segment of a reassembled PDU]

These selected packets do not tell much without their context. It
just tells you that there were some packets missing in the capture
file. They could have also been absent on the network or they could
just have not been seen by the capture program.

Cheers,
    Sake


------------------------------



End of Wireshark-users Digest, Vol 21, Issue 31
***********************************************