Wireshark-users: [Wireshark-users] Network disconnects
From: "Andy Alguire" <AAlguire@xxxxxxxxx>
Date: Tue, 12 Feb 2008 11:47:53 -0600
Here are the symptoms: - user workstations freeze and access to shared drives and email terminates - interruption typically lasts 10 to 30 seconds - interruptions occur rarely and randomly during the day, but consistently at day end (4:30 to 6PM) - most users have left the building by 5PM but interruptions continue until 6PM and sometimes later - when users leave they logout and shut down their PCs - Novell 6.5 network with several Windows 2000 application servers - Novell GroupWise email - Nortel Baystack workstation switches connected via switch backplanes - Cisco 3750 core switch - 1 server Vlan and 1 workstation Vlan - to date we have upgraded Netware client on all workstations, upgraded firmware and software on switches, and eliminated legacy D-Link switches - network performance is excellent until the interruptions occur - we are considering the possibility of an environmental cause but nothing obvious has come to light Any help would be appreciated. Thanks >>> <wireshark-users-request@xxxxxxxxxxxxx> 2/12/2008 6:01 AM >>> Send Wireshark-users mailing list submissions to wireshark-users@xxxxxxxxxxxxx To subscribe or unsubscribe via the World Wide Web, visit http://www.wireshark.org/mailman/listinfo/wireshark-users or, via email, send a message with subject or body 'help' to wireshark-users-request@xxxxxxxxxxxxx You can reach the person managing the list at wireshark-users-owner@xxxxxxxxxxxxx When replying, please edit your Subject line so it is more specific than "Re: Contents of Wireshark-users digest..." Today's Topics: 1. Packet Capture (Fausto Oliveira) 2. Re: where to see transfered data (Sake Blok) 3. Re: Packet Capture (Sake Blok) ---------------------------------------------------------------------- Message: 1 Date: Tue, 12 Feb 2008 10:33:20 +0000 From: "Fausto Oliveira" <fausto.j.oliveira@xxxxxxxxx> Subject: [Wireshark-users] Packet Capture To: wireshark-users@xxxxxxxxxxxxx Message-ID: <f0174b2c0802120233v4c77cb0do208ef7757cad0eab@xxxxxxxxxxxxxx> Content-Type: text/plain; charset="iso-8859-1" Hello, Could it be that you are experiencing some kind of STP loop ? What kind of switches/Hubs you are using ? -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.wireshark.org/lists/wireshark-users/attachments/20080212/657ea57d/attachment.html ------------------------------ Message: 2 Date: Tue, 12 Feb 2008 11:47:24 +0100 From: Sake Blok <sake@xxxxxxxxxx> Subject: Re: [Wireshark-users] where to see transfered data To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> Message-ID: <[email protected]> Content-Type: text/plain; charset=us-ascii On Tue, Feb 12, 2008 at 02:17:39AM -0800, J V wrote: > > I'm new in Wireshark and have one question. Where to see data I transfer? > Question is because I tranfer by ftp 90 bytes BMP file with appropriate capture > filtr. When look to packet detail frame I see > Frame 4 .... 118 bytes captured, but inside there is nothing around 90 bytes > The biggest block is 64 bytes (Opening binary mode data......) The FTP protocol is a tricky protocol as it uses a control connection and separate data connections. If you use the capture filter "ftp" you will only see the data in the control connection (client:highport -> server:21). You can use the capture filter "ftp-data" to capture the data-connections (server:20 -> client:other-high-port). But... if passive ftp is used, the data connections are set up on random ports (server:highport -> client:other-highport). In which case the capture filter "ftp or ftp-data" will not even help you. You will then have to capture all (tcp) traffic between the client and the server and do the filtering later by hand. Hope this helps, Cheers, Sake ------------------------------ Message: 3 Date: Tue, 12 Feb 2008 12:06:10 +0100 From: Sake Blok <sake@xxxxxxxxxx> Subject: Re: [Wireshark-users] Packet Capture To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx> Message-ID: <[email protected]> Content-Type: text/plain; charset=us-ascii On Mon, Feb 11, 2008 at 05:44:35PM -0600, Andy Alguire wrote: > Hello I need help in figuring out this capture. We are seeing > network disconnect daily, What do you mean when you say "network disconnect"? What are the symptoms? > primarily at end of day when users are logging out. Are the users turning off their PC's? Or are they just logging out from their OS? > I would really appreciate some help as I have > hired professionals to analyze the network and they have come > up with nothing. Thanks Not even an action plan to pinpoint the problem? Shame on them! > 55868 18793.777250 10.8.72.31 10.8.74.158 TCP [TCP Previous segment lost] [TCP segment of a reassembled PDU] > > 56005 18846.010073 10.8.72.31 10.8.74.105 TCP [TCP Previous segment lost] [TCP segment of a reassembled PDU] These selected packets do not tell much without their context. It just tells you that there were some packets missing in the capture file. They could have also been absent on the network or they could just have not been seen by the capture program. Cheers, Sake ------------------------------ _______________________________________________ Wireshark-users mailing list Wireshark-users@xxxxxxxxxxxxx http://www.wireshark.org/mailman/listinfo/wireshark-users End of Wireshark-users Digest, Vol 21, Issue 31 ***********************************************
- Follow-Ups:
- Re: [Wireshark-users] Network disconnects
- From: Alan Emery
- Re: [Wireshark-users] Network disconnects
- From: Hansang Bae
- Re: [Wireshark-users] Network disconnects
- Prev by Date: [Wireshark-users] Cant decode a SIP/SDP VOIP call
- Next by Date: [Wireshark-users] Wireshark-users: Re: How to let wireshark capture one application packets
- Previous by thread: Re: [Wireshark-users] Cant decode a SIP/SDP VOIP call
- Next by thread: Re: [Wireshark-users] Network disconnects
- Index(es):