Wireshark-users: [Wireshark-users] FTP Timeout Troubleshooting

From: "Jonathan S. Abrams" <hociman@xxxxxxxxxxx>
Date: Sun, 09 May 2010 23:14:58 -0400
Hello,

I am trying to troubleshoot an issue with connecting to an FTP server, and have captured some packets that match a theory I have that the issue is related to a timeout. I am hoping that someone can either explain to me what this data means or point me in the right direction towards interpreting it.

When I initiated a connection to the FTP server in question, the following packets caught my attention.

No. Time Source Destination Protocol Info 23 10.212754 SERVER ME TCP ftp > 49497 [ACK] Seq=336 Ack=33 Win=524280 Len=0 TSV=113977199 TSER=777016821

No. Time Source Destination Protocol Info 24 11.057690 SERVER ME TCP 57314 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460

No. Time Source Destination Protocol Info 25 19.073737 SERVER ME TCP 57314 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460

No. Time Source Destination Protocol Info 26 35.105752 SERVER ME TCP 57314 > ident [SYN] Seq=0 Win=65535 Len=0 MSS=1460

No. Time Source Destination Protocol Info
     27 40.232279   SERVER         ME        FTP-DATA FTP Data: 85 bytes

No. Time Source Destination Protocol Info 28 40.232321 ME SERVER TCP 49497 > ftp [ACK] Seq=33 Ack=421 Win=524280 Len=0 TSV=777017121 TSER=113977499

Here is why I think it is a timeout issue. I am using Mac OS X, and when I use Transmit to connect to this server, it takes about 31 seconds to connect, but it does connect. Transmit does not have a timeout preference that I can find, so as long as I wait patiently, it connects. If I use Cyberduck, with its defaults, it will not connect. If I change the Cyberduck timeout preference to 31 seconds, it does connect. If you look at the times on the packets above, you will see the first packet I pasted here has a time of 10.212754. The next packet coming from ME going to the SERVER occurs at 40.232321, which is more than 30 seconds after the first server packet. As such, if I don't adjust Cyberduck's default timeout preference to a higher value, Cyberduck does not connect. This packet capture was done using Cyberduck, with its timeout preference set to 31 seconds, so I was able to connect successfully.

Ultimately what I would like to do is get the time between packet 23 and packet 28 to be less than 30 seconds. This way nobody will have to adjust their timeout preference if they are using Cyberduck to connect to this server. Does any of the packet data here suggest what I might be able to do to achieve that? Any insights are appreciated.

Thanks for reading!

Jonathan S. Abrams