Wireshark-users: Re: [Wireshark-users] Windows server becomes unavailable on the network.

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Thu, 2 Dec 2010 10:39:56 +1100
My first point of call would be the event logs available on the server - so fire up Event Viewer and look for any forensic information there. Some applications allow you to increase the verbosity of their logging, sometimes called a debug level, that will help pinpoint events leading to the crash.

While Wireshark might help you understand whether network traffic triggered the crash, the reality is that applications *should* be written to handle any network traffic cleanly. TCP segments arriving out of sequence should be being handled by your IP stack. Applications that communicate via shared files usually need to incorporate good file and operation locking to ensure contention doesn't cause problems with multiple users.

If the server's shared drive disappears off of the network I really would have thought there would be a lot of events being reported by the Windows OS.

At the very least you can hope to bundle up some of your captures and file them with your application vendor so they can determine what is going on. 

Regards, Martin

MartinVisser99@xxxxxxxxx


On Thu, Dec 2, 2010 at 1:47 AM, Tim Lewis <Tim.Lewis@xxxxxxxxxxx> wrote:

I have a Windows Server that is hosting an application that the clients access via mapped drive.  The application data and executable both reside on the server.  At least once daily, the server will become unavailable.  The users can’t access the data, the app crashed and the server is not pingable.  The workstation is pingable throughout as are all other network nodes.

 

I did a packet capture on both the server and one of the workstations (they are using a non-managed switch, so I can’t set up a span session or anything).  From the server side I see the server re-sending a lot of data between itself and the client.  On the client side I see the client seeing the transmissions as out of sequence.

 

I have replaced the server’s patch cables, the switch and the NIC.

 

Any advice?




