Wireshark-users: Re: [Wireshark-users] Using Wireshark for a DSL "link no surf" problem [UPDATE]

Date Prev · Date Next · Thread Prev · Thread Next
From: Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx>
Date: Wed, 02 Jul 2014 18:46:02 -0400
Just wanted to update the community on my problem (which has been resolved). It had nothing to do with PPPoE after all. It seems that my ISP, Megaputz/Megapath, changed the VPI/VCI numbers for my circuit from 0/35 (the default) to 0/40 and had set my DSL modem remotely. I suspect that Tier 1 tech support foolishly remotely reset my DSL modem to defaults without taking into consideration the VPI/VCI settings, thus completely knocking me offline. When Megaputz sent out a tech with a new DSL modem because the ISP's tech support Tier 1, Tier 2, NOC Operations Team and Network Engineer all insisted it was due to "CPE failure" (despite having sent them screenshots of the Broadxent/Innoband DSL modem's setup screens where the VPI/VCI settings were prominently displayed), he also couldn't connect until he noticed that the VPI/VCI was set to 0/40 instead of the new modem's 0/35 (it seems 0/35 is the factory default for most modems since the new and the old modem were from different manufacturers--ZyXEL versus Broadxent/Innoband, respectively). Once he set the VPI/VCI settings to 0/40 to match the circuit (I watched him like a hawk and he changed nothing else), I was back up instantly. Examining the setup screens of the old Broadxent/Innoband modem which Megaputz claimed to be defective, I noticed that its VPI/VCI was also set to 0/35. Since I had no admin passwords, that is not something I could have set or reset. And I didn't reset it to defaults myself.

This segues to my next question: Is there any way to use Wireshark to ascertain the VPI/VCI of the ATM circuit from the Layer 2 packets that were said to have been flowing? Or must I have specialized software or hardware to do this? I noticed that the rep had nothing more than his laptop connected via ethernet cable to the DSL modem when he noticed the different VPI/VCI settings on a possibly in-house-only software running on it.

On 6/19/14 03:36, Martin Visser wrote:
There seems to be a lot of contradicting answers on this thread. PPPoE
is used for authentication AND  link negotiation (ie providing IP
addresses) AND encapsulation. If you have a PPPoE modem in passthrough
(which is what it sounds you are doing), the modem is just pretty much
doing physical level translation between your DSL and Ethernet, and then
your router (normally) is establish the PPPoE session. If you aren't
able to capture traffic at the router and/or want to test locally you
can use a PPPoE client on a laptop, for instance, and which also can run
wireshark. Not sure what you have a available, but if you plug your
Windows laptop into your modem directly, and then run through the
Internet connection wizard (as per the example here -
http://www.tp-link.com.au/article/?faqid=339 ) while running Wireshark
you may have a better clue as to what is going on (or not).


Regards, Martin

MartinVisser99@xxxxxxxxx <mailto:MartinVisser99@xxxxxxxxx>


On 19 June 2014 16:14, Kok-Yong Tan <ktan@xxxxxxxxxxxxxxxxxxx
<mailto:ktan@xxxxxxxxxxxxxxxxxxx>> wrote:

    The service provider doesn't use DHCP to hand out my static IPs.  I
    was assigned them via an email.  The DHCP server is on the DSL modem
    (not the DSLAM) and it hands out a single IP address in the
    192.168.1.0/24 <http://192.168.1.0/24> private range, namely
    192.168.1.10.  This is known as out-of-band management and only used
    for accessing the DSL modem itself and nothing else.  The actual
    static addresses I'm assigned are in the public range while my DSL
    modem is supposedly set to bridging mode, i.e., it's not in the
    10.0.0.0/8 <http://10.0.0.0/8>, 172.16.0.0/12 <http://172.16.0.0/12>
    or 192.168.0.0/16 <http://192.168.0.0/16> ranges.

    --
    Reality Artisans, Inc. #   Network Wrangling and Delousing
    P.O. Box 565, Gracie Station #   Apple Certified Consultant
    New York, NY 10028-0019 #   Apple Consultants Network member
    <http://www.realityartisans.com <http://www.realityartisans.com/>>#
       Apple Developer Connection member
    Cell: (646) 327-2918#   Ofc: (212) 369-4876

    On Jun 18, 2014, at 21:02 , Frank Bulk <frnkblk@xxxxxxxxx
    <mailto:frnkblk@xxxxxxxxx>> wrote:

    If your service provider uses DHCP to hand out those “static” IPs,
    or their access gear allows that IP address to be entered (which
    is the case with our vendor’s gear), the access gear prevents
    someone else taking your static IP.____
    Frank____
    *From:*wireshark-users-bounces@xxxxxxxxxxxxx
    <mailto:wireshark-users-bounces@xxxxxxxxxxxxx> [mailto:wireshark-
    <mailto:wireshark->users-bounces@xxxxxxxxxxxxx
    <mailto:users-bounces@xxxxxxxxxxxxx>]*On Behalf Of*Kok-Yong Tan
    *Sent:*Wednesday, June 18, 2014 1:58 PM
    *To:*Community support list for Wireshark
    *Subject:*Re: [Wireshark-users] Using Wireshark for a DSL "link no
    surf" problem____
    __ __
    Yes, I understand why they gave me a /24 but with a /24, all it
    takes is for somebody else on the same subnet to accidentally (not
    intentionally or maliciously for obvious reasons) take my static
    IP and thus blow me out of the water without affecting them too
    much.  I had this happen once.  With a subnet between /24 and /30,
    they'd notice when their accidentally typo-ed IP address didn't
    work because it didn't match their gateway info. ____
    -- ____
    Reality Artisans, Inc. #   Network Wrangling and Delousing
    P.O. Box 565, Gracie Station #   Apple Certified Consultant
    New York, NY 10028-0019 #   Apple Consultants Network member
    <http://www.realityartisans.com
    <http://www.realityartisans.com/>>#   Apple Developer Connection
    member____
    Cell: (646) 327-2918#   Ofc: (212) 369-4876____
    __ __
    On Jun 18, 2014, at 10:59 , "Jamie O. Montgomery"
    <Jamie.Montgomery@xxxxxxxxxxxxx
    <mailto:Jamie.Montgomery@xxxxxxxxxxxxx>> wrote:____


    ____

        PPPoE is used for authentication. If you have a static IP,
        they know who has it and you don't need authentication. PPPoE
        would be the termination point for the address, but since it
        will reside on your firewall, the modem needs to bridge the
        dsl network to the Ethernet network on the public side if the
        firewall____
        __ __

        They give you a /24 because they'd be burning up more IPv4
        addresses giving you a smaller subnet. Other static IP
        customers use addresses in that subnet along with you. ____

        *Jamie Montgomery | Comporium*____

        Network Facilities Engineering | Engineering Associate II____

        www.comporium.com <http://www.comporium.com/>____

        jamie.montgomery@xxxxxxxxxxxxx
        <mailto:jamie.montgomery@xxxxxxxxxxxxx>____



        ____

        /The information contained in this e-mail message and any
        attachments thereto are confidential, privileged, or otherwise
        protected from disclosure, and are intended for the use of the
        individual or entity named above. Dissemination, distribution
        or copying of this message and any attachments by anyone other
        than the intended recipient, or an employee or agent
        responsible for delivering the message to the intended
        recipient, is prohibited. If you have received this
        communication in error, please immediately notify the sender
        by telephone or e-mail and destroy the original message,
        attachments, and all copies./____


        On Jun 18, 2014, at 1:34 PM, "Kok-Yong Tan"
        <ktan@xxxxxxxxxxxxxxxxxxx <mailto:ktan@xxxxxxxxxxxxxxxxxxx>>
        wrote:____

            No, the DSL modem is bridging, not routing.  I've been
            assigned two static IPs (although they've given me a /24
            net mask!!!) and my firewall is assigned one of them.  The
            firewall is connected directly to the DSL modem by Cat6
            patch cable.  The other IP is unused (I use it for testing
            VPN configurations).____
            __ __
            I'm not sure but since the Broadxent Briteport is a PPPoE
            modem, I assume PPPoE.  But the tech says that's not
            correct (WTF?).  And he can't explain what they use.
             Sigh.____
            -- ____
            Reality Artisans, Inc. ____
            #   Network Wrangling and Delousing
            P.O. Box 565, Gracie Station ____
            #   Apple Certified Consultant
            New York, NY 10028-0019 ____
            #   Apple Consultants Network member
            <http://www.realityartisans.com
            <http://www.realityartisans.com/>>____
            #   Apple Developer Connection member____
            Cell: (646) 327-2918____
            #   Ofc: (212) 369-4876____
            __ __
            On Jun 17, 2014, at 22:13 , Pedro Tumusok
            <pedro.tumusok@xxxxxxxxx <mailto:pedro.tumusok@xxxxxxxxx>>
            wrote:____


            ____

                Well if the tech can see stuff, its not what I thought
                might be the problem, which was PVC settings.____
                __ __
                But does your modem get an IP address, ie is it setup
                as a router or does your computer get the ip address?____
                Are you using PPPoA/PPPoE etc?____

                __ __

                On Wed, Jun 18, 2014 at 5:52 AM, Frank Bulk
                <frnkblk@xxxxxxxxx <mailto:frnkblk@xxxxxxxxx>> wrote:____

                    Some Comtrend modems can do a port mirror of the
                    WAN (DSL) side.

                    Frank____


                    -----Original Message-----
                    From:wireshark-users-bounces@xxxxxxxxxxxxx
                    <mailto:wireshark-users-bounces@xxxxxxxxxxxxx>
                    [mailto:wireshark-users-bounces@xxxxxxxxxxxxx
                    <mailto:wireshark-users-bounces@xxxxxxxxxxxxx>] On
                    Behalf Of Kok-Yong Tan
                    Sent: Tuesday, June 17, 2014 4:53 PM
                    To: Community support list for Wireshark
                    Subject: Re: [Wireshark-users] Using Wireshark for
                    a DSL "link no surf"
                    problem


                    > On Jun 17, 2014, at 14:28, Jaap Keuter
                    <jaap.keuter@xxxxxxxxx
                    <mailto:jaap.keuter@xxxxxxxxx>> wrote:
                    >
                    >> On 06/17/2014 08:42 PM, Kok-Yong Tan wrote:
                    >> Is it possible to use Wireshark to troubleshoot
                    a DSL "link no surf"
                    problem?  The ISP insists it's a CPE issue but the
                    problem only started
                    after their Tier 1 tech monkeyed with the DSLAM
                    and/or the CPE (remotely) in
                    some manner.  I find it suspicious that the
                    problem was intermittent packet
                    loss until they tinkered, whereupon the problem
                    became a "link no surf"
                    issue (i.e., there's Layer 2 connectivity but zero
                    Layer 3 traffic passing).
                    >
                    > Depends on what you can trace in the CPE, as in,
                    how close to the DSL
                    interface.
                    > Otherwise you'll need capture hardware on the
                    DSL....
                    >
                    > Good luck,
                    > Jaap
                    >

                    I can get up to the DSL modem itself.  In
                    hindsight, I'm thinking this isn't
                    going to be of much use and the only way to debug
                    this is with capture
                    hardware on the DSL side as you suggested.  Drat.


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature