There is an application which runs smoothly but, during random intervals, the application fails. There is nothing in the servers or application and the problem is directed towards the network with a Wireshark capture. I give below some of the captured packets and am hoping that some clues would be posted through this forum as I am unfamiliar with interpreting the output.
asked 08 May '12, 17:16 NizamSri edited 09 May '12, 02:08 grahamb ♦
2 Answers:
Sorry buddy, but what you are looking for is serious network consulting / analysis. This Q&A is dedicated to people having specific questions about Wireshark and/or network analysis and everybody here answers on his own time, so sorry for making that statement. From your point saying that you're "unfamiliar with interpreting the output", you should either get help by hiring someone doing network analysis or start looking at several good websites/tutorials on how to get started with Wireshark. If you have a specific question regarding the output of your sniffer, feel free to ask it here again. Oh BTW: Give me two cents for every time I heard "There is nothing wrong with server/application, it MUST be the network"; you'd better not rely on this unless you found a network-based problem ;) answered 09 May '12, 01:01 Landi
I second what Landi said, and would like to ask: how do you know the problem is within the few packets you provided? Anyway, there is one message that calls for trouble: 'TCP Port numbers reused'. However, based on the few samples you posted, no further analysis is possible. Please ask your application developers why the application (or the OS) is re-using TCP ports and if that could cause any trouble. So, maybe it's not the network, but rather the application (or OS) ;-)) Regards answered 09 May '12, 01:08 Kurt Knochner ♦ edited 09 May '12, 02:27
Also look at any device that performs NATting or load balancing (which basically is NATting as well). These devices might be re-using port numbers too quickly too.
It could also be that your trace is just very large (I see 700K+ packets) and the port number rotation is not a problem at all.
As said before, network analysis is not a triviality that can be done on a couple of packets. For specific questions (like "What does [TCP port numbers reused] mean?") you can always ask here. If you want your problem analyzed for you, you can always hire someone (even people from here) to do it for you.
Thanks for the comments. This is only a portion of the capture and the rest of it also looks similar. This does not have NATting or load balancing and goes through only an ASA fw which has the default config for the traffic. It too does not show any anomaly. The breakdown happens intermittently and no packet drop is observed during those times. But there are malformed packets throughout the capture. rgds - NizamSri
Ah, a firewall...
Well, let's go back to the 'TCP Port numbers reused' message. If that is really a problem (and not just caused by the large capture file), then your firewall might occasionally drop single connection requests if the port reuse is too fast. This usually happens when there is still a connection record in the firewall's state table. So, I suggest looking for unanswered SYN packets (firewall drop) and/or for TCP RESET (firewall reject) in the capture file.
See here (and others in the forum) to find unanswered SYNs.
http://ask.wireshark.org/questions/10640/how-to-find-syn-not-followed-by-a-synack?page=1#10641
Regards
Kurt
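The three things Kurt suggests checking (unanswered SYNs, SYNs answered with a RST, and a new SYN on a 4-tuple whose earlier connection was never seen closing, which is what triggers Wireshark's "TCP Port numbers reused" message) can be scripted over a packet summary. The following is an added example, not code from the thread or from Wireshark; the packet lines, hosts and ports are constructed, and the input format (time, src, sport, dst, dport, flags) is an assumption modelled on the kind of per-packet field list `tshark -T fields` can export.

```python
"""Scan TCP packet summaries for the symptoms discussed in this thread:
SYNs that never get a SYN/ACK (candidate firewall drop), SYNs answered with a
RST (candidate firewall reject), and a new SYN on a client 4-tuple that is still
open from the capture's point of view (port reuse). Constructed sample data;
hypothetical hosts 10.0.0.5 (client) and 10.0.1.9 (server)."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "t src sport dst dport flags")

# Constructed sample, one packet per line: time src sport dst dport flags.
# Flags: S = SYN, SA = SYN/ACK, A = ACK, R = RST, F = FIN.
SAMPLE = """\
0.000  10.0.0.5 50001 10.0.1.9 443 S
0.001  10.0.1.9 443   10.0.0.5 50001 SA
0.002  10.0.0.5 50001 10.0.1.9 443 A
1.000  10.0.0.5 50002 10.0.1.9 443 S
4.000  10.0.0.5 50002 10.0.1.9 443 S
7.000  10.0.0.5 50002 10.0.1.9 443 S
9.000  10.0.0.5 50003 10.0.1.9 443 S
9.001  10.0.1.9 443   10.0.0.5 50003 R
12.000 10.0.0.5 50001 10.0.1.9 443 S
12.001 10.0.1.9 443   10.0.0.5 50001 SA
"""


def parse(text):
    """Turn the whitespace-separated summary lines into Pkt records."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, flags = line.split()
        pkts.append(Pkt(float(t), src, int(sport), dst, int(dport), flags))
    return pkts


def analyse(pkts, syn_timeout=3.0):
    """Return unanswered SYNs, RST-answered SYNs and port-reuse events.

    Every key is the client-side 4-tuple (src, sport, dst, dport) of the SYN.
    A SYN counts as unanswered only if no SYN/ACK or RST followed it and at
    least syn_timeout seconds of capture remained after it, so a SYN right at
    the end of the trace is not flagged.
    """
    open_syn = {}        # client tuple -> time of first SYN awaiting a reply
    established = set()  # client tuples whose handshake completed, not yet closed
    unanswered, rejected, reused = [], [], []
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        rkey = (p.dst, p.dport, p.src, p.sport)  # tuple as seen from the peer
        if p.flags == "S":
            if key in established:
                # New SYN while the previous connection on this tuple never closed:
                # this is the situation behind "TCP Port numbers reused".
                reused.append((p.t, key))
                established.discard(key)
            # A retransmitted SYN keeps the timestamp of the first attempt.
            open_syn.setdefault(key, p.t)
        elif p.flags == "SA" and rkey in open_syn:
            del open_syn[rkey]
            established.add(rkey)
        elif "R" in p.flags:
            if rkey in open_syn:
                rejected.append((p.t, rkey))  # SYN answered with RST
                del open_syn[rkey]
            established.discard(key)
            established.discard(rkey)
        elif "F" in p.flags:
            established.discard(key)
            established.discard(rkey)
    last = pkts[-1].t if pkts else 0.0
    for key, t0 in open_syn.items():
        if last - t0 >= syn_timeout:
            unanswered.append((t0, key))
    return {"unanswered_syn": unanswered, "rejected_syn": rejected,
            "port_reuse": reused}


if __name__ == "__main__":
    for kind, events in analyse(parse(SAMPLE)).items():
        for t, key in events:
            print(f"{kind:15s} t={t:7.3f} {key[0]}:{key[1]} -> {key[2]}:{key[3]}")
```

On the constructed sample this reports port 50002 as an unanswered SYN (three attempts, no reply), port 50003 as rejected by a RST, and port 50001 as reused at t=12.000. In Wireshark itself the same three checks map onto the expert-info filters: `tcp.analysis.reused_ports` for the reuse message, a SYN-without-ACK filter as in the linked question for unanswered SYNs, and `tcp.flags.reset == 1` for the rejects; the script's `syn_timeout` is a constructed threshold, so tune it to the client's SYN retransmission interval before trusting the unanswered list.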