This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to detect a broken pipe using wireshark packet traces?

0

I am getting a broken pipe socket error, most probably the other end is not closing the connection because the other end timeout later when it does not receive any packets. How can I find this by looking at packet trace. In case if the other end(destination) is closing the connection, should I see rst message at point of failure. If a firewall is causing broken pipe, How to identify that in packet traces. If something is causing a broken pipe. How to identify the cause?

I am very new to using wireshark. I am not looking for exact solution to this problem. I will be glad to receive any suggestion which might help me to inch closer to solving this issue.

asked 13 Sep '12, 11:44

wireshark_shisya's gravatar image

wireshark_sh...
1114
accept rate: 0%

edited 13 Sep '12, 13:39

I am getting a broken pipe socket error,

where do you get that error message?

(17 Sep '12, 13:03) Kurt Knochner ♦

Hi Kurt, write system call returns -1 and when I read the errno, I see 32 (broken pipe).

(17 Sep '12, 13:17) wireshark_sh...

One Answer:

1

Hi Kurt, write system call returns -1 and when I read the errno, I see 32 (broken pipe).

O.K. that could mean, you're trying to write to a local socket that has been closed. So now, you need to figure out why the socket was closed. There are several reasons:

  1. the remote end closed it with a RST or FIN
  2. the OS closed it due to some timeout
  3. your code closed it, due to a bug
  4. the OS closed it due to resource exhaustion (rather unlikely)

Cause 1.:
You should see a FIN or RST in the network capture, coming from the remote end.

Cause 2.:
You should should see a FIN or RST, coming from your local machine (depends on the OS settings). Is there a longer period of inactivity when you try to write to the socket?

Cause 3.:
Well, start a debugger ;-)

Cause 4.:
Even harder to detect. If you're lucky, you'll see a FIN or RST in the network capture.

Regards
Kurt

answered 17 Sep '12, 13:33

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hello Kurt, Thanks for responding. In cause 4, why do you say if lucky, I will see a FIN or RST in the network capture.

(17 Sep '12, 13:37) wireshark_sh...

because if the OS runs into a resource exhaustion, you never know how it reacts, unless you study the source code of that specific OS ;-)

(17 Sep '12, 13:49) Kurt Knochner ♦

plus some staff to Case1

if see sever RSF or FIN to client, we need to found the reason it case closing..

Today I found a case that client send or connect too slow, so server side timeout, then FIN/RST to client...

Then we see broken pipe, it's maybe helpful to others ^ ^

(09 Apr '15, 06:52) robi