This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote server not responding

0

Hi

I have a Windows 2008 server running a bespoke app that needs to speak to a vendor server named vendor.domain.com on the Internet on port 443.

Unfortunately, the application is not working - the vendor says that it's because our server can't speak with vendor.domain.com.

If I ping vendor.domain.com from the server, then I get "request timed out", although it does resolve to 66.9.37.193 (example).

I'm pretty sure that the vendor server, or something along the way, is dropping the ping because ICMP is not allowed.

I've got a Wireshark trace of the ping to 66.9.37.193 from the server - what should I be looking for to prove that the pings are being dropped?

asked 27 Sep '12, 14:19

Harrydolan


One Answer:

1

If the vendor is dropping (instead of "rejecting") your ICMP Echo Request packets you have no way of proving that he does that, because unlike a reject you'll not see an "ICMP Communication Prohibited" coming back.

If I were you I'd do a simple test... open a web browser on the server, and have it connect to https://vendor.domain.com (or http://vendor.domain.com:443) while Wireshark is running. If you see a TCP Three Way Handshake to the vendor's IP, the route is working and the port is open.

answered 27 Sep '12, 14:27

Jasper ♦♦

Hello Jasper

Thanks for answering!!

I am actually fairly new to Wireshark and trying to learn best how it works :-)

I can indeed reach https://vendor.domain.com - but how do I see the 3 way handshake in Wireshark, what steps do I need to follow or code to enter in the bar to see this conversation only?

(27 Sep '12, 15:00) Harrydolan

Also, how can I see if the vendor is actually Rejecting the ICMP packet, what can I look for in WS?

(27 Sep '12, 15:02) Harrydolan

Filter on the IP address of the vendor by entering "ip.addr==66.9.37.193" into the filter bar. Then take a look if you see any packet coming back to your IP. If he's rejecting your packets you might see an "ICMP destination unreachable" packet with the subtype of "communication prohibited" (which you can see if looking at the ICMP layer inside the packet).

The Three Way Handshake would be the TCP Packet sequence "SYN - SYN/ACK - ACK". Take a look at the TCP flags to see if you got any of those packets. "SYN" is your outgoing connection request, "SYN/ACK" would be the vendor's "good" answer.

(27 Sep '12, 15:29) Jasper ♦♦
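
The checks described in the last comment, written out as an added example (not part of the original thread): it reads raw IPv4 packets and reports whether a ping was answered, whether an ICMP destination unreachable with a "prohibited" code (9, 10 or 13) came back, and whether SYN - SYN/ACK - ACK appears in order. The function names, the server address 192.0.2.10, the router address 198.51.100.1 and the sample packets are constructed for illustration; the example also goes one step further than the thread by matching the reject on the IP header quoted inside the ICMP error, since a device on the path can send it.

```python
import socket
import struct

SERVER, VENDOR = "192.0.2.10", "66.9.37.193"  # SERVER is constructed; VENDOR is the question's example

def ipv4(src, dst, proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

def tcp(flags, sport=49152, dport=443):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)

def icmp(kind, code, quoted=b""):
    return struct.pack("!BBHI", kind, code, 0, 0) + quoted

def events(packets, server, vendor):
    """Yield a label for each packet that says something about reaching `vendor`."""
    for pkt in packets:
        body, proto = pkt[(pkt[0] & 0x0F) * 4:], pkt[9]
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        if proto == 6 and {src, dst} == {server, vendor}:
            flags = body[13] & 0x16  # keep only SYN (0x02), RST (0x04), ACK (0x10)
            name = "RST" if flags & 0x04 else {0x02: "SYN", 0x12: "SYN/ACK", 0x10: "ACK"}.get(flags)
            if name:
                yield ("out " if src == server else "in ") + name
        elif proto == 1 and dst == server and body[0] == 3 and len(body) >= 28:
            # Destination unreachable quotes the original IP header; a router on the
            # path may send it, so match on the quoted destination, not the sender.
            if socket.inet_ntoa(body[24:28]) == vendor:
                yield "prohibited" if body[1] in (9, 10, 13) else "unreachable"
        elif proto == 1 and (src, dst, body[0]) == (server, vendor, 8):
            yield "out echo"
        elif proto == 1 and (src, dst, body[0]) == (vendor, server, 0):
            yield "in echo-reply"

def verdict(packets, server=SERVER, vendor=VENDOR):
    ev = list(events(packets, server, vendor))
    steps = iter(ev)  # handshake steps must appear in this order; retransmits may sit between
    return {
        "ping_answered": "in echo-reply" in ev,
        "reject_seen": "prohibited" in ev,
        "handshake": all(s in steps for s in ("out SYN", "in SYN/ACK", "out ACK")),
    }

# Constructed traces (checksums left at zero): pings dropped while TCP 443 works, then a reject.
ECHO = ipv4(SERVER, VENDOR, 1, icmp(8, 0))
DROPPED = [ECHO, ECHO, ipv4(SERVER, VENDOR, 6, tcp(0x02)), ipv4(SERVER, VENDOR, 6, tcp(0x02)),
           ipv4(VENDOR, SERVER, 6, tcp(0x12, 443, 49152)), ipv4(SERVER, VENDOR, 6, tcp(0x10))]
REJECTED = [ECHO, ipv4("198.51.100.1", SERVER, 1, icmp(3, 13, ECHO[:28]))]
print(verdict(DROPPED), verdict(REJECTED))
```

A trace where `ping_answered` and `reject_seen` are both false shows only that no reply arrived; as the answer says, a silent drop leaves nothing in the capture to prove it.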