This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

HI, I am facing a very strange issue. After a successful TCP Handshake, client sends an HTTP Request. Server received it, and responded with a HTTP 100 Continue and right after with a HTPP 200 OK.

But on the client, the Continue doesn't arrive. Instead, only a TCP packet arrives acknowledging the fist HTTP request with the right SEQ,ACK. (The normal flow would be receiving the HTTP 100 with the right SEQ,ACK).

Client then waits for 1sec and sends a FYN, which is correctly negotiated with the server.

This cycle continues for 5 or so rounds, until finally the Continue arrives and the client gets the right info from the server.

I suspect something on the network (WAAS or FW) are tampering with the packets.

How can i troubleshoot?

asked 07 Oct '12, 10:58

ctxsvc's gravatar image

ctxsvc
31224
accept rate: 33%


It was the Cisco WAAS, we disabled it and HTTP didnt fail.

we dont know what was the WAAS doing though.

permanent link

answered 12 Oct '12, 15:23

ctxsvc's gravatar image

ctxsvc
31224
accept rate: 33%

Ideally you would have to capture from the server and client side and compare traces

permanent link

answered 07 Oct '12, 11:54

thetechfirm's gravatar image

thetechfirm
64116
accept rate: 0%

HI thetechfirm,

thanks for the reply.

That is what i did, i compared the traces on the laptop and on the server. That is how i know HTTP responses are leaving the server but not reaching the client laptop.

My problem, i think, is that there are so many devices in the middle that i loose visibility.

I know that packets arrive to the server with a Public IP, and that could be a Cisco FW or ASA doing NATs and who knows what else.

brgrds

(07 Oct '12, 12:08) ctxsvc

You'll need to move your capture point along the path until you find the device that's dropping or modifying packets. Continue to capture at the server, but move your downstream capture point from the laptop towards the server one device at a time. As soon as you see that all the HTTP 100 Continue packets that leave the server are captured at the other capture point, you know that you've just moved upstream of the device that's dropping the packets.

When you think you've found the responsible device, confirm by capturing on each side of that device.

permanent link

answered 07 Oct '12, 12:30

Jim%20Aragon's gravatar image

Jim Aragon
7.2k733118
accept rate: 24%

HI Jim,

totally agree. I will start placing laptops closer to the server.

From your experience, what is a good way to set this up in an enterprise cisco environent? Putting a PC running wireshark connected to the destination port of a SPAN session configured on a switch or its variants ( RSPAN and ERSPAN)?

Any other good tool? I heard Riverbed has a TurboPCAP network card on some software too.

brgrds

(07 Oct '12, 13:42) ctxsvc

I agree with Jim.

(07 Oct '12, 13:49) thetechfirm
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×293
×4
×1

question asked: 07 Oct '12, 10:58

question was seen: 3,895 times

last updated: 12 Oct '12, 15:23

p​o​w​e​r​e​d by O​S​Q​A