This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

First of all, let me say that I am not network trained at all. So, I am in way over my head.

We have a server that a learner was accessing to take an assessment. The learner says that the assessment hung up and wouldn't do anything. I happened to be running some Wireshark captures at the time. I thought that I was figuring some stuff out, but I've just been blown away.

The capture data is below this description.

The 199 ip is the server and the 173 ip is the client's browser. As you can see, the client makes several requests for images, javascript, etc and the server replies accordingly. Then on line number 49307, the learner has gotten fed up and restarted the test.

I'm wondering if anyone can look at the capture below and tell me (hopefully in layman's terms) what the problem might be.

Thanks, here is the capture:

No. Time Source Destination Protocol Length Info
47608 2012-11-15 11:45:09.145673 173.227.155.230 199.185.13.61 HTTP 484 GET /htm/images/treeimg/folder_closed_bc.gif HTTP/1.1
47609 2012-11-15 11:45:09.145792 199.185.13.61 173.227.155.230 HTTP 300 HTTP/1.1 304 Not Modified
47616 2012-11-15 11:45:09.176746 173.227.155.230 199.185.13.61 HTTP 478 GET /htm/images/treeimg/example_gc.gif HTTP/1.1
47617 2012-11-15 11:45:09.176878 199.185.13.61 173.227.155.230 HTTP 300 HTTP/1.1 304 Not Modified
47618 2012-11-15 11:45:09.190744 173.227.155.230 199.185.13.61 HTTP 484 GET /htm/images/treeimg/example_mastered.gif HTTP/1.1
47622 2012-11-15 11:45:09.190859 199.185.13.61 173.227.155.230 HTTP 300 HTTP/1.1 304 Not Modified
47623 2012-11-15 11:45:09.199225 173.227.155.230 199.185.13.61 HTTP 472 GET /htm/images/treeimg/quiz.gif HTTP/1.1
47624 2012-11-15 11:45:09.199334 199.185.13.61 173.227.155.230 HTTP 300 HTTP/1.1 304 Not Modified
47628 2012-11-15 11:45:09.212121 173.227.155.230 199.185.13.61 TCP 60 22601 > http [RST, ACK] Seq=3341 Ack=1729 Win=0 Len=0
47629 2012-11-15 11:45:09.212313 173.227.155.230 199.185.13.61 TCP 60 62028 > http [RST, ACK] Seq=3375 Ack=1729 Win=0 Len=0
47630 2012-11-15 11:45:09.212537 173.227.155.230 199.185.13.61 TCP 60 22602 > http [RST, ACK] Seq=3288 Ack=3112 Win=0 Len=0
47631 2012-11-15 11:45:09.212761 173.227.155.230 199.185.13.61 TCP 60 44619 > http [RST, ACK] Seq=2428 Ack=11530 Win=0 Len=0
47632 2012-11-15 11:45:09.214457 173.227.155.230 199.185.13.61 TCP 60 22600 > http [FIN, ACK] Seq=1638 Ack=751 Win=64936 Len=0
47633 2012-11-15 11:45:09.214467 199.185.13.61 173.227.155.230 TCP 54 http > 22600 [ACK] Seq=997 Ack=1639 Win=29696 Len=0
47634 2012-11-15 11:45:09.214536 173.227.155.230 199.185.13.61 TCP 60 22583 > http [RST, ACK] Seq=3344 Ack=1735 Win=0 Len=0
47668 2012-11-15 11:45:09.349561 173.227.155.230 199.185.13.61 TCP 60 22600 > http [RST, ACK] Seq=1639 Ack=997 Win=0 Len=0
49283 2012-11-15 11:45:22.980033 173.227.155.230 199.185.13.61 TCP 66 46146 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1428 WS=4 SACK_PERM=1
49284 2012-11-15 11:45:22.980049 199.185.13.61 173.227.155.230 TCP 66 http > 46146 [SYN, ACK] Seq=0 Ack=1 Win=17136 Len=0 MSS=1460 WS=1 SACK_PERM=1
49285 2012-11-15 11:45:22.980161 173.227.155.230 199.185.13.61 TCP 66 44097 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1428 WS=4 SACK_PERM=1
49286 2012-11-15 11:45:22.980190 199.185.13.61 173.227.155.230 TCP 66 http > 44097 [SYN, ACK] Seq=0 Ack=1 Win=17136 Len=0 MSS=1460 WS=1 SACK_PERM=1
49303 2012-11-15 11:45:23.084480 173.227.155.230 199.185.13.61 TCP 60 46146 > http [ACK] Seq=1 Ack=1 Win=65688 Len=0
49304 2012-11-15 11:45:23.084573 199.185.13.61 173.227.155.230 TCP 54 [TCP Window Update] http > 46146 [ACK] Seq=1 Ack=1 Win=29696 Len=0
49305 2012-11-15 11:45:23.084608 173.227.155.230 199.185.13.61 TCP 60 44097 > http [ACK] Seq=1 Ack=1 Win=65688 Len=0
49306 2012-11-15 11:45:23.084734 199.185.13.61 173.227.155.230 TCP 54 [TCP Window Update] http > 44097 [ACK] Seq=1 Ack=1 Win=29696 Len=0
49307 2012-11-15 11:45:23.085857 173.227.155.230 199.185.13.61 HTTP 637 POST / HTTP/1.1 (application/x-www-form-urlencoded) Line-based text data: application/x-www-form-urlencoded REQUEST=658&resumesession=true&groupID=1&submit=Click+here+to+start+your+training.&loginID=42687&contentID=70&sytm=LMS
49308 2012-11-15 11:45:23.101752 199.185.13.61 173.227.155.230 TCP 254 [TCP segment of a reassembled PDU]
49309 2012-11-15 11:45:23.101762 199.185.13.61 173.227.155.230 TCP 1482 [TCP segment of a reassembled PDU]
49310 2012-11-15 11:45:23.101767 199.185.13.61 173.227.155.230 HTTP 591 HTTP/1.1 200 OK (text/html)

asked 15 Nov '12, 13:48

Dana

can you post the trace on www.cloudshark.org and tell us the link? Way easier than reading a text export...

(15 Nov '12, 14:18) Jasper ♦♦

Hi Jasper,

Sorry for the delay. I had to figure out how to chop the capture down. My captures are 50 meg.

You can see it here: http://www.cloudshark.org/captures/cb747e499e3a

Thanks

(15 Nov '12, 14:37) Dana

Sorry. I forgot to mention that I think that the relevant line numbers are: 47608 - 49310

Thanks again,

Dana

(15 Nov '12, 14:40) Dana

Right click on a packet you want to show - Follow TCP stream, then save only shown packets and upload.

(15 Nov '12, 16:37) xpeh

Hi xpeh,

I did as you suggested. It shows several get requests being responded to and then the browser sends what I guess is a reset. I'm not sure how helpful this capture is. I thought that the communication after the reset would be required, but they weren't included in the follow TCP stream.

You can get to it here: http://www.cloudshark.org/captures/d49fc6b9f133

Thanks,

Dana

(16 Nov '12, 07:38) Dana

The only thing you can see in your capture file is this:

  • in frames #80-#83 and #86-#87, the client closes 6 different TCP connections with a TCP Reset and one connection with a FIN (#85). The reason for that is not indicated. One reason could be that the user closed the application and restarted it. I conclude that from the first SYN (after 13-14 seconds) in frame #88, which could be the time the user needed to restart the application.

So, unfortunately there is no sign at all in the posted capture file regarding any 'hanging' of the server.

Regards
Kurt

answered 18 Nov '12, 14:44

Kurt Knochner ♦

edited 18 Nov '12, 14:46

Thanks Kurt. The explanation makes sense and has given me some information that gives me some more insight into how TCP communication takes place. Obviously, I have much to learn.

Dana

(18 Nov '12, 18:44) Dana
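
The reading given in the answer (client-side resets, then a pause before the next SYN) can be checked directly against the text export in the question. The following Python is an added example, not part of the original thread: the function names are hypothetical, and the rows are a subset copied from the question's export, so frame numbers are those of the export rather than of the trimmed CloudShark capture.

```python
import re
from datetime import datetime

# Subset of rows copied from the text export in the question (header removed).
EXPORT = """\
47624 2012-11-15 11:45:09.199334 199.185.13.61 173.227.155.230 HTTP 300 HTTP/1.1 304 Not Modified
47628 2012-11-15 11:45:09.212121 173.227.155.230 199.185.13.61 TCP 60 22601 > http [RST, ACK] Seq=3341 Ack=1729 Win=0 Len=0
47632 2012-11-15 11:45:09.214457 173.227.155.230 199.185.13.61 TCP 60 22600 > http [FIN, ACK] Seq=1638 Ack=751 Win=64936 Len=0
47668 2012-11-15 11:45:09.349561 173.227.155.230 199.185.13.61 TCP 60 22600 > http [RST, ACK] Seq=1639 Ack=997 Win=0 Len=0
49283 2012-11-15 11:45:22.980033 173.227.155.230 199.185.13.61 TCP 66 46146 > http [SYN] Seq=0 Win=8192 Len=0 MSS=1428 WS=4 SACK_PERM=1
49284 2012-11-15 11:45:22.980049 199.185.13.61 173.227.155.230 TCP 66 http > 46146 [SYN, ACK] Seq=0 Ack=1 Win=17136 Len=0 MSS=1460 WS=1 SACK_PERM=1
"""

# No., date + time, source, destination, protocol, length, info
ROW = re.compile(r"^(\d+) (\S+ \S+) (\S+) (\S+) (\S+) (\d+) (.*)$")
# TCP flag list such as "[RST, ACK]"; "[TCP Window Update]" does not match.
FLAGS = re.compile(r"\[([A-Z, ]+)\]")

def parse(text):
    """Yield (frame, time, src, flags) for each packet row of the export."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header lines and blanks carry no frame number
        frame, ts, src, _dst, _proto, _length, info = m.groups()
        f = FLAGS.search(info)
        flags = set(f.group(1).split(", ")) if f else set()
        yield int(frame), datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), src, flags

def summarize(text):
    """Count RST/FIN packets per sender and find the longest silent gap."""
    closes, gap, prev = {}, (0.0, None), None
    for frame, ts, src, flags in parse(text):
        if flags & {"RST", "FIN"}:
            per_host = closes.setdefault(src, {"RST": 0, "FIN": 0})
            per_host["RST" if "RST" in flags else "FIN"] += 1
        if prev is not None:
            delta = (ts - prev).total_seconds()
            if delta > gap[0]:
                gap = (delta, frame)  # frame that ends the silence
        prev = ts
    return closes, gap

if __name__ == "__main__":
    closes, (seconds, frame) = summarize(EXPORT)
    print(closes)
    print(f"longest gap: {seconds:.3f}s, ended by frame {frame}")
```

Every teardown packet in the sample comes from the 173 address (the client), and the longest silence ends at the client's next SYN, which matches the answer's observation that nothing in the capture points at the server.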

question asked: 15 Nov '12, 13:48

question was seen: 2,884 times

last updated: 18 Nov '12, 18:44
