This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need help in trying to figure out where packets are getting dropped

0

We have several remote sites connecting to a central location. Each remote site has its own file and print server hosted at the central location as virtual machines. Recently, we've been having problems pulling data from one of these servers (e.g., getting a directory listing containing large numbers of files and folders), but only from machines at the central site. Users at the remote site who have been assigned this particular server have not reported any problems. All other servers have been behaving fine, and I can't see how this one server is different from the others.

Captures near the server show normal behavior until it comes time to actually send the directory contents, then there are repeated attempts to transmit the data, followed by a [RST, ACK]. Captures near the machine browsing the directory show just the [RST, ACK]. I've done captures at various points in the intervening network and I think I've found the spot where it's not sending data any further, even though all other connectivity to this machine is fine (I'm using my workstation for testing).

At the last spot the retransmitted packets get to, the source and destination IPs seem correct, and the layer 2 info shows the source as being the switch at the remote site the packet came from, and the destination seems to be the MAC address associated with the VLAN that the browsing machine is a part of. Packets seem to be dropped somewhere around this point. Captures at the interface where the packets should leave to head to the browsing machine show everything but the retransmitted packets. Again, the machine doing the browsing has normal connectivity for all other things.

How can I find out why the packets are getting dropped?

asked 31 Jan '13, 09:15

pfisterfarm


One Answer:

0

> Users at the remote site who have been assigned this particular server have not reported any problems.

How do they access the server? Directly via CIFS/SMB or via a VMware View instance connected from the remote location? In general: Is the method used to access the server the same in the central location and the remote location?

> Packets seem to be dropped somewhere around this point.

Did you check if there are jumbo frames involved (check the size of the packets, captured "near" the faulty server)? Maybe one of your switches is dropping jumbo frames and thus causing trouble.

Regards
Kurt

answered 01 Feb '13, 09:57

Kurt Knochner ♦

edited 01 Feb '13, 09:58

Yes, it's directly with CIFS/SMB in both places.

The packet size when captured near the server end is 1514.

(04 Feb '13, 11:14) pfisterfarm
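
The two checks discussed in this thread (which frames vanish between two capture points, and whether the missing ones are oversized), as an added example that is not part of the original posts. It assumes each capture was exported with `tshark -T fields -E separator=, -e frame.len -e ip.id -e tcp.seq` with relative sequence numbers disabled; the sample rows and function names are constructed for illustration, and the size check goes beyond jumbo frames to any size cutoff on the path.

```python
import csv
import io
from collections import Counter

ETH_MAX = 1514  # 1500-byte MTU + 14-byte Ethernet header; larger frames are jumbo

# Constructed sample exports, one row per frame: frame.len,ip.id,tcp.seq
NEAR_SERVER = """\
243,0x1a01,1
182,0x1a02,190
1514,0x1a03,318
1514,0x1a04,1778
1514,0x1a05,318
1514,0x1a06,318
54,0x1a07,3238
"""
NEAR_CLIENT = """\
243,0x1a01,1
182,0x1a02,190
54,0x1a07,3238
"""

def parse(export):
    """Map each packet's (ip.id, tcp.seq) identity to its frame length."""
    packets = {}
    for length, ip_id, seq in csv.reader(io.StringIO(export.strip())):
        # A retransmission reuses tcp.seq but normally gets a fresh ip.id,
        # so the pair identifies one packet on the wire.
        packets[(ip_id, int(seq))] = int(length)
    return packets

def summarize(upstream, downstream):
    """Compare two capture points and relate the losses to frame size."""
    up, down = parse(upstream), parse(downstream)
    lost = {k: n for k, n in up.items() if k not in down}
    delivered = [n for k, n in up.items() if k in down]
    largest_delivered = max(delivered, default=0)
    return {
        "lost_by_size": dict(Counter(lost.values())),
        "retransmissions_lost": len(lost) - len({seq for _, seq in lost}),
        "jumbo_lost": sum(1 for n in lost.values() if n > ETH_MAX),
        "largest_delivered": largest_delivered,
        # True when every lost frame is bigger than every delivered one.
        "size_dependent": bool(lost) and min(lost.values()) > largest_delivered,
    }

if __name__ == "__main__":
    for key, value in summarize(NEAR_SERVER, NEAR_CLIENT).items():
        print(f"{key}: {value}")
```

Run it pairwise over adjacent capture points; the first pair that reports losses brackets the device to inspect.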