This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

help with deciphering log….router crash issue

0

I'm about out of hair to pull out. We are having an issue with our router (internally crashing, which drops our internet). It's been replaced 3x, and the last time with a totally diff style router. They say it's on our end, which at this point I agree with. Sometimes it's 10-15x a day, sometimes it's never. Not sure where to even start, figured packets was a good start. The router is 192.168.1.254. I even moved switch ports to see if that was it.

I was able to run a capture when it dropped, but honestly couldn't tell you what all this means in the logs. Willing to toss some money if the problem can be found in the log.

Here is the log (hopefully I logged correctly lol):

It's about 40 MB (link removed by me)

asked 08 Mar '13, 10:27

slothy

edited 11 Mar '13, 11:41


2 Answers:

1

> It's about 40 MB (link removed by me)

Can you please add the link again? Maybe it's a malformed IP packet that leads to the router crash!?

Another possibility would be some 'instability' in the power supply (not enough voltage). Did you check that?

Regards
Kurt

answered 11 Mar '13, 23:47

Kurt Knochner ♦

https://www.dropbox.com/s/squeulsr9hadoc3/test_00007_20130308124320

I moved the router to a new power outlet to check yesterday. The weird thing is Comcast says they don't see it drop on their end, but it shows up in remote web log in UI.

(13 Mar '13, 07:33) slothy
2

I don't see any "general" problem. Without information about the time stamp where you observed the problem, it's hard to analyze it. Can you please add the time stamp?

HOWEVER: What I found is a problem with DNS queries, beginning at frame 39993 (Display filter: dns.flags.rcode == 2). Your DNS server (192.168.1.4) responds with 'server error'.

So maybe your problem is not related to the internet router but rather to DNS resolving. Is there any forwarder configured on your DNS server 192.168.1.4? If so, please try to use a different DNS server, e.g. Google DNS: 8.8.8.8.

(13 Mar '13, 16:34) Kurt Knochner ♦
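
Added example, not part of the original thread: the display filter `dns.flags.rcode == 2` selects DNS responses whose header RCODE is 2 (SERVFAIL), and this sketch does the same check on raw DNS payloads, grouping failures by responding server. The packet list is constructed sample data using the two addresses mentioned above; the query names and the helper names are assumptions.

```python
import struct
from collections import Counter, defaultdict

RCODE_SERVFAIL = 2  # value matched by the display filter dns.flags.rcode == 2

def build_dns(txid, qname, response, rcode):
    """Build a minimal DNS message with one A/IN question (for constructed samples)."""
    flags = (0x8000 if response else 0) | 0x0100 | (rcode & 0x000F)  # QR, RD, RCODE
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)

def parse_dns(payload):
    """Return (is_response, rcode, qname), or None if the message is malformed."""
    if len(payload) < 12:
        return None  # shorter than the fixed 12-byte DNS header
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    labels, pos = [], 12
    while qdcount:
        if pos >= len(payload):
            return None  # name runs past the end of the payload
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0 or pos + 1 + length > len(payload):
            return None  # compression pointer or truncated label
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return bool(flags & 0x8000), flags & 0x000F, ".".join(labels)

def servfail_by_server(packets):
    """Map responder IP -> Counter of query names answered with SERVFAIL."""
    failures = defaultdict(Counter)
    for src_ip, payload in packets:
        parsed = parse_dns(payload)
        if parsed and parsed[0] and parsed[1] == RCODE_SERVFAIL:
            failures[src_ip][parsed[2]] += 1
    return dict(failures)

# Constructed sample: (source IP, UDP payload). Query names are placeholders.
SAMPLE = [
    ("192.168.1.51", build_dns(1, "example.com", False, 0)),
    ("192.168.1.4", build_dns(1, "example.com", True, 2)),
    ("192.168.1.4", build_dns(2, "example.org", True, 2)),
    ("192.168.1.4", build_dns(3, "intranet.example", True, 0)),
    ("192.168.1.4", build_dns(4, "example.com", True, 2)),
    ("192.168.1.4", b"\x00\x05\x81"),  # truncated payload, skipped
]

if __name__ == "__main__":
    for server, names in servfail_by_server(SAMPLE).items():
        print(server, dict(names))
```
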

Funny you say that - I fixed that after I logged - was having some DNS/slow issues.

I had an issue with SSL certs and had to rerun the SBS config, and I guess it deletes that from DNS for some reason. Good eye!

(14 Mar '13, 06:51) slothy

And for the time stamp, not sure how to do that, and my little piece of paper I had the drop time written down on, looks like the cleaning people, well, cleaned it off my desk... :(

(14 Mar '13, 07:06) slothy

So I think I found my needle in the haystack yesterday. Walking past the server room, from the corner of my eye I saw the switches flicker a sec. Investigated it: they and the router are plugged into a power strip which is plugged into our older UPS. When I switched outlets, I plugged into the other strip, which, well, is plugged into our old UPS also........ Logged into the router and sure enough it's rebooted about the same time. So I moved the strip to our newer UPS and haven't had a drop yet - wondering if the power loss for a millisec is enough to reboot the router internally and not the link.

(15 Mar '13, 09:04) slothy
1

as I suggested, an unstable power supply... ;-)

(19 Mar '13, 06:35) Kurt Knochner ♦

The weird thing is, Comcast doesn't show a drop on their end, which is why I figured when I switched power outlets that was the issue. But thanks again 10000x Kurt for your help!

(20 Mar '13, 06:33) slothy

> But thanks again 10000x Kurt for your help!

You're welcome.

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions.

(20 Mar '13, 09:20) Kurt Knochner ♦

2

Wireshark is a great tool, but I don't think it's the place to start in this case. I'd start with the router. I'd bring in someone who is expert with your model of router; someone who can look at the router logs, who can read the various performance counters, and who can use the router's built-in debugging features. If this is a high-end commercial router, then it will have a lot of troubleshooting and debugging features. If it's a SOHO class router, well, then it probably won't have much.

As far as the traffic you captured, I don't think we're seeing the whole picture. It looks like you ran Wireshark on 192.168.1.51. Almost all of the traffic through the router is to/from 192.168.1.51. Only 279 of the 41,583 frames are IP packets through the router from an internal host other than 192.168.1.51, and then only the outbound traffic was captured, so we only see half of the conversation.

See the Capture Setup page on the Wireshark wiki for information on capturing on a switched Ethernet network.

answered 08 Mar '13, 19:34

Jim Aragon

Ya, it's a SOHO (Comcast) - I'll read up on the capture setup, and even give Comcast a call and see if there is a way for them to turn on debugging.

Thank you for your help!!

(11 Mar '13, 11:39) slothy