This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hope someone can help, I'm pretty new to Wireshark and trying to get this figured out.

A little backstory on the install,

PC IP 10.23.1.122 Serial/IP Converters port:4660

I already have a serial to IP converter up and running on this job under the IP 10.23.1.120 and everything works great. Tried to add a second converter under 10.23.1.121 and it doesn't work but I can ping it and it responds. I've tried other IPs .118, .119, etc. and nothing.

I thought maybe it was a bad converter, swapped converters and no change, same problem.

Weird thing is if I disable the working IP converter, .120 and program the new converter to use .120 it works fine.

The network is being run by a Cisco ASA5505 so I contacted their IT support and he spent most of the day going through the firewall rules trying to find something that would block the ports internally and found nothing.

As a last ditch effort I bypassed their Cisco ASA5505 and went straight to AT&T's router, everything works like it should. So that puts the ball in their court but I really need to get this done.

The only thing I see in Wireshark is a lot of TCP RETRANSMISSION when trying to open converter .121 but that's where my knowledge ends.

Here is a link to the wireshark data,

http://www.cloudshark.org/captures/e49e84afc407

Thanks for the help in advance.

asked 23 May '13, 21:30

odorcide


You have a duplicate IP address in your network. In frames 265, 266, 267, 268 and 271 a session is being set up with 10.23.1.121 on MAC address AtopTech_09:ef:91 (00:60:e9:09:ef:91). Then the next packet that your client sends to the serial-to-IP converter is being sent to MAC address Cisco_bc:3c:f2 (e0:2f:6d:bc:3c:f2). The AtopTech after that keeps retransmitting its initial data as it never sees the ACK. And your client keeps sending data to the Cisco device.

Please check the Cisco device with mac-address e0:2f:6d:bc:3c:f2 for the duplicate address 10.23.1.121.

answered 24 May '13, 00:23

SYN-bit ♦♦
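
The check described in this answer (one IP address appearing behind two MAC addresses), as an added example that is not part of the original post. It assumes the capture was exported with `tshark -r capture.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ip.dst` and that all hosts are on one Ethernet segment; the function name, the client MAC and the frame numbers in the sample are constructed, while the converter and Cisco MACs are the ones quoted above.

```python
from collections import defaultdict

# Constructed sample rows: frame.number, eth.src, eth.dst, ip.src, ip.dst (tab-separated).
CLIENT = "02:00:00:00:00:01"   # made-up client MAC (not given on the page)
ATOP = "00:60:e9:09:ef:91"     # converter MAC quoted in the answer
CISCO = "e0:2f:6d:bc:3c:f2"    # Cisco MAC quoted in the answer
SAMPLE = "\n".join([
    f"1\t{CLIENT}\t{ATOP}\t10.23.1.122\t10.23.1.121",    # SYN to the converter
    f"2\t{ATOP}\t{CLIENT}\t10.23.1.121\t10.23.1.122",    # SYN/ACK
    f"3\t{CLIENT}\t{ATOP}\t10.23.1.122\t10.23.1.121",    # ACK
    f"4\t{ATOP}\t{CLIENT}\t10.23.1.121\t10.23.1.122",    # first data from the converter
    f"5\t{CLIENT}\t{CISCO}\t10.23.1.122\t10.23.1.121",   # client switches to the Cisco MAC
    f"6\t{ATOP}\t{CLIENT}\t10.23.1.121\t10.23.1.122",    # converter retransmits
    f"7\t{CLIENT}\tff:ff:ff:ff:ff:ff\t\t",               # ARP broadcast: no IP columns
])

def find_ip_mac_conflicts(tshark_fields):
    """Return {ip: [(mac, first_frame, roles)]} for every IP seen with more than one MAC.

    roles is "src", "dst" or "dst+src": whether the MAC ever sent traffic *from*
    that IP, or was only chosen by some sender as the destination *for* it.
    """
    seen = defaultdict(dict)  # ip -> {mac: [first_frame, {roles}]}
    for line in tshark_fields.splitlines():
        cols = line.split("\t")
        if len(cols) != 5 or not cols[3] or not cols[4]:
            continue  # non-IP frame or malformed row
        frame, eth_src, eth_dst, ip_src, ip_dst = cols
        for ip, mac, role in ((ip_src, eth_src, "src"), (ip_dst, eth_dst, "dst")):
            mac = mac.lower()
            if int(mac[:2], 16) & 1:
                continue  # broadcast/multicast MAC says nothing about who owns the IP
            entry = seen[ip].setdefault(mac, [int(frame), set()])
            entry[1].add(role)
    # dicts keep insertion order, so MACs are listed in the order they first appeared
    return {
        ip: [(mac, first, "+".join(sorted(roles))) for mac, (first, roles) in macs.items()]
        for ip, macs in seen.items()
        if len(macs) > 1
    }

if __name__ == "__main__":
    for ip, macs in find_ip_mac_conflicts(SAMPLE).items():
        for mac, first, roles in macs:
            print(f"{ip} -> {mac} (first seen in frame {first}, as {roles})")
```

A MAC that is listed only as `dst` never sourced a frame from that IP in the capture, so the mapping comes from the sender's side (ARP cache or routing) rather than from a second host answering on that address.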

Thanks SYN, the MAC address 00:60:e9:09:ef:91 IP 10.23.1.121 is the one I'm having a problem with. I looked up the MAC address and came across the manufacturer,

http://www.atop.com.tw/atop/product/product_detail/data/atop_iapl/en/serial_device_servers_entry_level/se5001-s5/

That is the serial/IP converter that I'm using.

The other MAC address 00:60:e9:09:f0:e5 IP 10.23.1.120 is the converter that is in use and working.

So you're saying the computer is sending the information to the Cisco device instead of the serial/IP converter?

(24 May '13, 08:25) odorcide

(I converted your "answer" to a "comment" as that's how this site works best, please see the FAQ for details)

Yes, the computer is switching its communication to the Cisco halfway through the session. The strange thing is, it happens exactly at the same time in both sessions to 10.23.1.121. And I do not see interfering ARP traffic.

What is your network setup? Looking at the trace, your client 10.23.1.122 is directly connected to the Serial2ip converter. Do you use some kind of software to reach the Serial2ip converter? Is your client multihomed (wireless and wired interface enabled or two ethernet adapters)?

(24 May '13, 09:35) SYN-bit ♦♦

It has a single Ethernet connection, no wireless. The network config is uverse router -> ASA -> switch. The client is connected to the switch along with the adapters. The software that came with the converters is from http://www.tacticalsoftware.com/products/index.htm

While setting up the tactical software everything functions normally, it's only when I go to use the comm port in another piece of software, http://www.linearcorp.com/downloads.php Accessbase 2000 it never opens up the port completely, it looks like the software is able to open up the comm port but never communicates with the panel. Thank you for the help.

(24 May '13, 12:35) odorcide

SYN-bit,

Thanks for your help. odorcide and I are working on the same network/issue. FWIW:

The ASA is a 5505, and I've tried numerous access rules to allow packets between the problem IP and the destination. I can run a packet trace and the ASA seems to be allowing everything.

My experience working with Cisco equipment is also pretty limited (~6 months on the job training; still need to get my boss to sign a training class PO:) Thanks again for your help!

(24 May '13, 15:06) krevbot

If both adapters are connected to the switch and the client is connected to the switch, I assume they are all in the same VLAN and IP subnet? Then the ASA should not be involved in the traffic stream.

Was the linked capture file made in this setup? Or was it made in a different setup?

What happens when you connect the adapter to the client with a cross cable, do you still see problems when it is configured with 10.23.1.121 and the client on 10.23.1.122? If not, you can rule out the switch and ASA and concentrate on the driver software and maybe the host-based Firewall on the client.

(24 May '13, 17:27) SYN-bit ♦♦

The capture was made while both adapters and the client were connected to the switch. I have not tried to test the adapter with a cross-over cable but I can.

Not sure what this will accomplish because both adapters work correctly when I connect both the adapters and the client to the AT&T router.

Thanks for bearing with me and my lack of knowledge in this area.

(25 May '13, 09:45) odorcide

The strange thing is, it happens exactly at the same time in both sessions to 10.23.1.121. And I do not see interfering ARP traffic.

In Frame #306: Why is the client sending an ARP request to the MAC address of the Cisco instead of the broadcast address while it sent the same request to the broadcast address in all packets before!?!

It is using the MAC address of the Cisco 'all of a sudden' in the capture file, maybe due to a bug in the network stack caused by some network configuration (duplicate routes, etc.).

@odorcide: Can you please post the output of the following commands on your client (10.23.1.122)?

ipconfig /all
route print
arp -a

BTW: What is your OS version on that client?

Regards
Kurt

answered 27 May '13, 23:53

Kurt Knochner ♦

edited 28 May '13, 00:05

The OS of the client is Windows 7 SP1, here is the output of those commands. http://pastebinDOTcom/Lf41HbdK Please replace the "DOT" in the URL.

(29 May '13, 07:27) odorcide

Nothing unusual in the output.

Either it's a bug in the IP stack (never seen anything like this), or you did not capture the whole traffic (missing ARP 'updates' or ICMP redirects).

So, how and where did you capture the traffic?

(29 May '13, 08:05) Kurt Knochner ♦

I captured the data on the client PC. I selected the Ethernet card, en0, and started to capture in Wireshark. Opened up the program that uses the comm ports, opened one comm port for the .120 serial/IP adapter and verified it worked, then closed the port. Next I opened the comm port for .121 and let the software time out trying to reach the panels, then stopped the capture.

I didn't apply any filters on the capture, it is the raw data I assume. I

Should I try to capture the data another way?

You guys are a real help and I really appreciate everyone helping.

(29 May '13, 13:37) odorcide

The OS of the client is windows 7 SP1, I captured the data on the client PC, I selected the ethernet card, en0,

en0 on a Windows system? Something does not match here....

(30 May '13, 12:00) Kurt Knochner ♦

I could be mistaken, it was the only interface listed.

(30 May '13, 13:26) odorcide

Let me clarify it:

The system where you started Wireshark (as well as your test software) is running Windows 7 SP1 and you see an interface en0 in Wireshark? That would be strange, as en0 is usually an interface on a Unix-like system (Linux, *BSD).

Can you please post the output of the following command:

ipconfig /all

If your setup is somehow different, please add a detailed description here.

(31 May '13, 02:42) Kurt Knochner ♦

I posted the ipconfig here http://pastebinDOTcom/Lf41HbdK

(31 May '13, 19:25) odorcide
question asked: 23 May '13, 21:30

question was seen: 3,450 times

last updated: 31 May '13, 19:25