This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Port numbers reused blast?

0

Hey there,

I am rather new to Wireshark and we are currently experiencing a problem where one of our HP Pro Curve 48 port switches is showing all solid lights. We have a rather large network over a small city and I'm having to find myself power cycle a firewall in order to have full connectivity for only 3-4 hours until the problem persists. The funny part is when we go to run a capture while the switch is solid lights, I get a huge blast of [TCP Port numbers reused] packet errors to a point where Wireshark barely has time to keep up. I had the capture running for about 3-4 seconds and got 800,000 packets of this nature. Can anyone help me out to lead me in the right direction to fixing this?

asked 18 Oct '13, 05:04

Ineedamedic's gravatar image

Ineedamedic
1113
accept rate: 0%

edited 18 Oct '13, 05:06

2 Answers:

1

I don't think that the reused TCP ports are your problem, it's probably a result of a much bigger issue. The scenario you describe sounds more like a layer 2 loop, where packets get duplicated while circling the net. Can you post a reasonable big sample capture on Cloudshark (if not containing sensitive data)? If you can't post a capture maybe you can do a screen shot of a section that contains these reused port numbers?

answered 18 Oct '13, 06:55

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Unfortunately I can't post much. I'm seeing a certain subnet of our network hitting one particular IP address as the destination and this does not change. The interesting thing is that the IP Address is "as we know" turned off so it shouldn't be broadcasting anything at all. Essentially I have connectivity for all my users, they are just sending back high ping times... So I'm not totally disconnected from my network. I don't know if that helps or not.

(18 Oct '13, 08:39) Ineedamedic

1

I'm having to find myself power cycle a firewall in order to have full connectivity for only 3-4 hours until the problem persists.

Sounds like a routing loop to me.

I'm seeing a certain subnet of our network hitting one particular IP address as the destination and this does not change. The interesting thing is that the IP Address is "as we know" turned off.

O.K. if it is a routing loop, it could be like this:

Firewall: host or subnet route for that 'dead' IP address (or subnet) to internal router R1
R1: host or subnet route for that IP address (or subnet) to the firewall

The whole packet looping will start as soon as the first system tries to access the 'dead' IP address.

I'm seeing a certain subnet of our network hitting one particular IP address as the destination and this does not change

Please check if the IP TTL of those packets gets decreased constantly. If so, there is a route loop and then you need to check the routes on all involved systems. Start with the Firewall and work yourself further into the network.

Regards
Kurt

answered 18 Oct '13, 09:57

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%