This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi Guys,

We are trying to back up a MacBook Air to a Synology DiskStation over wireless using Time Machine. We are able to back up on a wired connection, but on wireless the Mac says "Preparing backup" and never starts the backup. I took a capture from our router and saw that there are a lot of "TCP Retransmission" and "TCP Out of Order" packets. From what it looks like, packets are first being transmitted to the router and the router is retransmitting them to the Synology. I am wondering if this is normal, since the MacBook is connected through a wireless access point to a switch and then to the router, or if there is a problem in the routing.

Capture file can be found here.

Thank you in advance!!!!

asked 08 Nov '13, 10:56

clarsen


That one's indeed tricky. And yes, the router (where the trace was taken) initially seems to be in the path even though we are within the same subnet and so the ARP table in the MacBook should contain the NAS's MAC address. Instead the packets are sent to the SonicWall router's MAC address, which forwards them to the Synology NAS. Why this happens is still a mystery to me, as I'm not a WLAN expert. Here are some more observations which might provide some hints as to why this is happening:

  • The SonicWall router adjusts the MSS option of the SYN packets from 1460 to 1452
  • The router does not decrement the ip.ttl
  • The dest-MAC of the NAS changes 360s into the trace (Synology:20:59:f7 -> Synology:20:59:f9)
  • Before (298s-360s into the trace) there were 3823153 not traced in the router (in both directions)

As for the problem you are investigating, I'd say the NAS server is closing the session unexpectedly with a 'server shutting down' indication.

There was a discussion about wireless Time Machine backup not supported in a Synology forum which might lead you to the right experts.

answered 10 Nov '13, 05:46

mrEEde

Thank you for your insight, it has been extremely helpful. How did you configure Wireshark to show DSI_Type, DSI req/rply and the associated flags? I'm still figuring out how to get the most out of Wireshark. Thanks!!

(11 Nov '13, 08:24) clarsen

The easiest way to add any field to the packet list is to go to the packet details, right-click on the desired field and 'Apply as Column'. As an owner of a question, don't forget to 'accept' an answer when you're satisfied.

(11 Nov '13, 21:39) mrEEde

As @mrEEde mentioned, the frames are first forwarded to the router (SonicWall) and then probably forwarded by the SonicWall to the Synology.

I am wondering if this is normal since the Macbook is connected through a wireless access point to a switch then to the router or if there is a problem in the routing.

The only plausible explanation I can think of (besides a bug somewhere): The Mac gets a wrong netmask while connected via the AP, i.e. /25 instead of /24. In that case 10.250.212.145 is not in the same subnet from the Mac's perspective (10.250.212.0/25 == 10.250.212.1 - 10.250.212.127) and thus it forwards the traffic to its default gateway (SonicWall - maybe 10.250.212.1). As the SonicWall has a subnet mask of (probably) /24, it knows it can forward the frames directly to the Synology device (10.250.212.145).

Possible solution: Please check if the netmask of the Mac is set to a different value than it should be on your network (i.e. /25 versus /24).

BTW: This does not explain why the MAC address of the Synology changes from 00:11:32:20:59:f7 to 00:11:32:20:59:f9 in frame 1186!?! Maybe there is a second Synology with the same IP address and you did not capture the ARP update, or maybe the same Synology has two interfaces connected to the LAN (for redundancy).

Regards
Kurt

answered 10 Nov '13, 15:28

Kurt Knochner ♦

edited 10 Nov '13, 15:34

Thanks so much Kurt, the subnet mask is /20 which is what our internal subnet mask is so that's good but I still think there is an issue from the AP to the router. You are correct about the Synology having multiple interfaces connected to the LAN, the first MAC listed is two bonded LAN interfaces and the second is not bonded. There are 4 total LAN interfaces.

(11 Nov '13, 08:30) clarsen

but I still think there is an issue from the AP to the router.

Maybe. Can you please add some information about the AP (brand, model) and how you attached it to the network? Is the 'AP' working as an AP or as a wireless router? (Based on the MAC addresses in the capture file, I guess it's a pure AP, but you never know until you check ;-))

(12 Nov '13, 04:18) Kurt Knochner ♦
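
Added example, not part of the original thread: a Python sketch of the two checks discussed above, namely whether a sender with a given prefix length would address an on-link destination directly or via its default gateway, and whether the destination MAC seen for one IP changes during the capture. The Mac's IP, the gateway MAC and all frame numbers except 1186 are constructed placeholders; the gateway IP is the one guessed in the answer.

```python
import ipaddress

def next_hop(src_ip, prefix_len, dst_ip, gateway_ip):
    """IP the sender will ARP for: dst itself if on-link, else the gateway."""
    net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway_ip

def audit(frames, src_ip, prefix_len, gateway_ip, gateway_mac):
    """frames: (frame_no, ip.dst, eth.dst) tuples, e.g. exported with
    tshark -T fields -e frame.number -e ip.dst -e eth.dst"""
    findings, last_mac = [], {}
    for no, dst_ip, dst_mac in frames:
        if dst_mac == gateway_mac:
            # Frame was handed to the router; unexpected if dst is on-link.
            if next_hop(src_ip, prefix_len, dst_ip, gateway_ip) == dst_ip:
                findings.append(("via-gateway", no))
            continue
        prev = last_mac.get(dst_ip)
        if prev and prev != dst_mac:
            # Same IP now answers on another MAC (second NIC, bond, or conflict).
            findings.append(("mac-change", no, prev, dst_mac))
        last_mac[dst_ip] = dst_mac
    return findings

# Constructed sample data (not taken from the capture file).
GW_IP = "10.250.212.1"        # gateway address guessed in the answer
GW_MAC = "02:00:00:00:00:01"  # placeholder for the SonicWall MAC
MAC_IP = "10.250.212.50"      # placeholder for the MacBook's address
NAS_IP = "10.250.212.145"
FRAMES = [
    (1, NAS_IP, GW_MAC),                  # Mac -> router leg
    (2, NAS_IP, "00:11:32:20:59:f7"),     # router -> NAS leg
    (1185, NAS_IP, "00:11:32:20:59:f7"),
    (1186, NAS_IP, "00:11:32:20:59:f9"),  # MAC change noted in the thread
]

def run(prefix_len):
    return audit(FRAMES, MAC_IP, prefix_len, GW_IP, GW_MAC)

if __name__ == "__main__":
    for plen in (25, 24, 20):
        print(f"/{plen}:", run(plen))
```

With /25 the gateway leg is consistent with the sender's routing decision and only the MAC change is reported; with /24 or /20 the same leg is flagged, because the NAS is on-link and the frame should not have gone to the router's MAC.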
question asked: 08 Nov '13, 10:56

question was seen: 2,596 times

last updated: 12 Nov '13, 04:18
