This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark Dump on GPRS Connection

0

Hi folks,

I'm a newbie regarding TCP/IP analysis. Asking you for help seems the only way to get my questions answered. Hope you can help and I'm asking specifically enough =)

I got a GPRS-connected device communicating with my server. Every 5 minutes I send an HTTP status so I know the device is still alive. Every minute the device sends data to my server.

My ISP called me and told me that my device's TCP/IP stack isn't working correctly (according to my ISP the device is messing up FIN / ACK messages and doesn't listen to FINs from the server).

After checking the pcap file, I couldn't find anything special...

Would someone be so kind and help me here?

The device is running openWRT and I did not modify the TCP/IP stack.

I would like to tell my ISP that the slow connection (pings to Google or my server are more than 500 ms... I even got a log where I got 18 seconds latency to Google and to my server or my ISP's server). Is there a possibility that the messages get messed up due to the slow GPRS connection?

Hope I wrote understandably.

Link to pcap: https://dl.dropboxusercontent.com/u/15126116/tcpdump_252.pcap

Best regards, Tom

asked 09 Jul '14, 00:45


rindolino
accept rate: 0%


One Answer:

1

There are 181 connections to port 8080. 172 are absolutely identical, meaning same amount of frames, same content, same behavior. There are 9 frames that show re-transmissions.

Example: tcp.stream eq 10

You can see that the SYN frame does not reach the server, so your client continues to send the SYN for 31 seconds. Finally, after 41 seconds the SYN gets through (SYN-ACK comes back) and the connection continues. There is no way to figure out why the SYN does not get through, unless you are able to monitor at different places on the way to the server, which is certainly not the case.

So, to me the capture file looks pretty normal. No signs of 'abnormal' FIN handling (maybe you should ask the ISP to provide an example). There are some connections that take very long due to the SYN not getting through, but I cannot offer an explanation or a solution, as the cause for that problem is totally unclear. It could be your device, it could be the network (including the internet), it could be the target server.

UPDATE:
I tend to say it's the server, as the delta between the last SYN and the SYN-ACK is 10 seconds. It would be rather unusual if the SYN 'circulated' for 10 seconds somewhere in the network.

Regards
Kurt

answered 09 Jul '14, 01:50


Kurt Knochner ♦
accept rate: 15%

edited 09 Jul '14, 02:38
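As an added illustration (not part of Kurt's answer or the original capture), the handshake timing he reads off tcp.stream eq 10 can be computed from the frames of each stream, which is how the "31 seconds of SYN retries, SYN-ACK at 41 seconds, 10-second delta" figures come about. The Frame fields and the sample times below are constructed assumptions that mirror the answer's numbers; stream 11 is a made-up normal handshake for contrast.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Frame:
    """One TCP frame, reduced to the fields needed here (constructed, assumed names)."""
    time: float   # seconds relative to capture start (like frame.time_relative)
    stream: int   # conversation index (like tcp.stream)
    syn: bool     # SYN flag set
    ack: bool     # ACK flag set


def syn_handshake_timing(frames):
    """Per stream: how many SYNs the client sent, how long it retried, and when the SYN-ACK came.

    'last_syn_to_synack' is the delta the answer uses: a SYN-ACK arriving long after the
    final SYN means the last SYN did reach the server, which then took that long to answer.
    """
    by_stream = defaultdict(list)
    for f in frames:
        by_stream[f.stream].append(f)
    result = {}
    for stream, fs in sorted(by_stream.items()):
        fs.sort(key=lambda f: f.time)
        syns = [f.time for f in fs if f.syn and not f.ack]   # client SYNs (incl. retries)
        synacks = [f.time for f in fs if f.syn and f.ack]    # server SYN-ACK(s)
        if not syns:
            continue
        first_syn, last_syn = syns[0], syns[-1]
        synack = synacks[0] if synacks else None
        result[stream] = {
            "syn_count": len(syns),
            "retransmitted_syns": len(syns) - 1,
            "syn_retry_window": round(last_syn - first_syn, 3),
            "handshake_delay": None if synack is None else round(synack - first_syn, 3),
            "last_syn_to_synack": None if synack is None else round(synack - last_syn, 3),
        }
    return result


# Constructed sample. Stream 10 follows the answer: SYN retried with exponential backoff
# for 31 s, SYN-ACK only at 41 s. Stream 11 completes its handshake in 0.6 s.
SAMPLE = [
    Frame(0.0, 10, True, False), Frame(1.0, 10, True, False), Frame(3.0, 10, True, False),
    Frame(7.0, 10, True, False), Frame(15.0, 10, True, False), Frame(31.0, 10, True, False),
    Frame(41.0, 10, True, True),
    Frame(100.0, 11, True, False), Frame(100.6, 11, True, True),
]

if __name__ == "__main__":
    for stream, stats in syn_handshake_timing(SAMPLE).items():
        print(f"tcp.stream eq {stream}: {stats}")
```

With a real capture, the same fields can be exported with `tshark -r file.pcap -T fields -e frame.time_relative -e tcp.stream -e tcp.flags.syn -e tcp.flags.ack` and fed into `Frame` objects.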

Hi Kurt,

Thanks very much for explaining those packets to me. Helps me a lot =)

Best regards, Tom

(10 Jul '14, 01:28) rindolino