I'm a newbie regarding TCP/IP analysis. Asking you for help seems the only way to get my questions answered. Hope you can help and I'm asking specifically enough =)
I got a GPRS-connected device communicating with my server. Every 5 mins I send an HTTP status so I know the device is still alive. Every minute the device sends data to my server.
My ISP called me and told me that my device's TCP/IP stack isn't working correctly. (According to my ISP the device is messing up FIN / ACK messages and doesn't listen to FINs from the server.)
After checking the pcap file, I couldn't find anything special...
Would someone be so kind and help me here?
The device is running OpenWrt and I did not modify the TCP/IP stack.
I would like to tell my ISP that the slow connection (pings to Google or my server are more than 500 ms... I even got a log where I got 18 secs. latency to Google and to my server or my ISP-server). Is there a possibility that the messages get messed up due to the slow GPRS connection?
Hope I wrote understandably.
Best regards, Tom
asked 09 Jul '14, 00:45
There are 181 connections to port 8080. 172 are absolutely identical, meaning same amount of frames, same content, same behavior. There are 9 frames that show re-transmissions.
Example: tcp.stream eq 10
You can see that the SYN frame does not reach the server, so your client continues to send the SYN for 31 seconds. Finally, after 41 seconds the SYN gets through (SYN-ACK comes back) and the connection continues. There is no way to figure out why the SYN does not get through, unless you are able to monitor at different places on the way to the server, which is certainly not the case.
So, to me the capture file looks pretty normal. No signs of 'abnormal' FIN handling (maybe you should ask the ISP to provide an example). There are some connections that take very long due to the SYN not getting through, but I cannot offer an explanation or a solution, as the cause for that problem is totally unclear. It could be your device, it could be the network (including the internet), it could be the target server.
answered 09 Jul '14, 01:50
Kurt Knochner ♦
edited 09 Jul '14, 02:38
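Added example, not part of the original question or answer: one way to check both points raised in the thread over a whole capture, by computing SYN retransmissions and handshake delay per stream and flagging any FIN the peer never ACKs. The packet records are constructed sample data with relative sequence numbers; the names `make_stream`, `analyze`, `dev` and `srv` are hypothetical, and stream 20 is a made-up case showing what an ignored server FIN would look like.

```python
from collections import defaultdict

SYN, ACK, FIN = 0x02, 0x10, 0x01  # TCP flag bits

def make_stream(sid, syn_times, synack_t):
    """Constructed sample stream: (time_s, stream, src, flags, seq, ack, len)."""
    t = synack_t
    return [(s, sid, "dev", SYN, 0, 0, 0) for s in syn_times] + [
        (t, sid, "srv", SYN | ACK, 0, 1, 0),
        (t + 0.1, sid, "dev", ACK, 1, 1, 0),
        (t + 0.2, sid, "dev", ACK, 1, 1, 100),         # request
        (t + 0.9, sid, "srv", ACK, 1, 101, 50),        # response
        (t + 1.0, sid, "srv", FIN | ACK, 51, 101, 0),  # server closes
        (t + 1.5, sid, "dev", ACK, 101, 52, 0),        # device ACKs the FIN
        (t + 1.6, sid, "dev", FIN | ACK, 101, 52, 0),  # device closes
        (t + 2.2, sid, "srv", ACK, 52, 102, 0),
    ]

# Stream 0: clean. Stream 10: SYN retried for 31 s, answered after 41 s.
# Stream 20: hypothetical capture in which the server's FIN is never ACKed.
SAMPLE = (make_stream(0, [0.0], 0.6)
          + make_stream(10, [100, 101, 103, 107, 115, 131], 141)
          + make_stream(20, [200.0], 200.6)[:-3])

def analyze(packets):
    """Per stream: SYN retransmissions, handshake delay, FINs never ACKed."""
    streams = defaultdict(list)
    for p in sorted(packets):
        streams[p[1]].append(p)
    report = {}
    for sid, pk in streams.items():
        syns = [p for p in pk if p[3] & SYN and not p[3] & ACK]
        synack = next((p for p in pk if p[3] & SYN and p[3] & ACK), None)
        unacked = []
        for i, (_, _, src, flags, seq, _, length) in enumerate(pk):
            want = seq + length + 1  # a FIN consumes one sequence number
            if flags & FIN and not any(
                    q[2] != src and q[3] & ACK and q[5] >= want for q in pk[i + 1:]):
                unacked.append(src)  # sender whose FIN was never acknowledged
        report[sid] = {
            "syn_retrans": max(len(syns) - 1, 0),
            "handshake_s": synack[0] - syns[0][0] if syns and synack else None,
            "unacked_fin_from": unacked,
        }
    return report

if __name__ == "__main__":
    for sid, row in analyze(SAMPLE).items():
        print(sid, row)
```

A stream with a long `handshake_s` but an empty `unacked_fin_from` matches what the answer describes: delayed SYNs, normal teardown.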