Hi net-specialists, my problem looks somewhat queer to me: We have an interface device from our canbus-devices to modbus. We also implemented a modbus over tcp/ip stack in it, and it works since years with several computers with our software as well as with modscan32. Now i stumble over the following: Every about 50 to 60 seconds the connection is interrupted. With modscan i see, that there firstly is a message timeout, so it looks like my device doesn´t answer any more. Next is a message, that the tcp/ip-connection was terminated. Ok, i am looking into my code if there is any timeout that might hit erroneously, but there is none. Furthermor, when i make the same test on another computer (WIN7 PRO 64), everything runs fine! When i run the test in a virtual machine (XP PRO 32) on the same computer it runs fine. So there is something on MY computer, that disconnects the modbus-connection, and i have no idea how to find it. My system is: WIN7 ultimate 32bit Modscan is the most actual version, but any older version has the same problem - on my computer. Has anyone an idea, how to find out this ? Have a nice day, Wolfgang asked 06 Aug '14, 08:54  modshark |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Can you provide a capture of the good and bad connections? Up to TCP layer should be enough, so if you have the need to sanitize the capture first use TraceWrangler: http://www.tracewrangler.com
Not yet, i have to ask my boss before using wireshark, and he is on holiday at the moment.
The real strange thing is: - I have my WIN7-PC, and i have a VM with XP on it. - I open a connection mith modscan on my XP-VM, and it works stable - I open a second connection with modscan on my WIN7-PC, and it gets disconnected after about 50 to 60 seconds. - The first connection on my XP-VM stays connected and continues working fine.
All this leads me to the conclusion, that there is something wrong with my WIN7-PC.
Furthermore:
a. For testing purpose we have an interface device standing in the home office of my boss. We can access this one over the internet and a port forwarding in his router. When i open a connection to this interface device the connection is stable.
b. In the interface device firmware i implemented a kind of "ethernet debug mode", that means, every action (open socket, close socket, receive data, send data etc.) is monitored to a RS232 connection. Here i can see, that my device "tells me", that the connection was closed by the remote station, which would be the WIN7 PC with modscan running. The procedure is as follows:
For about 50 secondes everything runs fine. Then modscan tells me, that there is a message timeout. When i watch the traffic on modscan (there is a traffic viewer in modscan, which of course is not comparable to wireshark), i see, that the query is transmitted but no response follows. At the same time my monitor function in the interface device tells me, that the connection was closed by the remote station. After about 7 to 10 additional queries modscan pops up a window telling, that the connection was disconnected.
So my question is:
Is there a possibility to "cut" a connection by anything else but the two stations using the socket? Who or what is able to disconnect a connection "from outside"?
Firewall? Antivirus software? I do not find any hint in the windows event logs...
regards, Wolfgang
anything from the outside would be malicious, and can probably be ruled out. Personal firewalls and antivirus software can interfere with network stacks, so it would be a good test to check the communication behavior without those. Sometimes even the same firewall/antivirus software works for a specific version of an OS, and creates trouble for another (e.g. 32 bit vs. 64 bit Win7).
But really, if you want to know what happens on the network you need packet captures, and those should not be taken on any of the affected systems but with a third device via TAP/SPAN port. Otherwise the packets are often not exact enough.
Best would be to have 3 capture points: 1 at a PC that works, one at the PC that doesn't, and one at the remote device. That way it is easy to see who gets what from whom.
Yeah, may be it would be the best... sorry, what means TAP/SPAN port? I'm not so good in those network entrails...
The antivirus software is Microsoft Security Essentials, i already made the test with real time protection disabled, but without any influence on my problem. Next i will try to turn off the firewall (standard WIN7 firewall) ...
Turning off the firewall has no influence, the connection still gets disconnected...
So we will have to wait until i can ask my boss for using wireshark.
Thanks a lot and so long,
Wolfgang
Well, it is really crazy and very unsatisfactory, but the problem has vanished! Yesterday I checked again, and since then the communication is stable. So i will probably never find out what was the problem. No windows update was done. Nothing was changed on my side. afaik...
best thanks and regards, Wolfgang