Dlink-Router loses Internet-Connection, Check Cisco-modem with Wireshark

0

Hi all,

My D-Link DIR 652 router (behind a Cisco modem) loses its internet connection every 15-30 minutes. I checked the router protocol and it says something with WAN-timer. So I ran Wireshark on my laptop tonight, directly connected to my Cisco modem, to see if the modem loses the connection, or if it's only the router.

Now I have a large protocol of about 45 MB, but I am not able to analyze it due to lack of knowledge. How is an interruption of the internet connection logged in Wireshark protocols? What is it I have to search for?

I see lots of stuff like "who has [IP] Tell [IP]", "TCP Keep Alive" and other messages I can not understand. Of course, if the connection didn't break, I won't find anything. But I don't even know what to look for... hope someone can help :)

Thanks in advance, Daniel

asked 28 Jan '15, 01:10

MikeTakrelyt
accept rate: 0%

edited 28 Jan '15, 01:13


One Answer:

0

There will not be any packets/messages in the capture file that actively inform you that the link was down. You will need to deduce that from the traffic that you expect and is not there. The logging on the Cisco modem might have messages that tell you when it brought the connection down, so look in the logs on the router. Most routers will also tell you how long the connection has been up on the "Status" page, so have a look there too.

You could perform a ping test (to 8.8.8.8 for instance) from a system behind the router (if you use a Windows system, make sure it keeps sending pings by adding the '-t' option). Then in the captured data, you can look for "ICMP echo requests" that do not have a matching "ICMP echo reply", by pressing "<ctrl>+F" (find) and then typing the display filter "icmp.type == 8 and not icmp.resp_in". This will look for the next "ICMP echo request" packet for which Wireshark has not seen a response.

Of course if the WAN link goes down after an idle timeout, performing the ping will keep the connection open.

answered 28 Jan '15, 04:35

SYN-bit ♦♦
accept rate: 20%
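The idea behind the display filter in the answer above, as an added example that is not part of the original answer: pair each echo request with a reply carrying the same identifier and sequence number, then group the unanswered ones into outage windows. The capture is constructed sample data, and matching on id/seq alone is a simplifying assumption (one ping session, one target).

```python
import struct

def icmp(kind, ident, seq):
    """Build a minimal 8-byte ICMP echo header (checksum left at 0)."""
    return struct.pack("!BBHHH", kind, 0, 0, ident, seq)

def unanswered_requests(capture):
    """capture: list of (time_s, icmp_bytes) in capture order.
    Return [(time_s, seq)] for echo requests (type 8) that never got an
    echo reply (type 0) with the same identifier and sequence number."""
    pending = {}
    for t, raw in capture:
        kind, _code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
        if kind == 8:
            pending[(ident, seq)] = t
        elif kind == 0:
            pending.pop((ident, seq), None)
    return sorted((t, seq) for (_ident, seq), t in pending.items())

def outage_windows(lost, interval=1.0):
    """Group lost pings sent back to back into (start, end, count) windows."""
    windows = []
    for t, _seq in lost:
        if windows and t - windows[-1][1] <= interval * 1.5:
            start, _end, count = windows[-1]
            windows[-1] = (start, t, count + 1)
        else:
            windows.append((t, t, 1))
    return windows

# Constructed sample: one ping per second, replies missing for seq 4-6 and 9.
CAPTURE = []
for seq in range(1, 11):
    CAPTURE.append((float(seq), icmp(8, 0x1234, seq)))
    if seq not in (4, 5, 6, 9):
        CAPTURE.append((seq + 0.02, icmp(0, 0x1234, seq)))

if __name__ == "__main__":
    for start, end, count in outage_windows(unanswered_requests(CAPTURE)):
        print(f"{count} unanswered ping(s) between t={start}s and t={end}s")
```

A single lost ping is ordinary packet loss; a run of several in a row is what a dropped WAN link looks like in the capture.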

Hi, thanks for the reply. I don't think it is an idle timeout causing the interruption, as it also happens while gaming via PS3 or surfing on my laptop.

In the router log I can see the problem (old example from Feb 26, but still the same):

Feb 26 09:39:21 info    UDHCPD Inform: add_lease xxx.xxx.x.xxx
Feb 26 09:38:36 info    using nameserver xx.xx.xxx.xxx#53
Feb 26 09:38:36 info    using nameserver xx.xx.xxx.xxx#53
Feb 26 09:38:36 info    reading /etc/resolv.conf
Feb 26 09:38:29 info    wantimer: [Cable Connect, No IP]-'[Cable Connect, Have IP]
Feb 26 09:38:28 debug   open bandwidth_tmp.txt fail
Feb 26 09:38:28 debug   No DHCP ACK with option OPTION_6RD
Feb 26 09:38:27 info    Lease of xxx.xxx.xx.xxx obtained, lease time 3600
Feb 26 09:38:27 debug   Sending select for xxx.xxx.xx.xxx...
Feb 26 09:38:27 debug   DHCPC get gateway = xxx.xxx.xx.x
Feb 26 09:38:27 info    Sending discover...
Feb 26 09:38:27 debug   Performing a DHCPC renew
Feb 26 09:38:27 debug   DHCPC Received SIGUSR1='DHCPC Renew
Feb 26 09:38:27 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:25 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:23 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:21 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:19 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:17 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:15 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:13 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:11 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:09 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:07 info    wantimer: [Cable Connect, No IP]
Feb 26 09:38:05 info    wantimer: [Cable DisConnect, Have IP] -' [Cable Connect, No IP]
Feb 26 09:38:02 debug   Entering released state
Feb 26 09:38:02 info    DHCP Release WAN IP address = 0.0.0.0
Feb 26 09:38:02 debug   Sending release...
Feb 26 09:38:02 info    Unicasting a release of xxx.xxx.xx.xxx to xx.xxx.xx.x
Feb 26 09:38:02 debug   Performing a DHCPC release
Feb 26 09:38:02 debug   DHCPC Received SIGUSR2='DHCPC Release
Feb 26 09:38:02 info    wantimer: [Cable Connect, Have IP] or [Cable Disconnect, Have IP] -' [Cable Disconnect, Have IP]
Feb 26 09:35:44 debug   Sending renew...
Feb 26 09:34:13 info    ath0: STA 20:64:32:3b:e3:2a WPA: received EAPOL-Key 2/2 Group with unexpected replay counter
Feb 26 09:34:13 info    ath0: STA 20:64:32:3b:e3:2a WPA: group key handshake completed (RSN)
Feb 26 09:34:13 debug   ath0: STA 20:64:32:3b:e3:2a WPA: received EAPOL-Key frame (2/2 Group)

So I think I know that the connection gets lost when using the router. That's why I connected the laptop to my Cisco modem directly, to find out with Wireshark if there are any disconnects, too. So I think I have to do the "ping-thing" that you requested and let Wireshark run. Can you explain how to do this regular ping? Can I set this up to ping every 5 seconds or so? And does it have to be an existing external IP like Google? 8.8.8.8 was just a not working example, right?

Thanks in advance, Daniel

(28 Jan '15, 05:12) MikeTakrelyt

Your DHCP lease time seems to be 3600 seconds and most DHCP clients will renew their lease at half of the lease time. So that would mean every 30 min. It seems in sync with how often you experience a disconnect.

Usually an IP address is not released until a new lease has been received from the DHCP server. In your log however, it seems that the IP address is released before the new lease is given by the modem. This looks like a bug to me. Did you update your router to the latest firmware already? If not, I would try that first.

Pinging 8.8.8.8 was an example, you can ping any address as long as it is on the outside so it will pass your router and your modem. How to use ping differs depending on the OS. Type "ping /?" on windows for more info or "man ping" on OS/X, linux, *BSD, etc.

(28 Jan '15, 05:31) SYN-bit ♦♦
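The timing argument in the comment above, worked through on lines from the posted router log, as an added example that is not part of the original thread. The log excerpt is copied from the post (newest entry first); the year is an assumption because the log lines carry none, and the function and key names are hypothetical.

```python
import re
from datetime import datetime

# Excerpt of the router log posted above, newest entry first.
ROUTER_LOG = """\
Feb 26 09:38:29 info    wantimer: [Cable Connect, No IP]-'[Cable Connect, Have IP]
Feb 26 09:38:27 info    Lease of xxx.xxx.xx.xxx obtained, lease time 3600
Feb 26 09:38:27 info    Sending discover...
Feb 26 09:38:05 info    wantimer: [Cable DisConnect, Have IP] -' [Cable Connect, No IP]
Feb 26 09:38:02 info    DHCP Release WAN IP address = 0.0.0.0
Feb 26 09:38:02 debug   Sending release...
Feb 26 09:35:44 debug   Sending renew...
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) +(\w+) +(.*)$")

def parse(log, year=2014):  # year is assumed; the log lines have none
    """Return (timestamp, message) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3)))
    events.reverse()  # log is newest first; keeps same-second entries in order
    return sorted(events, key=lambda e: e[0])

def analyse(log):
    """Time the renew -> release -> new lease sequence of the WAN DHCP client."""
    renew = release = lease = lease_time = None
    for ts, msg in parse(log):
        if msg.startswith("Sending renew"):
            renew = ts
        elif msg.startswith("Sending release") and release is None:
            release = ts
        elif (m := re.match(r"Lease of \S+ obtained, lease time (\d+)", msg)):
            lease, lease_time = ts, int(m.group(1))
    return {
        "renew_to_release_s": (release - renew).total_seconds(),
        "no_ip_s": (lease - release).total_seconds(),
        "released_before_new_lease": release < lease,
        "renew_interval_s": lease_time // 2,  # clients renew at half the lease
    }

if __name__ == "__main__":
    print(analyse(ROUTER_LOG))
```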

I have recognized that lease time of 3600 before, too, but I didn't know if I can change that by myself, without destroying any other configuration. I updated the router to the latest firmware some time ago, which is 2.00 Rev. B, there is no newer firmware on the web so far.

Do you think I can just increase the lease time to let's say 28800, which will mean every 480 minutes/8 hours, so the release/renew will be done by the router every 4 hours, which would be OK for me?

Or does the lease need to be synced to the time that the Cisco modem performs a lease? I think I didn't understand all the "router-talks-to-modem"-thing :) Very complicated stuff.

Anyway I will perform the ping test overnight with Wireshark when I have the time to.

Thanks man, you are a really great help after no one was able to help me with this (ISP, D-Link, Cisco... no one was able so far, very annoying)...

One more thing: just found that the Cisco also has something set with 3600 seconds on one of its pages I was able to access, but it doesn't look like it's something that should be changed... mhhh: [image] Also this part of the log might be interesting: [image]

Will try to get newer logs as well...

(29 Jan '15, 00:30) MikeTakrelyt