This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Analyzing Traffic to troubleshoot an issue

0

I am helping out a school NetAdmin with an unusual problem they are having that I believe may be network related. It appears that 7-8 desktops have issues opening up files on a share located on the school's server during the mornings. The issue only affects these desktops - no one else on the subnet experiences those issues at that time, and the issue clears up later in the day.

When someone tries to open up a file, it appears that Windows just hangs for an inordinate amount of time. Sometimes, the file will eventually open, but other times the desktop needs to be rebooted to unfreeze it. The switch to which these desktops connect as well as the fiber media converter that connects the switch to the main switch that the server and the other desktops on the subnet connect to have both been replaced as part of the troubleshooting.

I am hoping we can garner some clues as to what is going on by using Wireshark on one of the problem desktops and the server, but I am unfamiliar with interpreting the output. Would it be possible to upload our two capture files here for someone more savvy to take a look at and point us in the right direction?

asked 19 May '11, 13:05

JBergJr
1112
accept rate: 0%


2 Answers:

2

There is no way to upload a file to this site directly, at least not that I'm aware of, but the answers to these other questions might help provide you with some alternative methods you could use:

If you find a way to post your file somewhere, then it's possible someone might take a look at it and give you some feedback about it.

answered 19 May '11, 19:06

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Not exactly the same context. I do need help in interpreting traces. A trojan (I think) in my machine is sending my IP somewhere. I reset and eventually I get an email (which I know is spoof/phish) and don't know how to interpret. The outgoing message may have my IP encrypted, etc. and I don't even know where to begin.

I have read cmaynard's message and I do have a place to put the traces, just still have a question regarding the extension ".pcap" because it is not there [this is after reading that Wireshark keeps up to my close to 8GB memory and then crashes, I have reported this and found a workaround to limit files to +/- 100MB]. I do suspect I captured the culprit because after changing my IP address, the following emails do have the new one.

(03 Aug '11, 17:36) LaoziSailor

0

Thanks for the information. I will take a look at those files and test the program some more. Naturally, the problem has gone away for a few days, but it has done this in the past, so we are waiting until the next flare up.

answered 24 May '11, 06:21

JBergJr
1112
accept rate: 0%

Just make sure there is no confidential information included. If the files you are transferring contain sensitive data you should be aware that it can be reconstructed from the capture without much trouble (if not encrypted). In that case you should use test files that are noncritical.

(24 May '11, 06:34) Jasper ♦♦