I keep getting random drops on network. If I am pinging the Gateway, I'll get a request time out. Network has been very slow and I'm not sure why I have so many connection resets. Any help would be great. Dump https://drive.google.com/file/d/0B43jcZHbJGXQckVBQmNJMlRVVVU/view?usp=sharing asked 28 Sep '15, 11:11  VodoBaas1 showing 5 of 11 show 6 more comments |
One Answer:
45% of ALL packets in that capture file are ARP frames. "Something" is wrong with your environment ;-)) Please apply the following filter to see who is the "mass ARP spammer" on your network.
Surprise, surprise: it's 192.168.1.174. That system also creates an insane number of DNS requests, PTR lookups for all addresses it was "scanning" before. So either you're running a legitimate network scanner on that system, or something is failing badly, including a possible malware infection. With that traffic pattern it's no surprise that there are ping drops for that machine! HINT, based on the rest of the traffic, I conclude that this system is somehow part of Trend Micro Officescan, which does not mean it cannot be infected with malware ;-)) BTW, you don't have to re-run the ping test. Instead you should figure out what's wrong with that system. Regards answered 28 Sep '15, 19:02  Kurt Knochner ♦ Thanks for the info kurt. I did run a network scanner but I will go back and review the times to make sure. Thank you for the direction I should head. I will give an update tomorrow when I can do some investigating. (28 Sep '15, 19:09) VodoBaas1 I got rid of an akamai product that might be the issue, but I'm not sure how to check how much of the sample are arp's. I attached the dump to see if it's better. Thanks! https://drive.google.com/file/d/0B43jcZHbJGXQUGx5N3N4amdLR2M/view?usp=sharing P.S. I gave the computer .174 a static IP of .150 (29 Sep '15, 08:12) VodoBaas1 OK, so I think I found the issue with that machine. That terminal had solarwinds installed around when this issue started. It has been removed, the system is more stable, but I think I have some lingering issues. If you could please look at the newest dump, it would be greatly appreciated. https://drive.google.com/file/d/0B43jcZHbJGXQTzhtVWM0UGoxVTg/view?usp=sharing (30 Sep '15, 09:02) VodoBaas1 I am not sure what the exact question is, that should be answered be looking into the trace. Are you still have Ping issues? Or do you just want to have verified that no uncommon ARPs are in the trace? (30 Sep '15, 12:14) Christian_R Sorry, I will try to be more clear. I am still having ping issues. I did a recovery on to a time before Solarwinds was installed on that computer(.150). I am currently running a capture that will be post recovery. It seems better, but I still have times where I get request timed out. I will post new dump soon. (30 Sep '15, 12:30) VodoBaas1 New Dump https://drive.google.com/file/d/0B43jcZHbJGXQRGoyeGtMWjR0QkU/view?usp=sharing Thanks again for all the help. (30 Sep '15, 13:58) VodoBaas1 No, I can´t see the address 192.168.1.150 or the address 192.168.1.174. And so I can´t see any ICMP traffic of this devices. List of IPs inside the trace: (30 Sep '15, 14:04) Christian_R Sorry when I restored it, it made it dhcp again. The IP for that comp is .141 (01 Oct '15, 08:48) VodoBaas1 No, I can't see any icmp traffic for this ip. Please, Check by yourself with the display filter "icmp" if you can see any icmp packets for your address. If you see some you can post the trace. If you see no packets we have to find out why. (01 Oct '15, 09:37) Christian_R I don't see any ICMP for that IP. Would it help if I run wireshark directly from the .141 comp and post that dump? (01 Oct '15, 10:14) VodoBaas1 @VodoBaas1: I'm getting lost. What is the problem you are trying to analyze? (01 Oct '15, 10:17) Kurt Knochner ♦ Yes that would help. (01 Oct '15, 10:18) Christian_R I have had very slow network activity. It has gotten better the last couple days but if I ping the DG (192.168.1.1) I still get times with "request time out". I am just trying to find out why the DG becomes unresponsive for an amount of time. Sometimes for a few seconds and sometimes a little longer. (01 Oct '15, 11:13) VodoBaas1 Could you post an ipconfig/all output of the machine which had the issue. (01 Oct '15, 12:06) Christian_R (01 Oct ‘15, 12:46) Christian_R So my question again, have you seen the IP Address 192.168.1.141 in the newest tracefile? (01 Oct ‘15, 12:51) Christian_R Yes when I ran this dump I see it. https://drive.google.com/file/d/0B43jcZHbJGXQTzhtVWM0UGoxVTg/view?usp=sharing (01 Oct ‘15, 13:15) VodoBaas1 O.K. if you use the following filter, you’ll see that there are some ping responses missing, but there is not sign for a problem during that time (like increased traffic volume or similar)
Hard to troubleshoot that way! BTW: How and where did you capture that data? Maybe switch mirror port? (01 Oct ‘15, 13:25) Kurt Knochner ♦ This capture was done from the comp that was having the issue before the re-image. I had been running the capture from our server. I haven’t seen a lot of ARP like I was. Just trying to figure out why I still see the time out response from either the .141 IP or from the Server. (01 Oct ‘15, 13:36) VodoBaas1 There is no explanation in the capture file, why there is no ping response in several cases. (01 Oct ‘15, 13:41) Kurt Knochner ♦ Well, I guess I’m at a loss. I will continue to monitor and see how it goes. I really appreciate all the help! (01 Oct ‘15, 13:53) VodoBaas1 I was looking at ICMP from 192.168.1.11 to 192.168.1.1 and was wondering if that is the same case and there is no explanation. (02 Oct ‘15, 06:46) VodoBaas1 As I said, ‘icmp.resp_not_found’ will show the missing ping responses in that capture file and they are mostly from .11 -> .1. As I also said: there is no explanation in the capture file why the repsonses are missing. Possible reasons:
(02 Oct ‘15, 08:13) Kurt Knochner ♦ OK, thanks. I found that one computer had malware and was sending a lot of network traffic and took it off the network and cleaned it. I still haven’t added it back but still have some page not found issues, so I am thinking there might be another computer causing the issue. A lot of my request time outs directly from my DG show from trend micro. So I’ll look into that. Thanks again for the help. (02 Oct ‘15, 10:10) VodoBaas1 showing 5 of 24 show 19 more comments |
I can´t see any Ping failures. In fact the pings I saw had been had a turnaround of around 1 ms and less. Have you tried the command ping command without dns resolving?
ping -n IP_ADDRI have run ping -t IP_ADDR and it will have some request time outs. This IP is my DG (Router). At times throughout the day I was getting about 14% loss, later today it was about 1%. I think it's the router becoming unresponsive, but I have no clue why it's happening.
So what is the IP you try to ping? And what IP has the host who send the ping request.
192.168.1.1 is the DG and 192.168.1.174 is the IP that was sending the ping request.
I can´t see this ICMP flow in your trace, neither the request nor the response.
Thanks for all your help so far. I don't remember if this dump was run at the same time. Apparently not. I will post the other dump soon.
at the moment it is more or less the same trace. I still can´t see the ICMP flow in the trace and it is only 1MB large.
My bad that was the same old Dump. https://drive.google.com/open?id=0B43jcZHbJGXQRlBCZDVGdnZBbk0 Should say Dump2
I still can´t see the ICMP flow between 192.168.1.1 is the DG and 192.168.1.174. But I can see a huge amount of ARP Broadcast up to 100 and more Paket/s this could be a problem.
Not possible to access Dump2!
I will re-run a ping tomorrow and post it. I thought there was a lot of arp but wasn't sure since I only have limited experience. What could be the reason for that? Virus? Also, the link should be fixed for dump2.