This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Retransmissions - Simple Telnet to Webserver - Timeout

0

Hi everyone

I just ran into an issues in my network, where I wanted to connect from a machine in subnet "C" to a machien in subnet "A" on port 80. On the way, the packet passes two firewalls, which are configured to pass the traffic, I see the traffic in the logs as "passed".

As I still can't get a connection, I ran tcpdump on the client and the server like "tcpdump -s 65535 port 80".

I uploaded the files to:
Client PCAP
Server PCAP

Something seems to be pretty wrong, but I can't deduce much from that pcap...

asked 30 Nov '15, 02:51

esc4rg0t's gravatar image

esc4rg0t
26227
accept rate: 0%

edited 30 Nov '15, 06:03

Server link is corrupted

(30 Nov '15, 04:29) Christian_R

What led you to that conclusion? :-)

(30 Nov '15, 05:36) esc4rg0t

The posted Link to the "server pcap" file does not work.

(30 Nov '15, 06:00) Christian_R

fixed, my bad...

(30 Nov '15, 06:03) esc4rg0t

One Answer:

1

The server ignores the incoming requests. As you haven't stated whether the problem only exists for that one client or for more clients, the possibilities are:

  • the web daemon is down

  • some firewall is running directly on the server which does not allow requests from that client in

  • if the server has more network cards, there may be a routing issue so it may be sending responses to the client's requests through another card than the one on which you capture, and they may not reach the client because some of the firewalls en route cannot match them with the requests.

answered 30 Nov '15, 06:11

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Well, you're right, it was indeed a routing issue because one of the machines is multi-homed. I overlooked that an entry was missing...:-/

(30 Nov '15, 06:20) esc4rg0t

@esc4rg0t

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(30 Nov '15, 07:05) grahamb ♦