This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I'm having an issue with TCP communication between two computers. Computer1 at address 192.168.254.39 is supposed to initiate a connection to Computer2 192.168.254.37 on port 6010, and send a short message, 400-800 ASCII characters approximately. Computer2 is then supposed to process that message and respond with a short message of its own, approx 150-300 characters. Computer1 should then close the connection.

What's happening here is that Computer1 connects, Computer2 receives the connection and accepts it, Computer1 sends the message, but Computer2 does not seem to receive it (I haven't put Wireshark on Computer2 yet so not exactly sure what's coming in there). Looking at the communication, is there anything odd here?

asked 31 Mar '16, 11:06

Sarah B

Could you provide us the capture file at a publicly accessible place like Dropbox? You can use a tool like TraceWrangler to anonymize the trace.

(31 Mar '16, 12:11) Christian_R

It's very difficult to troubleshoot from a screen shot. Instead, post a capture file (assuming it doesn't contain confidential information) somewhere publicly accessible, like Cloudshark, or Google Drive, or Dropbox and then edit your question to include a link to the file.

Computer 2 does receive the data, it just doesn't respond with an application-layer message. Computer 1 sends 421 bytes of data in packet 812 and Computer B acknowledges that data in packet 818. Computer 1 sends 736 bytes of data in packet 892 and Computer B acknowledges that data in packet 908.

Computer B receives both data packets, but never sends any data back. Computer A waits about 2.8 seconds and then closes the connection.

answered 31 Mar '16, 12:13

Jim Aragon

Thank you. I'm using Wireshark 2.0.2. In which format should I save the capture file?

(31 Mar '16, 12:20) Sarah B

Also, yes, the messages sent by Computer A do have confidential information and I will need to edit it. So saving to a file that will allow simple editing helps.

(31 Mar '16, 12:26) Sarah B

Either .pcap or .pcapng. .pcapng is Wireshark's default format.

You can use TraceWrangler, available from www.tracewrangler.com, to remove the payload.

(31 Mar '16, 12:28) Jim Aragon

While having an actual trace file is better, in this case, we're probably already seeing everything that's relevant. Again, Computer 2 DOES receive the data. However, Computer 2 does not respond with its own application-layer message. All we can see is that it doesn't send anything. Wireshark shows us what's happening on the network, but not why it's happening. You're going to have to investigate Computer 2 to see why it doesn't respond. Network packets are not going to explain why.

(31 Mar '16, 14:34) Jim Aragon
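
The check described in the answer above (client data acknowledged by the peer's TCP stack, but no payload coming back) can be automated over exported packet fields. This is an added example, not part of the original posts; frame numbers 812/818/892/908 and the 421/736-byte sizes come from the answer, while the handshake and FIN frames, all sequence and acknowledgment values, and the function names are constructed for illustration.

```python
from collections import namedtuple

# Relative sequence numbers, as Wireshark displays them by default.
Pkt = namedtuple("Pkt", "no src dst flags seq ack length")
CLIENT, SERVER = "192.168.254.39", "192.168.254.37"

# Constructed sample. Frames 812/818/892/908 and the 421/736-byte sizes come
# from the answer; handshake and FIN frames and all seq/ack values are assumed.
SAMPLE = [
    Pkt(800, CLIENT, SERVER, "S", 0, 0, 0),
    Pkt(801, SERVER, CLIENT, "SA", 0, 1, 0),
    Pkt(802, CLIENT, SERVER, "A", 1, 1, 0),
    Pkt(812, CLIENT, SERVER, "PA", 1, 1, 421),
    Pkt(818, SERVER, CLIENT, "A", 1, 422, 0),
    Pkt(892, CLIENT, SERVER, "PA", 422, 1, 736),
    Pkt(908, SERVER, CLIENT, "A", 1, 1158, 0),
    Pkt(990, CLIENT, SERVER, "FA", 1158, 1, 0),
]

def summarize(packets, client=CLIENT, server=SERVER):
    """Return (sent, acked): payload bytes each side sent, and how many of
    those bytes the peer's TCP stack acknowledged."""
    sent = {client: 0, server: 0}
    acked = {client: 0, server: 0}
    for p in packets:
        peer = server if p.src == client else client
        if p.length:
            # Data starts at relative seq 1 (the SYN consumed seq 0).
            sent[p.src] = max(sent[p.src], p.seq + p.length - 1)
        if "A" in p.flags:
            # ack N means "received every byte of the peer's stream below N".
            acked[peer] = max(acked[peer], p.ack - 1)
    # An ACK of a FIN counts one extra sequence number; cap at bytes sent.
    for host in acked:
        acked[host] = min(acked[host], sent[host])
    return sent, acked

def diagnose(packets, client=CLIENT, server=SERVER):
    sent, acked = summarize(packets, client, server)
    if sent[client] == 0:
        return "client sent no payload"
    if acked[client] < sent[client]:
        return "server TCP did not acknowledge all client data"
    if sent[server] == 0:
        return "server TCP received all data; server application sent no reply"
    return "server replied"

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print(diagnose(SAMPLE))
```
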