Is Wireshark what I need?

Hi all,

I have been referred to Wireshark following an issue where the firewall on the server that hosts three websites that I administer blocked my IP address "due to too many open connections with the no-expire". I really have no idea what that means beyond the literal obvious. When I Googled for more info, the results didn't make much sense to me. I have no experience with networking and such.

I shut my computer off when I'm not using it and only access my websites via a browser and occasionally an FTP program when I'm actually working on them, over my secured home WiFi network.

Will Wireshark allow me to figure out where/how any no-expire open connections originate so I can do something about them? The block was quite inconvenient and disruptive to my workflow so I have a vested interest in making sure I don't get blocked again...but I feel like I am in over my head on this.

Thanks!

asked 30 Jul '16, 08:26

Sakaane

"too many" may easily be just two or three as this threshold should normally be configured by the firewall administrator. But as you say you normally shut your computer down when not using it, it may be that your browser doesn't disconnect the TCP connections properly when it gets the termination signal from the operating system during shutdown, so they may still be alive on the server-side firewall when you start your PC next time and open your web pages in your browser again.

To confirm or exclude that, you'd have to run the capture on some other PC than the one you are shutting down - preferably on a cable between your PC and your home router (i.e. not using the wireless connection, as capturing other devices' traffic at a wireless interface is rarely straightforward, except if you have a new enough Mac). See Wireshark Wiki's capture setup page for instructions on how to capture other devices' traffic on a wired network.

Also, FTP is not really easy to be handled at a firewall as it uses several TCP connections at a time, one for the control session and another one for each file to be transferred, so there may be a bug in session counting in the firewall.

And there may also be a TCP or FTP handling bug in your home router as I assume that you use NAT on it, so the TCP sessions' packets aren't just transparently forwarded through it. So if there is an Ethernet cable between your ADSL or cable modem and your wireless AP, the best point to start capturing what happens is the connection between the two. If you have a modem with a wireless interface directly on it, it is almost impossible to see what happens unless you can run tcpdump directly on it.

(30 Jul '16, 10:04) sindy

Thanks for your reply, Sindy. I guess I am stuck since I do not have a second PC to use and cannot get one.

You said, "it may be that your browser doesn't disconnect the TCP connections properly when it gets the termination signal from the operating system during shutdown". My browser is already closed prior to initiating shutdown. I manually exit all foreground programs myself and then choose shutdown afterward. Either way, could any open connections really still be alive the next time I start the computer? We are talking about a minimum of eight hours (and usually more than that) where my PC is off.

I don't know what NAT is. The router is my wireless access point.

From my (limited experience) perspective, I guess I am pretty confused about all of this in general because nothing about what I do activity-wise or the equipment being used has changed in more than two years. So why would I suddenly have this problem when I never did before?

(31 Jul '16, 09:02) Sakaane

I guess I am stuck since I do not have a second PC to use and cannot get one.

As you say you first stop the browser manually, it should not be a big deal, as in such a case you can verify whether it properly tears down TCP connections when you close it using Wireshark running on the same PC.

I don't know what NAT is.

From your internet service provider, you usually get a single IP address. If your home network is prepared for connection of more than one device (which is the typical case), the home router itself takes the address assigned by the ISP, and it must send all requests to the internet from this address so that the responses can reach it. It means that it must change the source IP address of the requests coming from the devices in your home network, and as several devices may use the same source port, it must often change also the source port. It keeps track of these changes so that when a response from the internet comes back to a given port, it can backtrack the actual destination of the response in your home network and deliver it. This is called Network Address Translation - NAT. Strictly speaking it is NAPT (P as Port), but the latter abbreviation is rarely used.

The router is my wireless access point.

I understand this as "I have a single box which connects directly to the phone line (coax cable) and acts as a wireless AP". In this case, you would be stuck if the cause of this issue were inside this box.

nothing about what I do activity-wise or the equipment being used has changed in more than two years. So why would I suddenly have this problem when I never did before?

If you haven't installed any operating system or browser upgrades during these two years, and haven't upgraded the firmware of your modem/router/AP box, then something must have changed at the hosting provider's side. In that case, and if your capture shows that the browser correctly FINs the TCP sessions when closed, the only thing you may do is not to connect to those sites at all for, say, 48 hours, and then first start capturing and then open the pages in the browser and close them multiple times until the hosting provider cuts you off, and then stop the capture. This should show that the behaviour was correct at your PC, and if so, you may ask the hosting provider to check their configuration, referring to your capture files. Have a look at TraceWrangler if you feel like anonymizing the traces before handing them out to someone else.

(01 Aug '16, 02:17) sindy
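As an added example, not part of this thread: a small Python script that does the check sindy describes in both comments above, listing the TCP conversations in a capture that were never closed with a FIN or RST (the ones a server-side firewall would still be counting). It parses a classic pcap file directly, so it needs neither Wireshark nor any third-party library, and it builds a constructed sample capture inline; the addresses, ports and flag sequence are made up for illustration.

```python
import struct
from collections import defaultdict
FIN, RST = 0x01, 0x04  # TCP flag bits that end a conversation

def tcp_flows(pcap_bytes):
    """Map each TCP endpoint pair (either direction) to packet count and whether
    a FIN or RST was seen. Classic pcap, Ethernet/IPv4/TCP; other frames skipped."""
    endian = "<" if struct.unpack("<I", pcap_bytes[:4])[0] == 0xA1B2C3D4 else ">"
    flows = defaultdict(lambda: {"packets": 0, "closed": False})
    pos = 24  # skip the pcap global header
    while pos + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        key = tuple(sorted([(src, sport), (dst, dport)]))  # same key both ways
        flows[key]["packets"] += 1
        if tcp[13] & (FIN | RST):
            flows[key]["closed"] = True
    return dict(flows)

def open_flows(pcap_bytes):
    """Endpoint pairs that never saw FIN or RST: what a firewall would still count."""
    return sorted(k for k, v in tcp_flows(pcap_bytes).items() if not v["closed"])

# Constructed sample capture (not real traffic): minimal frames, checksums left zero.
def _frame(src, sport, dst, dport, flags):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

PC, SRV = "192.168.1.10", "203.0.113.5"
SAMPLE_PCAP = _pcap([  # SYN=0x02, SYN/ACK=0x12, ACK=0x10, FIN/ACK=0x11
    _frame(PC, 50000, SRV, 443, 0x02), _frame(SRV, 443, PC, 50000, 0x12),
    _frame(PC, 50000, SRV, 443, 0x10), _frame(PC, 50000, SRV, 443, 0x11),
    _frame(SRV, 443, PC, 50000, 0x11), _frame(PC, 50000, SRV, 443, 0x10),  # torn down
    _frame(PC, 50001, SRV, 443, 0x02), _frame(SRV, 443, PC, 50001, 0x12),
    _frame(PC, 50001, SRV, 443, 0x10),  # handshake only: this one is left open
])
```

To run it against a real capture, save the capture from Wireshark as a classic pcap (not pcapng), read the file as bytes and pass them to `open_flows`.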