This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can anyone explain how to look at Wireshark logs please?

0

I captured several logs to see if I could identify connection issues for a p2p multiplayer game, but I have no idea how to look at the logs. I mean, sure, I can activate expert information view, but what do I do next? How do I even tell which packets belong to the process in question? I don't see any option to filter by process name...

Here are some of the logs if anyone might be able to help?

http://www.mediafire.com/file/1a43o4i3awrcmvu/rhyka.pcapng

http://www.mediafire.com/file/04sr0ictuehlw6j/kelly.pcapng

http://www.mediafire.com/file/cy5x5q0qwccwsak/wireshark.pcapng

Are there any error codes or anything I should be looking at? The most I've managed to identify is a few TCP retransmissions, but I don't know if that means anything.

TCP port 27005 is probably the most important, and UDP traffic as well (Not sure which UDP ports though).

asked 17 Feb '17, 13:00

Question

edited 23 Feb '17, 18:46

Jim Aragon

While trying to figure out why I had trouble connecting to my friend in a p2p multiplayer game, I ran Wireshark and noticed that I got this error:

Source : Me Destination : My friend ICMP 103 Destination unreachable (Port unreachable)

(IP addresses removed)

The packet is colored black in Wireshark. I'm confused by why the port is unreachable. A second person was able to connect to my friend with no problems. I was able to connect, but the connection was extremely bad, which may be related to this error.

I also don't understand why the protocol is listed as "ICMP". It should be a TCP or UDP connection. The packet directly preceding this error was a UDP packet from my friend to me.

Can anyone advise on how I'm supposed to figure out why the port was unreachable for me? A third party was able to connect to my friend at the same time, so he is not blocking all ports.

When I double click the packet, it opens up some more info in a window but doesn't tell me why the port was unreachable.

Is there a way for me to paste the packet data here or something?

And why does the forum keep saying my comment is spam?

(18 Feb '17, 13:52) Question

Paste bin with the two packets in question: http://pastebin.com/cvKfb1h6

What I'm trying to understand is the reason for the port unreachable error. Does it mean that my friend tried to send a packet to me but the port was unreachable, or that I tried to send a packet to my friend but his port was unreachable?

(18 Feb '17, 15:23) Question

Wow...this forum is pretty dead.

(20 Feb '17, 00:39) Question

No, the forum is pretty much alive, but there's no guarantee to get an instant answer - people are picking questions that they are interested in when they have time to answer. So please be patient, especially since you posted a lot of content already.

(20 Feb '17, 01:16) Jasper ♦♦

One Answer:

0
"I also don't understand why the protocol is listed as "ICMP". It should be a TCP or UDP connection. The packet directly preceding this error was a UDP packet from my friend to me. Can anyone advise on how I'm supposed to figure out why the port was unreachable for me? A third party was able to connect to my friend at the same time, so he is not blocking all ports."

The ICMP message is sent by your Win7 PC. This indicates that the UDP socket which was successfully receiving data stopped doing so. So nobody in the network is doing this.

It is your local application that closed the UDP socket and only the developers of that application can figure out why (assuming there are no external messages written to an application log).

So you will probably not get the answer you desire from this Wireshark site.

answered 20 Feb '17, 04:08

mrEEde

edited 20 Feb '17, 04:24

grahamb ♦

@mrEEde: Okay let me confirm this. You are saying that Wireshark reports that packet 14091 is me trying to send data to my friend, but the port was unreachable?

I don't know why you are saying that "only the developers of that application can figure out why"...because doesn't Wireshark list the reason right there? That the port was unreachable?

I did more testing and managed to identify the possible cause of the connection problems, but I do not know the reason for WHY.

Basically I had my friend run a UPnP test utility and he reported that the SSDP/UPnP host services weren't running. He set them to running/automatic, and I was suddenly able to connect to him with no issues.

Based on that, it looks like I wasn't able to connect to him properly because his port was not being forwarded and he has NAT. The problem is, nobody else was having issues connecting to him...so obviously the port was open for them, but closed for me.

I'm guessing Wireshark won't help me figure out why the port was closed for me specifically?

(20 Feb '17, 07:52) Question
2

Wireshark shows you WHAT happened (at least from the point of view of the capture site), but can't generally tell you WHY. It's a packet analyzer, not a <insert general network issue> problem fixer.

(20 Feb '17, 08:05) grahamb ♦

"Okay let me confirm this. You are saying that wireshark reports that packet 14091 is me trying to send data to my friend, but the port was unreachable?" No, your friend sent a UDP packet to you but your UDP socket was closed in the meantime (after 12:55:22.496 UTC).

(20 Feb '17, 13:01) mrEEde

@grahamb: So how do I figure out why a port is unreachable?

@mreede: Okay that doesn't make sense..that screenshot doesn't tell me much because it doesn't include source/destination IPs or packet numbers. I'm also not sure which capture file this is referring to since I posted 3 different ones.

Looking at the time stamps, I think it's the file labeled "wireshark", the 3rd one. The problem with that packet is that the port closed because I disconnected from the host by that point. So that's normal.

Did any of you take a look at the paste bin I posted? Because that's the important one:

http://pastebin.com/cvKfb1h6

This occurred when I was attempting to connect to my friend who was hosting a p2p multiplayer game.

I have had people tell me two different scenarios based on that pastebin. Some people say that it is me failing to reach my friend's port, some people say that it's my friend failing to reach my port. I cannot tell who is correct.

If it is my friend failing to reach my port, this makes no sense at all because the connection problem is solved by my friend (the host) enabling upnp for his PC.

(20 Feb '17, 15:20) Question

"I have had people tell me two different scenarios based on that pastebin. Some people say that it is me failing to reach my friend's port, some people say that it's my friend failing to reach my port. I cannot tell who is correct."

Neither is correct. An ICMP Type 3, Code 3 message ("Destination Unreachable, Port Unreachable") does not mean "unreachable" from a routing perspective. It does not mean that the packet is not able to physically reach the destination system. In fact, the packet did get there. "Destination Unreachable, Port Unreachable" means that the packet was rejected because nothing on the destination system is listening on that port.

(20 Feb '17, 15:28) Jim Aragon

@Jim Aragon: Thanks for that explanation. What would be the Wireshark message if the packet was rejected because the port was blocked instead?

(23 Feb '17, 14:03) Question

A well-behaved firewall that has been configured to block a port will usually just silently discard packets for that port, so there will be no packet in Wireshark and therefore no Wireshark message.

(23 Feb '17, 17:35) Jim Aragon
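
Added example, not part of the original thread: an ICMP Type 3, Code 3 message quotes the IP header and at least the first 8 bytes of the datagram that was rejected, so the direction asked about above can be read from the packet itself. The Python below parses a constructed IPv4 packet; the addresses and ports are made-up documentation values, and the function names are this example's own.

```python
import socket
import struct

def build_sample() -> bytes:
    """Constructed IPv4 packet: host 192.0.2.10 rejects a UDP datagram from 198.51.100.20."""
    me, peer = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20")
    # Quoted original datagram: peer:40000 -> me:40001 over UDP (checksums left at 0).
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0, 0, 64, 17, 0, peer, me)
    inner_udp = struct.pack("!HHHH", 40000, 40001, 16, 0)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner_ip + inner_udp  # type 3, code 3
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0, me, peer)
    return outer_ip + icmp

def parse_port_unreachable(pkt: bytes):
    """Return who rejected what, or None if pkt is not a usable ICMP type 3 / code 3 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:
        return None  # not IPv4 carrying ICMP
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:
        return None  # not Destination Unreachable / Port Unreachable
    inner = icmp[8:]  # quoted IP header followed by the start of the original datagram
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner_ihl < 20 or inner[9] not in (6, 17) or len(inner) < inner_ihl + 4:
        return None  # truncated quote, or a protocol without port numbers
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return {
        "reported_by": socket.inet_ntoa(pkt[12:16]),        # host that sent the ICMP error
        "original_sender": socket.inet_ntoa(inner[12:16]),  # host whose packet was rejected
        "original_dest": socket.inet_ntoa(inner[16:20]),
        "protocol": {6: "tcp", 17: "udp"}[inner[9]],
        "src_port": sport,
        "closed_port": dport,  # port with no listener on the reporting host
    }

if __name__ == "__main__":
    print(parse_port_unreachable(build_sample()))
```

In Wireshark, the display filter `icmp.type == 3 && icmp.code == 3` isolates these packets, and the quoted header appears nested under the ICMP layer in the packet details.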