
My server randomly hangs during a CentOS yum update. I changed my CentOS mirrors a couple of times, thinking it was related to the other server, but I still experience the same problem. Here is a tcpdump from my server: https://www.cloudshark.org/captures/773ec35205bb

I tried downloading the same file a couple of times and it either gets stuck at 8,354,960 bytes or downloads the whole file without a problem. I am having trouble understanding what is causing this.

Has anyone come across a similar issue? I would appreciate it if you could guide me on where to start troubleshooting. I was thinking it could be a faulty cable, but it's weird that it always hangs at the same spot or never hangs at all...

asked 07 Jul '17, 15:01

igagnidz

edited 07 Jul '17, 15:03


This looks like something is blocking a very specific pattern, because your client is requesting a retransmission via DUP ACKs near the end of the connection and never receives anything, finally giving up after 8 seconds. Especially if the problem always happens on the same offset it could point to some security device causing this.

If I were you I'd try to download the file from another network, excluding the normal network path your packets are taking, just to check if the same thing happens.

You tagged your question with "error" and "overlaps", but I think those are not really happening - you captured on the local machine that is part of the problem, and a capture like that is heavily biased - you can tell by seeing

  • incorrect TCP checksums - if those were real the packet would have been destroyed, causing massive retransmissions
  • large incoming packets > 1518 bytes, indicating "receive offloading" happening (these are not jumbo frames, because your MSS is 1460)

So the capture quality is simply not good, and you can ignore those "errors". In case you're interested: to get correct capture results, capture on SPAN or TAP with a dedicated capture machine.

answered 07 Jul '17, 16:13

Jasper ♦♦

Thank you @Jasper. I will contact my ISP to see if they have some firewall on the gateway that can cause this.

(08 Jul '17, 14:24) igagnidz
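
Added example, not part of the original answer or of Wireshark: a Python sketch of the two checks the answer describes, flagging frames that only exist because of receive offloading and locating the offset where duplicate ACKs are never answered. The packet records, field names and helper functions are constructed for illustration; only the MSS of 1460 and the 1518-byte frame limit come from the answer.

```python
from collections import namedtuple

# Constructed sample (not the capture linked in the question). seq/ack are
# relative, plen is TCP payload bytes, flen is the captured frame length.
Pkt = namedtuple("Pkt", "t src flags seq ack plen flen")
MSS = 1460  # MSS quoted in the answer
SAMPLE = [
    Pkt(0.000, "S", "A", 0, 1, 1460, 1514),
    Pkt(0.001, "C", "A", 1, 1460, 0, 54),
    Pkt(0.002, "S", "A", 1460, 1, 2920, 2974),  # two segments merged by receive offload
    Pkt(0.003, "C", "A", 1, 4380, 0, 54),
    # bytes 4380..5839 never arrive; later segments trigger duplicate ACKs
    Pkt(0.010, "S", "A", 5840, 1, 1460, 1514),
    Pkt(0.011, "C", "A", 1, 4380, 0, 66),
    Pkt(0.012, "S", "A", 7300, 1, 1460, 1514),
    Pkt(0.013, "C", "A", 1, 4380, 0, 66),
    Pkt(0.014, "S", "A", 8760, 1, 1460, 1514),
    Pkt(0.015, "C", "A", 1, 4380, 0, 66),
    Pkt(8.020, "C", "F", 1, 4380, 0, 54),       # client gives up and closes
]

def offload_frames(pkts, mss=MSS, max_frame=1518):
    """Server frames that were not on the wire as captured: payload above the
    MSS and frame above standard Ethernet size means segments were merged."""
    return [p for p in pkts if p.src == "S" and p.plen > mss and p.flen > max_frame]

def find_stall(pkts, min_dups=3):
    """Return (offset, dup_acks, seconds_waited) if the client keeps ACKing one
    offset that the server never fills afterwards, else None."""
    acks = [p for p in pkts if p.src == "C" and p.flags == "A" and p.plen == 0]
    if not acks:
        return None
    hole = acks[-1].ack                      # offset the client is still waiting for
    same = [p for p in acks if p.ack == hole]
    refilled = any(p.src == "S" and p.t > same[0].t and p.seq <= hole < p.seq + p.plen
                   for p in pkts)
    if len(same) - 1 < min_dups or refilled:
        return None
    last_data = max((p.t for p in pkts if p.src == "S"), default=pkts[0].t)
    return hole, len(same) - 1, round(pkts[-1].t - last_data, 3)

if __name__ == "__main__":
    print("offload artifacts:", [(p.seq, p.flen) for p in offload_frames(SAMPLE)])
    print("stall (offset, dup ACKs, wait s):", find_stall(SAMPLE))
```

If the reported offset is identical across failed downloads of the same file, that matches the answer's point about something on the path dropping a specific segment.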

question asked: 07 Jul '17, 15:01

question was seen: 534 times

last updated: 08 Jul '17, 14:24
