This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I am completely new to WireShark and have been struggling to find out why random telnet sessions (Windows XP clients to an older SCO Unix) have been getting dropped lately. We have been working fine since 2000, but over the last couple of years the dropped sessions started, but lately have gotten worse. I was able to download and run WireShark on one of the PC's that experienced a dropped connection today. It's a 15 or 20mg pcap file. I don't know what I am looking for and/or how to interpret the output. Can someone point me in the right direction? Thanks.

asked 20 Sep '11, 12:58

markc's gravatar image

markc
1112
accept rate: 0%


First, I would filter on telnet sessions since that seems to be the problematic application. To do this you could put a filter into the filter bar saying tcp.port==23 (unless your telnet sessions runs on a different TCP port; in that case substitute the port number 23 with whatever you're using). Take a look at the packets and see if there is anything unusual; since Telnet is ASCII based you could use the "Follow TCP stream" filter on session to see what is going on

Next, check if you can find TCP reset packets (filter for that would be tcp.flags.reset==1). TCP sessions that get terminated often have reset packets at the end, but if you don't you still might see Telnet sessions suddenly stopping to work. In that case it might help to do captures both at the telnet client and the telnet server at the same time to compare what is going back and forth. Maybe something in the middle is doing mayhem to the connection for whatever reason.

permanent link

answered 20 Sep '11, 15:48

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Thank you Jasper. It helps to have a pro like yourself, providing some guidance....I really appreciate it. The Unix box is very old (scheduled to be replaced in a couple of months) and right now, some telnet sessions are better than none, so rather than screw something up trying to install WireShark on a system that I am not comfortable working on, AND is on its last leg...is probably not going to happen. However; I am certainly going to review what I have per your suggestions and will report back. If you or anyone else has any other thoughts, I would be eternally grateful to help me get our telnet sessions to a semi-reliable state.

I could be persuaded to try it on the Unix box if someone has had a similar situation and can help guide me through it.

Another thing that seems to exacerbate the telnet dropped connections is when I RDP from my Mac to a Windows server on the LAN, and/or if there seems to be a lot of network traffic. I had the Unix box on the same switch as the other users and tried moving it to its own switch with an uplink to the original switch but eventually the dropped connections come back.

(21 Sep '11, 07:26) markc

Sorry if I left a few things out, but I never recommend installing Wireshark on a box that is having trouble. Captures should always be done on a 3rd, passive box, that listens to a SPAN/Monitor/Mirror port on the switch the box to be captured is connected to. If you don't have manageable switches (thus: no SPAN) you might try using a MiniSwitch or Hub to help you to get to the data.

Regarding RDP - as far as I see it RDP will try to reestablish dropped connections, but that doesn't change the fact that the old connection was broken. Looks like there is some real trouble in your network.

(21 Sep '11, 07:39) Jasper ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×41
×23
×20

question asked: 20 Sep '11, 12:58

question was seen: 3,663 times

last updated: 21 Sep '11, 07:39

p​o​w​e​r​e​d by O​S​Q​A