Network Diagnostics using Wireshark

Overview

Some of the causes for network problems can be diagnosed using Ethereal. Several of the most common network issues are listed below. Packet capture .pcap files for each scenario are available to load into Ethereal.

The output in the scenarios was created using tethereal, the command-line interface to Ethereal. Loading the provided packet captures into the GUI based Ethereal will provide more interactive and visually distinct information.

Port Closed

Here we see the client 10.0.10.10 attempting to connect to the server 10.0.20.20 on port 80/tcp. The server replied to the client's SYN with a RST/ACK, indicating that no network service is listening that port.

$ tethereal -r port-closed.pcap

1   0.000000   10.0.10.10 -> 10.0.20.20   TCP 43284 > www [SYN] Seq=0 Ack=0 Win=32767 Len=0 MSS=16396 TSV=4768820 TSER=0 WS=2
2   0.000037   10.0.20.20 -> 10.0.10.10   TCP www > 43284 [RST, ACK] Seq=0 Ack=0 Win=0 Len=0

No Route to Host

In this capture, 10.254.254.254 could not be reached. The address may not be routed, there may be a router misconfiguration, or the address is too far away.

This was captured on 10.0.10.10. Here we see that when the client 10.0.10.10 tried to connect to 10.254.254.254. An intermediate router 10.0.200.5 sent an error message to the client. The Time-to-live or TTL is a field in the header of every IP packet. Each time a packet passes through a router, the router will decrement and rewrite that field as (TTL - 1). If a router ever decrements the TTL to 0, it sends an ICMP Time-to-live exceeded message to the IP Source address. This is basis of how most traceroutes operate today.

$ tethereal -r no-route.pcap

1   0.000000   10.0.10.10 -> 10.254.254.254 TCP 44526 > www [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=518747702 TSER=0 WS=2
2   0.036629   10.0.200.5 -> 10.0.10.10   ICMP Time-to-live exceeded (Time to live exceeded in transit)

No Reply

For this capture, 10.20.0.99 is firewalled or down (off the network)

This was captured on 10.0.10.10. Here we see the client 10.0.10.10 trying to connect to 10.20.0.99 but there is no reply of any kind. It may be that a firewall is configured to DROP this connect for 10.20.0.99

$ tethereal -r no-reply.pcap
1   0.000000   10.0.10.10 -> 10.20.0.99   TCP 48984 > www [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460 TSV=521386855 TSER=0 WS=2
2   2.999518   10.0.10.10 -> 10.20.0.99   TCP 48984 > www [SYN] Seq=0 Ack=0 Win=23360 Len=0 MSS=1460 TSV=521389855 TSER=0 WS=2
3   8.998194   10.0.10.10 -> 10.20.0.99   TCP 48984 > www [SYN] Seq=0 Ack=0 Win=23360 Len=0 MSS=1460 TSV=521395855 TSER=0 WS=2

Packet Loss

This was captured on 10.0.20.20. Here we see the client 10.0.10.10 sending a duplicate TCP SYN (packet #3). This implies the client never received packet #2, implying a lossy connection. The SEQ/ACK analysis of ethereal also shows us later on that packet #14 was a TCP Retransmission, further adding to the assumption that the client is connected via a lossy connection.

$ tethereal -r lossy.pcap

1   0.000000   10.0.10.10 -> 10.0.20.20   TCP 51107 > 81 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
# No. 2 will be lost somewhere before it reaches .10
2   0.000030   10.0.20.20 -> 10.0.10.10   TCP 81 > 51107 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460
# Having never received a SYN/ACK, .10 tries to connect again
3   3.028411   10.0.10.10 -> 10.0.20.20 TCP 51107 > 81 [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1460
# This SYN/ACK made it through...
4   3.028421   10.0.20.20 -> 10.0.10.10   TCP 81 > 51107 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460
# ... and .10 finished the three-way handshake
5   3.028660   10.0.10.10 -> 10.0.20.20   TCP 51107 > 81 [ACK] Seq=1 Ack=1 Win=1460 Len=0 TSV=1815080 TSER=735746186

# ... snip ...

14   3.255979   10.0.20.20 -> 10.0.10.10   TCP [TCP Retransmission] 81 > 51107 [ACK] Seq=1 Ack=462 Win=6432 Len=1448 TSV=735746209 TSER=1815084