
Wireshark ‘fixes’ network issue - but how?

0

Hi All.

Here's the situation. My company has two sites. The two sites are connected via a SonicWall VPN. We have a licence server that provides software licences via UDP port 5093 at one of the sites. Clients local to that site can pull licences without a problem. Clients at the remote site cannot.

If I start Wireshark on a remote client and perform a packet capture of all traffic on UDP 5093, that client 'magically' works and pulls a licence off of the licence server.

I'm trying to understand why that might be to help me troubleshoot the issue. Can anyone help?

Many thanks, Matt.

asked 03 Apr '13, 07:57


mac_xpert


One Answer:

1

Wireshark by default enables promiscuous mode on the network adapter on which it captures. This means the NIC will now forward all packets to the IP stack instead of just the unicasts for its own MAC address and the broadcasts (and subscribed multicasts).

You can check whether that's indeed the reason for the license to work by capturing again, but this time without enabling promiscuous mode (in the capture options). If the licensing now fails again, it was indeed the promiscuous mode that made it work magically...

The next thing to do is find out why the returning packets from the license server are not being forwarded by your NIC. What is the destination MAC address in those packets? Is it a multicast address to which the NIC is not registered? Is it a wrong unicast MAC address?

answered 03 Apr '13, 08:45


SYN-bit ♦♦

Thanks for the reply. I'll test your suggestion. I have found a fix for the problem, but I'm not sure what the root of the issue is yet. If I set the MTU on the local network adapter on the client PC down to 1370 then the licencing works perfectly, whereas at the standard 1500 setting it gave us problems.

(03 Apr '13, 09:09) mac_xpert

In that case, have a look at fragmentation at the IP layer. VPNs encapsulate packets and can therefore create packets which are too big for the network. IP will then fragment them if the DF bit is not set or will send an "ICMP fragmentation needed, but DF bit set" back to the sender when the DF is set.

You can set up your VPN devices to alter the MSS value in the TCP SYN packets to make sure all (TCP) packets are small enough to not need fragmentation. However, this will not solve things for UDP. What protocol does the licensing application use?

(03 Apr '13, 10:00) SYN-bit ♦♦
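
The two checks discussed in this thread (destination MAC filtering without promiscuous mode, and IP-layer fragmentation across the VPN) can be applied to a captured frame as follows. This is an added example, not part of the original thread: the function names, MAC and IP addresses are constructed, and the path MTU of 1370 is an assumption borrowed from the adapter setting that worked for the poster.

```python
import struct

BROADCAST = b"\xff" * 6

def mac_class(dst: bytes, nic_mac: bytes) -> str:
    """How a NIC that is not in promiscuous mode treats this destination MAC."""
    if dst == BROADCAST:
        return "broadcast"        # always passed up the stack
    if dst[0] & 0x01:             # I/G bit set: group address
        return "multicast"        # passed up only if the NIC joined the group
    return "unicast-own" if dst == nic_mac else "unicast-other"  # other: filtered

def triage(frame: bytes, nic_mac: bytes, path_mtu: int) -> dict:
    """Check one Ethernet II / IPv4 frame against both hypotheses in the thread."""
    if len(frame) < 34:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", frame[14:22])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    df = bool(flags_frag & 0x4000)        # Don't Fragment
    mf = bool(flags_frag & 0x2000)        # More Fragments
    offset = (flags_frag & 0x1FFF) * 8    # fragment offset in bytes
    if total_len <= path_mtu:
        path = "fits"
    elif df:
        path = "too big, DF set: expect ICMP fragmentation needed"
    else:
        path = "too big, DF clear: will be fragmented"
    return {"mac": mac_class(frame[0:6], nic_mac), "ip_len": total_len,
            "df": df, "is_fragment": mf or offset > 0, "path": path}

def build_frame(dst: bytes, src: bytes, ip_len: int, df: bool) -> bytes:
    """Constructed sample: Ethernet II + minimal IPv4 header (protocol 17, checksum 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 1, 0x4000 if df else 0,
                     64, 17, 0, bytes([10, 0, 1, 5]), bytes([10, 0, 2, 7]))
    return dst + src + b"\x08\x00" + ip + bytes(ip_len - 20)

if __name__ == "__main__":
    nic = bytes.fromhex("020000000001")      # constructed, locally administered
    peer = bytes.fromhex("020000000002")     # constructed
    for ip_len, df in [(1200, True), (1500, True), (1500, False)]:
        print(triage(build_frame(nic, peer, ip_len, df), nic, 1370))
```

A result of `unicast-other` or an unsubscribed `multicast` points at the promiscuous-mode explanation; a `too big` result points at the MTU explanation.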