Printer Error

asked 2020-05-01 14:54:18 +0000

smacznego
3 ●1 ●2

I am new to this community. I was looking forward to Sharkfest in KC.

I have the PCAP on a ShareSync/SecuriSync but don't know if it is copacetic to put links to files on here. If so I can put up the link. Setup is the print server, 172.20.250.99 is sending the print job over our VPN (we have no other issues with over 80 sites) to printer 172.20.101.230. You can print other files to this printer over the VPN. And I can print this exact file to the same printer model and driver in another location. The TCP window gets negotiated at 1360 and the stream follows that guideline. After the handshake there are just a plethera of ACK's followed by a RST from the printer. I'm stumped. Admittedly I don't understand how to interpret these and as a network administrator that is embarrassing. But that is why I am trying to get into these communities and go the Sharkfest. I am unable to upload any files yet as I don't have enough points yet. Thank you for any help!

edit retag flag offensive close merge delete

Comments

You can put the capture file on a public share and post a link to it back here. Just make sure there's nothing embarrassing or confidential in the file first.

grahamb ( 2020-05-01 15:10:23 +0000 )edit

https://sharesync.serverdata.net/us/s... thank you!

smacznego ( 2020-05-01 15:17:51 +0000 )edit

add a comment

answered 2020-05-01 16:27:28 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

updated 2020-05-01 17:05:55 +0000

Everything seems to be going fine until the printer end of the connection (.230) sends a RST.

The only thing of note I see is that all the packets from the printer except the RST have a TTL of 63. The RST packets have a TTL of 249 which makes me think they're being sent by a different device than the printer, maybe the VPN.

Can you repeat the capture at the printer end, maybe you'll need a tap?

edit flag offensive delete link

Comments

Interesting. That capture was from the printer network. I can try taking a capture from the server end. Unfortunately I'm using Meraki equipment at both ends. I say unfortunately for a lot of reasons but in this instance their PCAP process is not hands off. Even though I set time constraints it tries to use intelligence to say "well I see nothing so I'm going to stop the capture". I do have a tap and I could set up a mirror on s a switchport if I need to.

smacznego ( 2020-05-01 16:42:31 +0000 )edit

After your comment, I looked at the Meraki firewall and there was a rule blocking a "MICROSOFT TELNET BUFFER OVERFLOW" rule blocking the transmission. Good grief. Thank you for your help!! Is there a way to set the TTL as a column in Wireshark? I tried right-clicking that field and I am not able to get any submenu.

smacznego ( 2020-05-01 17:01:11 +0000 )edit

Now how do I make your comment the resolved answer for this thread?

smacznego ( 2020-05-01 17:02:43 +0000 )edit

Should be able to right-click the field and select "Apply as Column". I mistyped earlier when I mentioned "TCP TTL", should of course be IP. I've corrected my answer.

grahamb ( 2020-05-01 17:05:43 +0000 )edit

I see now the capture is close to the printer (the delta time between the SYN and SYN ACK is very small) but it still seems that there is something between the capture point and the printer, hence the different TTL.

Anyway if the issue has been resolved you can accept the answer by clicking the checkmark icon next to it.

grahamb ( 2020-05-01 17:10:52 +0000 )edit

see more comments

Printer Error

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Printer Error edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Printer Error