Ask Your Question
0

Meaning of Several "No response found" but ping from pc working

asked 2018-03-07 19:43:55 +0000

anonymous user

Anonymous

updated 2018-03-07 19:57:04 +0000

Hi everyone,

I have an issue with several Computers that get stuck for several seconds but ping between PC and router Mikrotik or server seems just fine latency 1-10ms only ...

The trace file shows several times "no response found" followed by "reply in xxx" and "Request in xxx"

What is wireshark trying to tell me ?

Thank you for the time

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted
0

answered 2018-03-25 08:14:55 +0000

Jim Young gravatar image

The trace file shows several times "no response found" followed by "reply in xxx" and "Request in xxx"

What is wireshark trying to tell me ?

From reviewing your capture.

Apply a display filter of "icmp" and it may make it easier to see.

An IPv4 ping is implemented using ICMP echo request and ICMP echo reply packets. When Wireshark sees either one of these packets it attempts to find the the expected peer packet in the current trace file. The system sending the request includes an id and a seq field. The seq field typically increments by one with each subsequent request. The reply packet simply echos these values back to the sender of the request where they are correlated and reported to the user.

Within Wireshark the value of the seq field, by default, is displayed twice delimited by a "/" character; once as big-endian number and the other as little-endian number. The seq is displayed twice because some ping implementations (e.g. Microsoft Windows) write the seq number field into the packet in a different byte order then your typical *nix systems do.

Wireshark attempts to do request/response tracking.

In the case of "Echo (ping) request" packets, if the peer packet is found, the message "(reply in xxx)" is displayed where xxx is the packet number of peer echo reply packet. But if the reply packet is not seen then the message "(no response found)" is displayed.

In the case of the Echo (ping) reply packets, if the peer packet is found the message "(request in xxx)" is displayed where xxx is the packet number of the peer echo requests packet. There is no "(no request found)" message displayed when no corresponding request can be found for a reply.

Here is where is gets interesting.

Your trace file shows lots of ping reply packets that have no "(request in xxx)" messages in them. Unless you have something spoofing ICMP echo replies (very unlikely), this implies the packet trace was captured from a point or interface where it did not see the request that solicited the reply. This can happen when you have multiple nic interfaces on a host and the request was received on one interface but the reply exits on a different interface (the one you were capturing).

But focusing on the few packets where you did have ICMP Echo requests, you in fact have two copies of each request followed by two copies of each reply which can cause some confusion. Specifically look at frames 10, 11, 12 and 13.

Frame 11 is a duplicate of the frame 10 echo request and frame 13 is a duplicate of the frame 12 ping reply. Wireshark's request/response tracking appears to break down in this case. Wireshark associates frame 11 (duplicate) reply with the frame 12 (original) reply and declares the frame 10 (original) request as "(no response found)". And it does not pair the frame 12 (duplicate) reply with either frame 10 (original) nor 11 (duplicate ... (more)

edit flag offensive delete link more
0

answered 2018-03-07 20:23:42 +0000

cmaynard gravatar image

What is wireshark trying to tell me ?

Without a pcap file to examine to be sure, Wireshark is very likely trying to tell you that it has a bug, probably Bug 11414.

edit flag offensive delete link more

Comments

do you have an email to send it to, here i am not allowed to send pcap file ...

Matthias gravatar imageMatthias ( 2018-03-07 21:29:04 +0000 )edit

Put the capture file on a public share and post a link back here by editing your question. You can use a share such as CloudShark, Google Drive, DropBox etc.

grahamb gravatar imagegrahamb ( 2018-03-07 21:44:53 +0000 )edit
Matthias gravatar imageMatthias ( 2018-03-07 22:07:57 +0000 )edit

there is an WIFI antenna in between but the pings from other side is great, no loss but complains from side x.x.101.195 it is slow to other end ending with x.x.2.10 and x.x.2.4

Matthias gravatar imageMatthias ( 2018-03-07 23:00:52 +0000 )edit

Well, unfortunately I can't access any files on Drive from within my corporate environment.

Website filtered by Websense 
Reason: This Websense category is blocked: Personal Network Storage and Backup. 
URL: https://drive.google.com/file/d/1Vr4G_e5W7SGpboIHpH_h9t6Mxjxh4ofr/view?usp=shari ng
DATE: 03/08/2018
USERNAME: Maynard Chris
IP ADDRESS: X.X.X.X

Sharing capture files has been a longstanding problem; perhaps one day a more elegant solution will be realized. In the past, Joe McEachern from QA Café (Cloudshark) offered up the Wireshark project a Cloudshark appliance. I hope one day for a solution such as this. More details/links in my comments to this question.

cmaynard gravatar imagecmaynard ( 2018-03-08 02:17:08 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-03-07 19:43:55 +0000

Seen: 3,501 times

Last updated: Mar 25