LAN side capture has many TCP errors
I'm trying to TS a potential issue with my internet. I am using a Linksys MX4200 Velop Mesh. Ever since I upgraded my internet speed from 80 mbps to 600 mbps, I've had intermittent issues with short times where I get a 'server not found' errors. When this happens, I jump on a CMD window and try tracert and nslookup to see what's happening. It looks like I'm seeing DNS issues, I get timeouts with the nslookup cmd. But If I use the ISPs DNS server instead of the router's IP, it succeeds (most of the time).
So I'm tracing on both the WAN side and the LAN side of the router, and what I see makes no sense to me. Quite often, On the LAN side, I see a DNS request from a node on my network. On the WAN side I see FOUR requests, One for each of the DNS server address configured on the WAN side, 2 IPv4 and 2 IPv6, three of the replies return a 'Destination unreachable (Port unreachable)'. only one is returned to the host. What the heck is going on?
The issue also seems like it could be related to my TiVo streaming setup. I have the TiVo Bolt using a hardwired connection to a Cisco switch. The switch is connected to one Ethernet port on the router. When I trace this with Wireshark, on the WAN side looks pretty normal with an occasional TCP Spurious Retransmission, or ACKed unseen segment. But on the LAN side I see a huge number of TCP Retransmission, Dup ACKs and Spurious Retransmission.
I've used wireshark many times, but not for in depth analysis. I would really appreciate it if I could get pointers on how to analyze this and a possible explanation of what is going on.
I'm suspect that the router may be part of the problem. So I'm thinking of trashing it and getting a different one if I can determine if the router is at fault. I'm suspecting that the switch in the router can't handle the traffic, even though it claims to be 1Gbps
I am on Xfinity Internet and TV. (No jokes please. ;-)
What is the destination IP address and port of DNS query that fails on the WAN capture?
Thank you for replying so quickly. I have a trace filtered on DNS only of the WAN side and the LAN side taken at the same time. The traced are about 3 sec out of sync (computer clock off?). It seems I'm too new to this site and it won't let me upload files, so the hard way:
Original DNS Request LAN side:
Final reply to requestor:
Sequence of packets captured on WAN side.
(more)The DNS addresses are correct. Can you decode the ICMP Unreachable messages? It will have the header information of the original packet. I didn't want to make the assumption it is udp port 53.
SORRY, MY BAD. I read your messages backwards. The router sends queries to both DNS servers. There aren't any time stamps. Were both DNS queries sent at the same time or did the first one timeout? It could be a DNS timeout and the port is no longer valid. Is there any capture of the LAN side to determine if the router forwards the DNS response?
Since I can't upload the traces, here they are on Drop Box: DropBox: Wireshark
You will see that the WAN packets are captured in exactly the order shown. The four DNS request are sent almost at the same time, and the response arrives about 10ms later after all the requests were sent. There is about a 3 second offset between these two files (likely due to compute time is off).
I figured DNS requests can't contain very much private data, let me know if I'm mistaken.