Ask Your Question
0

Looking for No traffic on Ethernet Interface

asked 2018-08-19 22:21:44 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

More specific, I have a Linux system that would at times see no inbound traffic. Not even broadcast. Local Wireshark capture will show a time gap in the capture file.

Example, WS capture will show all the broadcast the Ethernet interface receives every second...
Suddenly, at (say) 3:45:00am all traffic stops....
The next record # in the WS capture will show 4:20:05am...
And all seems to be back to normal going forward....

During the "dead" period, outside source will not be able to get to this local Linux machine. That is, it will not answer any ARP request and so no router or switch will know where it is and where to go. However, if within the local Linux machine, I just ping out once and flood the ARP table of my network. All goes back to normal as all the switch and router know what MAC goes with what IP address. It is like I have some kind of sleep situation within my local box. Very odd and weird.

Since this box is custom hardware, unlike a normal server or PC, I cannot just change things out to try easily.

Any advice on how to find those gap within a WS capture file..? I do not want to have to brute force by man power to look for gap within this file... This is to aid me in finding issues as I start swapping hardware and firmware to try to confirm if I still have the issue or I have "nailed" and fixed the problem...

Thanks for any advice, in advance....

edit retag flag offensive close merge delete

Comments

Look at the options your managed switch provides for performance data collection. This kind of behaviour I expect happens at the lowest level (L1) of the network stack, something it should have PM data on. If it collects in bins you should be able to pinpoint these events in the 15 minute bins. If your network switch is of the simple kind you won't get much help from it.

Jaap gravatar imageJaap ( 2018-08-20 05:46:09 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-08-20 05:47:24 +0000

Jaap gravatar image

Every frame has a frame.time_delta. If that is larger than some TBD value then that's it, the gap you're looking for.

edit flag offensive delete link more

Comments

Thanks..... That is the trick I am looking for...

Applying a filter like "frame.time_delta > 60" helps me find those random gap in my system. Hence, I can tell if I still have the problem or not...

aggie168 gravatar imageaggie168 ( 2018-08-20 15:51:03 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2018-08-19 22:21:44 +0000

Seen: 546 times

Last updated: Aug 20 '18

Related questions

Why there is port mismatch in tcp and http header for port 51006. Also why the netstat in server do not shows connections under port 51006 even traffic is coming to this port.

Client is waiting for FIN flag from server for 30 sec

follow tcp stream dialogue box

How to tell if TCP segment contains a data in Wireshark?

Help to read this trace

Random Flooding of TCP Retransmissions

How to make wireshark pop out a file when there are a lot of tcp retransmissions?

how to create a graph of the number of active tcp connections over time?

how can I graph mysql response time in wireshark

Is it possible that wireshark doesn't recognize protocol?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2