This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark capture stops showing packets…even though my server is definitely receiving client traffic


I'm looking into a potential network issue. On a dev box I've been noticing mysterious FIN/ACKs and RST/ACKs that are breaking comm between my client and server. However, before I can start to tackle that I need to know why a capture session just seems to go dead. Both endpoints are 2008.

Problem: I'll start a capture session and see all the expected traffic, then after a short period of time, no packets come through anymore...which is wrong because I can see the client's requests in my server logs, and my server is taking actions that I can observe based upon these requests. Where are these packets, why can't I see them?

Here's the filter I'm using when I run wireshark at the server:

ip.src == [client IP] && ip.dst == [server IP] && tcp.port == [listener port on server]

Note 1: If I kill Wireshark and start it back up it works again for a little bit, then stops.

Note 2: The RST/ACK frames have a win=0, len=0. What should I deduce from this?

Note 3: There is only one client and one server, so I shouldn't have to worry about organizing chatter between discrete clients.

asked 09 May '12, 08:07


KMarks

edited 09 May '12, 08:13


One Answer:

0

First of all, you should never capture data on either client or server, but use a third device to listen in on the conversation (by using SPAN/Monitor Ports, TAPs, etc). Too many strange things can happen if you do local captures, for example what you're experiencing with the capture showing no further packets. It can be related to local firewalling, too much load on the server, or other things where the OS keeps Wireshark/Dumpcap out of the loop.

To address your note number 2: RST (Reset) packets always have a window size of zero, and a length of zero. They terminate a communication, and window=0 means "no more receive buffer available", which is consistent with a session termination. Len=0 means "no TCP payload", which is also correct, because a session termination does not have any.

answered 10 May '12, 01:38


Jasper ♦♦
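The answer's reading of note 2 (RST/ACK, win=0, len=0) can be checked directly on the raw bytes rather than trusting the summary column. The decoder below is an added example and is not part of the original question or answer, nor Wireshark code; the two frames it parses are constructed inline (10.0.0.1 as client, 10.0.0.2 as server, port 8080, zero checksums) purely for the demonstration. It pulls flags, window and payload length out of an Ethernet/IPv4/TCP frame the way Wireshark derives them for its "[RST, ACK] win=0 len=0" line, and it handles the one trap a hand-rolled decoder usually falls into: the Ethernet minimum-frame padding that a NIC appends to a 54-byte RST segment is not TCP payload, so len must come from the IP total length, not the frame length.

```python
import struct

# TCP flag bits, low to high (CWR/ECE/NS omitted; they never appear on a plain RST/ACK).
TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def build_frame(src, dst, sport, dport, flags, window, payload=b"", pad_to=0):
    """Constructed Ethernet/IPv4/TCP frame for the demo (checksums left zero, no options)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1,
                      (5 << 12) | flags, window, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split(".")))) + tcp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frame = eth + ip
    # A real NIC pads short frames up to the 60-byte Ethernet minimum; emulate that.
    if len(frame) < pad_to:
        frame += b"\x00" * (pad_to - len(frame))
    return frame


def decode_tcp(frame):
    """Return the fields behind Wireshark's summary line: flags, win, len."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame or too short")
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    # Slice by the IP total length, not the frame length: Ethernet padding is not payload.
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "payload_len": len(tcp) - data_off,
    }


def summarize(info):
    """One-liner in the style of Wireshark's Info column."""
    return (f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']} "
            f"[{', '.join(info['flags'])}] win={info['window']} len={info['payload_len']}")


def is_abortive_close(info):
    """RST means the peer tore the connection down without a FIN handshake."""
    return "RST" in info["flags"]


# Constructed sample traffic: a client request, then the server's RST/ACK padded to 60 bytes.
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"
REQUEST = build_frame(CLIENT, SERVER, 49152, 8080, 0x18, 65535, b"GET / HTTP/1.1\r\n\r\n")
RESET = build_frame(SERVER, CLIENT, 8080, 49152, 0x14, 0, pad_to=60)

if __name__ == "__main__":
    for frame in (REQUEST, RESET):
        info = decode_tcp(frame)
        print(summarize(info), "<- abortive close" if is_abortive_close(info) else "")
```

Run against the constructed frames this prints the request as `[PSH, ACK] win=65535 len=18` and the reset as `[RST, ACK] win=0 len=0`, matching what the question reports. If you want the same view inside Wireshark on a real capture, the display filter `tcp.flags.reset == 1` isolates the resets; note that the filter in the question only matches one direction (client to server), so a reset sent by the server would be hidden by it.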