ICMP - Yet another destination unreachable - Rookie

Hi there, I am neither a Wireshark nor a packet capture expert; nevertheless, I am attempting to understand why a SIP/TLS app is not behaving as expected, so I have attached Wireshark to a mirrored port on our switch, which mirrors all traffic on the PBX network.

What catches my eye is that we have some ICMP errors:

No.     Time               Source                Destination           Protocol Length Info                                               DSCP
1056    11:27:32.748536    172.16.4.10           8.8.8.8               ICMP     174    Destination unreachable (Port unreachable)         Class Selector 6,Default

Frame 1056: 174 bytes on wire (1392 bits), 174 bytes captured (1392 bits) on interface \Device\NPF_{--------HIDDEN----------}, id 0
    Interface id: 0 (\Device\NPF_{--------HIDDEN----------})
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 16, 2021 11:27:32.748536000 W. Europe Daylight Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1618565252.748536000 seconds
    [Time delta from previous captured frame: 0.000332000 seconds]
    [Time delta from previous displayed frame: 0.000332000 seconds]
    [Time since reference or first frame: 56.350984000 seconds]
    Frame Number: 1056
    Frame Length: 174 bytes (1392 bits)
    Capture Length: 174 bytes (1392 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:ip:udp:dns]
    [Coloring Rule Name: ICMP errors]
    [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: Panasoni_yy:yy:yy (xx:xx:xx:xx:xx:xx), Dst: PeplinkI_xx:xx:xx (yy:yy:yy:yy:yy:yy)
    Destination: PeplinkI_xx:xx:xx (yy:yy:yy:yy:yy:yy)
        Address: PeplinkI_xx:xx:xx (yy:yy:yy:yy:yy:yy)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Panasoni_yy:yy:yy (xx:xx:xx:xx:xx:xx)
        Address: Panasoni_yy:yy:yy (xx:xx:xx:xx:xx:xx)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.16.4.10, Dst: 8.8.8.8
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 160
    Identification: 0xfaa4 (64164)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment Offset: 0
    Time to Live: 64
    Protocol: ICMP (1)
    Header Checksum: 0xbece [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 172.16.4.10
    Destination Address: 8.8.8.8
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0xbda8 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 8.8.8.8, Dst: 172.16.4.10
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 132
        Identification: 0x87a6 (34726)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment Offset: 0
        Time to Live: 119
        Protocol: UDP (17)
        Header Checksum: 0xfb98 [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 8.8.8.8
        Destination Address: 172.16.4.10
    User Datagram Protocol, Src Port: 53, Dst Port: 63882
        Source Port: 53
        Destination Port: 63882
        Length: 112
        Checksum: 0x2261 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 12]
        UDP payload (104 bytes)
Domain Name System (response)
    Transaction ID: 0x39f2
        [Expert Info (Warning/Protocol): DNS response retransmission. Original response in frame 1055]
            [DNS response retransmission. Original response in frame 1055]
            [Severity level: Warning]
            [Group: Protocol]
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 2
    Authority RRs: 0
    Additional RRs: 0
    Queries
        mobile-sip-1277875736.ap-northeast-1.elb.amazonaws.com: type A, class IN
            Name: mobile-sip-1277875736.ap-northeast-1.elb.amazonaws.com
            [Name Length: 54]
            [Label Count: 5]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        mobile-sip-1277875736.ap-northeast-1.elb.amazonaws.com: type A, class IN, addr 54.178.136.218
            Name: mobile-sip-1277875736.ap-northeast-1.elb.amazonaws.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 20 (20 seconds)
            Data length: 4
            Address: 54.178.136.218
        mobile-sip-1277875736.ap-northeast-1.elb.amazonaws.com: type A, class IN, addr 3.115.118.189
            Name: mobile-sip-1277875736.ap-northeast-1.elb.amazonaws.com
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 20 (20 seconds)
            Data length: 4
            Address: 3.115.118.189
    [Retransmitted response. Original response in: 1055]

Apparently the error is thrown by IP 172.16.4.10 (PBX) attempting to ping 8.8.8.8 (Google DNS), which is reachable. Where am I wrong? Is this normal?
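
Added example (not part of the original post): a minimal Python parser for the ICMP type 3 message shown in the dump. Per RFC 792, a destination-unreachable error quotes the IP header and leading bytes of the datagram that triggered it, so parsing it shows which host reported the error and which datagram it rejected. The sample bytes are constructed from the field values in the dump and truncated after the quoted UDP header; all function names are hypothetical.

```python
import socket
import struct

CODES = {0: "net unreachable", 1: "host unreachable",
         2: "protocol unreachable", 3: "port unreachable"}

def ipv4_header(tos, total_len, ident, ttl, proto, csum, src, dst):
    """Build a 20-byte IPv4 header (no options, flags/offset 0) for the sample."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, 0, ttl,
                       proto, csum, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (header_len, protocol, src, dst) of an IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def explain_unreachable(packet):
    """Explain an IPv4 packet that carries an ICMP destination-unreachable error."""
    ihl, proto, reporter, notified = parse_ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 3:
        raise ValueError("not an ICMP destination unreachable message")
    quoted = icmp[8:]  # start of the datagram that triggered the error
    q_ihl, q_proto, q_src, q_dst = parse_ipv4(quoted)
    result = {"reporter": reporter, "notified": notified,
              "code": CODES.get(icmp[1], str(icmp[1])),
              "rejected_src": q_src, "rejected_dst": q_dst, "rejected_proto": q_proto}
    if q_proto == 17 and len(quoted) >= q_ihl + 8:  # quoted UDP header present
        sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
        result.update(rejected_sport=sport, rejected_dport=dport)
    return result

# Constructed sample: outer IP + ICMP header + quoted IP/UDP headers, using the
# values from frame 1056 (checksums copied from the dump, not verified here).
SAMPLE = (
    ipv4_header(0xC0, 160, 0xFAA4, 64, 1, 0xBECE, "172.16.4.10", "8.8.8.8")
    + struct.pack("!BBHI", 3, 3, 0xBDA8, 0)
    + ipv4_header(0x00, 132, 0x87A6, 119, 17, 0xFB98, "8.8.8.8", "172.16.4.10")
    + struct.pack("!HHHH", 53, 63882, 112, 0x2261)
)

if __name__ == "__main__":
    print(explain_unreachable(SAMPLE))
```

For the sample, the reporter is 172.16.4.10 and the rejected datagram is UDP from 8.8.8.8 port 53 to 172.16.4.10 port 63882, the DNS response that Wireshark flags as a retransmission.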