This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Debugging internet disconnects with wireshark

0

Hello, we have been experiencing problems with our home network and I am now reaching out for help in tracing the problem. The problem is that atleast two computers on the home network are getting disconnected on a regular basis (some days it happens more frequently and some days it doesn't happen at all. By disconnected I mean that the internet stops working (e.g. a YouTube video stops playing, a game loses connection to the server etc, but it never says that the computer was disconnected from the router network name). When a computer gets disconnected, it still works on all the other computers (not every device on the network is affected by each disconnect).

Today the problem happened when I watched a YouTube video (the video stopped playing with an error message). I opened up WireShark and started capturing and this is what I got:

Below are links to 4 images from the capture (I'm sorry to have to link to these instead of embedding them as images, but the image size looked weird when I tried to do that).

My computer sends ARP requests asking for the owner of the routers IP (192.168.1.9): imgur

There's also some NBNS (netbios?) packets from the other computer which also experiences the problems (but not at the time of this capture) - Another fact: we tried disabling Netbios on that computer but we still get these ISATAP messages: imgur

After a while, lets say 30 seconds, the router responds to my ARP requests and I can then use the internet again: imgur

The NBNS packets still continues after the ARP respond: imgur

To clarify:

192.168.1.236 was the computer experiencing the problem and the machine which captured the logs with WireShark (runs a linux distribution)

192.168.1.34 the machine sending the NBNS packets (which may not be related to the problem at all) (runs Windows 7)

My question is: Is it possible to draw any conclusion from this log as to what the problem may be? Is it possible to narrow down the search to finding the problem? What else can I do to track the problem?

Thank you in advance for any information you can share on this subject!

asked 14 Feb '15, 13:30

steelman's gravatar image

steelman
11113
accept rate: 0%


One Answer:

0

ARP is used to find the mac-address (ethernet hardware address) of a system. If 192.168.1.9 is your router to the rest of the world. When your system 192.168.1.236 is ARPing for 192.168.1.9, it means it timed out the entry for 192.168.1.9 from its cache (this is normal behavior to make sure you have the right address in the cache even when the network has changed). So far, so good.

The fact that your router is not quickly responding to the ARP request is the source of your disconnects. Without the ARP response, you system does not know anymore where to send the data destined to the Internet anymore. Since YouTube works with TCP, your system still needs to send ACK frames telling YouTube that it received data packets.

Have a look at the router firmware version and check whether there is a newer version available that might solve this issue. If there is not, you might want to raise a support call with the vendor.

answered 15 Feb '15, 01:46

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%