This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tcp retransmission vs tcp port numbers reused

0
1

Hi,

I'm currently debugging an issue where HTTP and HTTPs requests are sent to the switch web server using a wget script from crontab every minute from a workstation. After 1-2 hours the switch resets it self(reboots). When connecting wire shark i see alot of TCP re transmission requests just before the switch loses its ip hangs and resets. I also see alot of ARP request in the wire shark asking to resolve the switch ip when the switch hangs.

In the older builds this issue isn't present. I ran this test similarly on the same switch with an older build. The switch does not reset it self and in the wire shark logs i see 'tcp port numbers reused'.

Is this an area to suspect as to why the switch resets itself?

asked 19 Jun '15, 04:36

V_A's gravatar image

V_A
1122
accept rate: 0%

Older builds of what, Wireshark?

What version(s) of Wireshark are you using, and where in the network are you making the captures? A diagram of the network would help, along with a capture file exhibiting the problem. Use TraceWrangler to anonymise the capture if you need to.

(19 Jun '15, 05:13) grahamb ♦

older builds of the switch software, i'm using wire shark 1.8.10, ill upload both captures. The topology looks like:

wireshark on linux box ----switch---dhcp server

How do i upload the capture?

(19 Jun '15, 05:31) V_A

YOu can use cloudshark at https://appliance.cloudshark.org/upload/

(19 Jun '15, 12:47) mrEEde

I tried uploading the capture, but my files are 8MB in size. I'll capture again and try with smaller files..

(22 Jun '15, 04:49) V_A

One Answer:

0

Is this an area to suspect as to why the switch resets itself?

sounds like a firmware bug that's triggered by

  • the number of frames (counter overflow)
  • a byte pattern in the traffic
  • too high temperature
  • anything else you can imagine

I would be surprised we you would see the reason for this in the capture file. I would rather suggest to enable debug logging in the switch and monitor that via the serial console.

When connecting wire shark i see a lot of TCP re transmission requests just before the switch loses its ip hangs and resets.

That's (most certainly) because the switch has already stopped forwarding frames a few seconds before it reboots.

I also see a lot of ARP request in the wire shark asking to resolve the switch ip when the switch hangs.

Strange. Who asked for the switch MAC/IP?

Regards
Kurt

answered 19 Jun '15, 13:26

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 19 Jun '15, 13:27

Hi Kurt,

Thanks for your inputs.

Since the switch resets, there is no crash data or logs saved. One error message i observed when connecting the debugger was this:

I/O: [err] evsignal_init: socketpair: Too many open files

would the switch reset because there were many tcp connections? Is that plausible?

ARP requests was coming from the IP of the linux box connected to the switch, which was sending the http/https requests. where should i start debugging?

(22 Jun '15, 04:47) V_A