This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Need help interpreting TCP packets


I need help analyzing the logs that are presented by Wireshark. I need someone that knows how to interpret the packet traces involving some handheld scanners in a warehouse. Something has happened to the network traffic in the last 2 weeks making the scanner connections unstable. Before that the network was performing well. We ran a trace using Wireshark but need an expert to help us in interpretation and diagnosis. We see a lot of retransmitted TCP packets (both normal and “spurious”) and a lot of reset packets in the log. Now every 15 minutes or so we get a lost connection error on the wireless devices which forces the user to reconnect. Is there a way to isolate the problem to a specific device or network node?

asked 07 Jun '16, 12:00


jdm77

Is there a way to isolate the problem to a specific device or network node?

Yes, there is, but you gave no details about your network topology, and a single Wireshark trace (taken at a single capturing point) is not enough.

In wired networks, you have to take two captures simultaneously, one at the server end and another one on the scanner end, and see the difference - packets sent at one side but never reaching the other one. After doing that, you would move the capturing point one network segment closer to the source of packets which get lost and do the two captures again. After several such steps, you should be able to identify a network element which causes the loss. But it may well be a passive one (a broken cable or connector).

In wireless networks, the process may be much more complex, as the packet loss may be caused by radio interference from other wireless networks or even from completely different equipment. But unless you have a single AP to which all scanners and also the server are connected wirelessly, there should still be plenty of room for isolating the issue to a limited set of network elements.

A sketch of the network topology should be your starting point, so that you would be able to identify the part of the path between the scanners and the server which is common for all scanners which exhibit the issue.

Publishing the sketch would raise your chances of getting more targeted advice here.

(07 Jun '16, 22:11) sindy
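The two-capture comparison sindy describes above, as an added example that is not part of the original thread: given the packet lists from a capture at the server end and a simultaneous capture at the scanner end, list the packets that left one capture point but never showed up at the other, split by direction and by scanner, so that a scanner (and therefore the path segment only it uses) with all the loss stands out. The packet records are constructed inline for illustration; in practice they would be exported from each pcap, for example with `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.id -e tcp.seq`. Host addresses and the AP assignment are hypothetical.

```python
"""Compare two simultaneous captures and report packets lost between them.

Example code added to illustrate the answer above; it is not from the
original thread. Packet records are constructed inline instead of being
read from pcap files.
"""
from collections import defaultdict, namedtuple

# One record per captured packet: capture timestamp, IP addresses, IP
# identification field and TCP sequence number. ip.id plus tcp.seq lets us
# tell an original segment from its retransmission, which carries the same
# seq but a fresh ip.id.
Pkt = namedtuple("Pkt", "ts src dst ip_id seq")

SERVER = "10.0.0.10"       # hypothetical warehouse server
SCANNER_A = "10.0.1.21"    # hypothetical scanner associated to AP 1
SCANNER_B = "10.0.2.22"    # hypothetical scanner associated to AP 2

# Constructed capture taken at the scanner end (e.g. the switch port feeding
# the APs). Scanner A's first segment and a later one never reach the server;
# the retransmission of the first one does.
SCANNER_CAP = [
    Pkt(1.000, SCANNER_A, SERVER, 0x1001, 100),   # original, lost on the way
    Pkt(1.200, SCANNER_A, SERVER, 0x1002, 100),   # retransmission, arrives
    Pkt(1.300, SERVER, SCANNER_A, 0x2001, 500),
    Pkt(2.000, SCANNER_B, SERVER, 0x3001, 700),
    Pkt(2.100, SERVER, SCANNER_B, 0x4001, 900),
    Pkt(3.000, SCANNER_A, SERVER, 0x1003, 160),   # lost on the way
]

# Constructed capture taken at the server end at the same time. One server
# segment towards scanner A (ip.id 0x2002) was sent but never seen at the
# scanner end.
SERVER_CAP = [
    Pkt(1.203, SCANNER_A, SERVER, 0x1002, 100),
    Pkt(1.297, SERVER, SCANNER_A, 0x2001, 500),
    Pkt(1.500, SERVER, SCANNER_A, 0x2002, 560),   # never reaches scanner end
    Pkt(2.003, SCANNER_B, SERVER, 0x3001, 700),
    Pkt(2.097, SERVER, SCANNER_B, 0x4001, 900),
]


def key(p):
    """Identity of a packet that does not depend on where it was captured.

    Timestamps are deliberately left out: the two capture hosts' clocks are
    rarely aligned well enough to match on them.
    """
    return (p.src, p.dst, p.ip_id, p.seq)


def missing(seen_here, seen_there):
    """Packets present in one capture that never appear in the other."""
    there = {key(p) for p in seen_there}
    return [p for p in seen_here if key(p) not in there]


def loss_report(server_cap, scanner_cap):
    """Count lost packets per (scanner, direction).

    'to_server'  = sent by a scanner, seen at the scanner end, absent at the
                   server end.
    'to_scanner' = sent by the server, seen at the server end, absent at the
                   scanner end.
    Packets that appear only at the receiving end are ignored: those point at
    the capture setup (dropped frames), not at the network.
    """
    report = defaultdict(int)
    for p in missing(scanner_cap, server_cap):
        if p.dst == SERVER:
            report[(p.src, "to_server")] += 1
    for p in missing(server_cap, scanner_cap):
        if p.src == SERVER:
            report[(p.dst, "to_scanner")] += 1
    return dict(report)


def ranked_hosts(report):
    """Total loss per scanner, worst first, to pick the path segment to move
    the capture point towards next."""
    totals = defaultdict(int)
    for (host, _direction), n in report.items():
        totals[host] += n
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    rep = loss_report(SERVER_CAP, SCANNER_CAP)
    for (host, direction), n in sorted(rep.items()):
        print(f"{host} {direction}: {n} packet(s) lost")
    print("suspects:", ranked_hosts(rep))
```

With the constructed data, all loss is on scanner A's flows in both directions while scanner B loses nothing, so the next capture point goes one segment closer to AP 1, as the answer describes. Two caveats when doing this with real captures: some stacks send ip.id = 0 on DF packets, in which case tcp.seq plus the TCP timestamp option is the better identity; and apply the same display filter on both sides before exporting (for this thread's symptoms, `tcp.analysis.retransmission || tcp.analysis.spurious_retransmission || tcp.flags.reset == 1`) so that the comparison stays focused on the segments that matter.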