This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

network connection intermittently hangs at same byte

0

My server randomly hangs during CentOS yum update. I changed my CentOS mirrors a couple of times, thinking it was related to the other server, but I still experience the same problem. Here is a tcpdump from my server: https://www.cloudshark.org/captures/773ec35205bb

I tried downloading the same file a couple of times and it either gets stuck on 8,354,960 bytes or downloads the whole file without a problem. I am having trouble understanding what is causing this.

Has anyone come across a similar issue? I would appreciate it if you could guide me on where to start troubleshooting. I was thinking it could be a faulty cable, but it's weird that it always hangs at the same spot or never hangs at all...

asked 07 Jul '17, 15:01

igagnidz
accept rate: 0%

edited 07 Jul '17, 15:03


One Answer:

0

This looks like something is blocking a very specific pattern, because your client is requesting a retransmission via DUP ACKs near the end of the connection and never receives anything, finally giving up after 8 seconds. Especially if the problem always happens on the same offset it could point to some security device causing this.

If I were you I'd try to download the file from another network, excluding the normal network path your packets are taking, just to check if the same thing happens.

You tagged your question with "error" and "overlaps", but I think those are not really happening - you captured on the local machine that is part of the problem, and a capture like that is heavily biased - you can tell by seeing

  • incorrect TCP checksums - if those were real the packet would have been destroyed, causing massive retransmissions
  • large incoming packets > 1518 bytes, indicating "receive offloading" happening (these are not jumbo frames, because your MSS is 1460)

So the capture quality is simply not good, and you can ignore those "errors". In case you're interested: to get correct capture results, capture on SPAN or TAP with a dedicated capture machine.

answered 07 Jul '17, 16:13

Jasper ♦♦
accept rate: 18%

Thank you @Jasper. I will contact my ISP to see if they have some firewall on the gateway that can cause this.

(08 Jul '17, 14:24) igagnidz
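
The two local-capture artifacts named in the answer (TCP checksums that do not verify, and packets larger than 1518 bytes with an MSS of 1460) can be checked per frame. The following is an added example, not part of the original thread: `capture_artifacts` and `build_frame` are hypothetical names, the sample frames are constructed, and untagged Ethernet carrying IPv4/TCP is assumed.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def capture_artifacts(frame: bytes, mss: int = 1460) -> set:
    """Flag signs that a frame was captured on a host that uses NIC offloading."""
    flags = set()
    ip = frame[14:]                          # skip Ethernet header (no VLAN tag assumed)
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    segment = ip[ihl:total_len]              # TCP header + payload
    data_off = (segment[12] >> 4) * 4        # TCP header length in bytes
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    if inet_checksum(pseudo + segment) != 0: # a valid segment sums to zero
        flags.add("bad-tcp-checksum")        # checksum is filled in later by the NIC
    if len(segment) - data_off > mss:
        flags.add("payload-exceeds-mss")     # segments merged by receive offloading
    if len(frame) > 1518:
        flags.add("frame-over-1518")
    return flags

def build_frame(payload_len: int, good_checksum: bool) -> bytes:
    """Constructed sample frame: zeroed MACs, documentation addresses, IP checksum unset."""
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1, 5 << 4, 0x10, 65535, 0, 0)
    tcp += b"A" * payload_len
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    if good_checksum:
        csum = inet_checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
        tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + src + dst
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

if __name__ == "__main__":
    for size, ok in ((1460, True), (1460, False), (2920, True)):
        print(size, ok, sorted(capture_artifacts(build_frame(size, ok))))
```

A frame that raises none of these flags says nothing about where it was captured; the flags only explain why a capture taken on the endpoint itself shows "errors" that never existed on the wire.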