OSQA is unmaintained. Help us figure out where to go from here.

Working with a small network with about 30 nodes. Occasionally, traffic just stops and the internet isn't available (big problem). The capture wasn't running when the network went down, but started afterwards. If anyone could help me understand what may be the cause, it would be greatly appreciated and may help me get more understanding of how to use Wireshark.

Capture File Link

asked 13 Jul, 08:03

egregory6's gravatar image

egregory6
62
accept rate: 0%

edited 13 Jul, 08:23

grahamb's gravatar image

grahamb ♦
19.4k330204

It is not clear from your description whether internet seemed to be inaccessible throughout the whole capture or whether it came up before even starting the capture or during the time the capture was running.

The capture definitely does contain active TCP sessions between private and public IP addresses, so the statement "traffic just stops" does not match the contents of the capture. Maybe some specific applications stop working?

If the Issue happens, what do you have to do to restore traffic? Or it restores spontaneously after a while?

(13 Jul, 09:54) sindy

Internet traffic was not working for desktops when the capture started but resumed in the second half (not sure of the exact timing). I was able to connect to the router through the network so "traffic just stops" is completely incorrect (sorry). The router says it was disconnected from the internet.

The Windows networking icon in the Taskbar displays "No Internet Access".

What seemed to correct it was disconnecting all switches from the router for a few minutes (after recycling power on the switch, router & cable internet box).

In the previous occurrence, I disconnected all cables from the switch and plugged them back in one at a time. It worked afterwards but no luck in identifying an offending device.

(13 Jul, 10:12) egregory6

As the first thing, as you mention a cable modem, I would think of some issues in IP address assignment from your cable provider. Do you have a static public address, or the provider changes it from time to time, or you don't know?

Can you mirror the port of your router which connects it to the cable modem and capture there?

(13 Jul, 10:43) sindy

One warning, there is a POP3 e-mail download in the capture where the recipient's address (and the spam message itself) can be read in plaintext, which may not be exactly what you wanted.

Other than that, if you use Statistics -> I/O Graph, set up a display filter eth.src == a0:21:b7:6f:5c:45 && !(ip.src == 192.168.0.0/16) && !arp for the graph, and set time interval to e.g. 10 s, you'll see how much IPv4 traffic from the internet was coming at different times.

(13 Jul, 11:17) sindy

So most likely the reason can´t be seen in the trace anymore because:

< The capture wasn't running when the network went down, but started afterwards.

(13 Jul, 12:21) Christian_R

@egregory6 from your prev. comment I would assume that you had a loop in your network.

(13 Jul, 12:28) Christian_R

@Christian_R, a broadcast storm in the LAN would be likely if not for

I was able to connect to the router through the network (...) The router says it was disconnected from the internet.

So unless there is some really funny network topology (like router's WAN and LAN interfaces in the same L2 segment), I'd still vote for some issue between their router and their ISP.

(13 Jul, 12:33) sindy

I removed the linked file because of the plain text email.

I can't mirror port - unmanaged switch that will be upgraded.

Thanks for the help. I have some good ideas from the community. You folks are awesome! I wondered about a loop and I've ordered a static IP. I'll keep digging.

(13 Jul, 12:35) egregory6

@egregory6, don't rely too much on the static IP because it may still be assigned using DHCP, and it is even quite likely. "Static" would only mean that the address will be reserved for you so you would always get the same one, but the DHCP expiration would still be there, unless you explicitly agree with the ISP on static settings at your side (which their product department may not approve). I was asking just to exclude DHCP as a potential cause if you would say that your router's WAN interface already had a static address configured locally.

Gigabit switches capable of traffic mirroring can be purchased for about USD 50,-. Netgear GS105Ev2 and Mikrotik RB260GS are good candidates (I have no idea whether any of them is available in your country, though).

In your situation, I would place a mirroring switch between the router and the cable modem and dedicate one PC to capturing the mirrored traffic into a circular file buffer using dumpcap which can run "forever" without running out of memory. And as soon as the issue would pop up, I'd stop the capture (or just ask someone to disconnect the cable from the switch if I'd be away right at the necessary moment).

(13 Jul, 12:52) sindy
showing 5 of 9 show 4 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×545
×36

question asked: 13 Jul, 08:03

question was seen: 107 times

last updated: 13 Jul, 12:52

p​o​w​e​r​e​d by O​S​Q​A