I love Wireshark. Any excuse I can get to play with Wireshark I take, even when the effort required to diagnose the problem is really above and beyond what a client needs or wants (I could just tell them it doesn’t work and it’s them not us, sorry!). Such is the case with my latest stint in packet land.
A client of mine was having issues uploading videos to a website they use, but only from a specific location. So of course I jumped on the opportunity and fired up Wireshark. After setting up port mirroring (and diagnosing a crappy intermittent cable) I was capturing traffic.
Originally I had a filter that was set up much tighter, displaying only data from the client PC to the host website (and vice versa). Once we got to about the 75% mark, something interesting happened. I received a RST/ACK with a sequence number from the website, but I didn’t see a RST from our client PC. I noted the packet number and expanded the filter to all traffic coming and going from the client PC. My train of thought here was that maybe it was CDN based and it had restarted the upload on a different server, but that’s not the case. It turns out a RST was never sent from our client PC. This tells me that something other than the PC uploading the file has reset the connection.

Unfortunately at this point I need to get out in front of the web filter this location has, and they can’t afford the downtime right now. I’ll follow up with a post shortly on setting up the VLAN and mirror ports on the main switch so I can get in front of the web filter without splicing up the cables. This setup will also help in the future when I go to implement an IDS (or even an IPS) for this client.
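The check described above (a RST arriving from the remote side while the local PC never sent one) is easy to automate once a capture has been exported. The script below is an added example, not part of the original post or anyone’s tooling: it reads a handful of constructed, tshark-style summary lines (frame, source, destination, flags, seq, ack; the exact field layout is an assumption made for this example, not tshark’s native output format) and reports, per direction, which frames carried a RST. In Wireshark itself the same first cut is the display filter `tcp.flags.reset == 1`; the point of the code is the second step, checking that the local host is not the one that reset the connection.

```python
"""Classify TCP resets in a capture by the side that sent them.

Added example, not code from the original post. The input lines are
constructed tshark-style summaries (frame src dst flags seq ack); the
field layout is an assumption for this example. Addresses come from the
RFC 5737 documentation ranges and do not identify real hosts.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    frame: int
    src: str
    dst: str
    flags: frozenset  # e.g. {"SYN"}, {"PSH", "ACK"}, {"RST", "ACK"}
    seq: int
    ack: int


# Constructed sample: local PC 192.0.2.10 uploading to web server
# 198.51.100.20. The server-side RST/ACK in frame 7 mirrors what the
# post describes: the local PC never sends a RST of its own.
SAMPLE_LINES = [
    "1 192.0.2.10 198.51.100.20 SYN 0 0",
    "2 198.51.100.20 192.0.2.10 SYN,ACK 0 1",
    "3 192.0.2.10 198.51.100.20 ACK 1 1",
    "4 192.0.2.10 198.51.100.20 PSH,ACK 1 1",
    "5 198.51.100.20 192.0.2.10 ACK 1 1461",
    "6 192.0.2.10 198.51.100.20 PSH,ACK 1461 1",
    "7 198.51.100.20 192.0.2.10 RST,ACK 1 2921",
]


def parse_lines(lines):
    """Turn the constructed summary lines into Segment records."""
    segments = []
    for line in lines:
        frame, src, dst, flags, seq, ack = line.split()
        segments.append(
            Segment(int(frame), src, dst, frozenset(flags.split(",")), int(seq), int(ack))
        )
    return segments


def classify_resets(segments, local_host):
    """Split RST frames by whether the local host or its peer sent them.

    With the capture point sitting at the local host (mirror port on its
    switch), a RST seen *arriving* at local_host with no RST ever *leaving*
    it means the local host did not tear the connection down; a device
    between the endpoints did. That is the condition the post hit.
    """
    local_rst = [s.frame for s in segments if "RST" in s.flags and s.src == local_host]
    remote_rst = [s.frame for s in segments if "RST" in s.flags and s.dst == local_host]
    return {
        "local_rst_frames": local_rst,
        "remote_rst_frames": remote_rst,
        "reset_from_outside_local_host": bool(remote_rst) and not local_rst,
    }


def describe(result):
    """Human-readable one-liner for the classification result."""
    if result["reset_from_outside_local_host"]:
        return (
            "RST/ACK received in frame(s) %s but the local host sent none: "
            "look for a middlebox (web filter, IPS) between the endpoints"
            % result["remote_rst_frames"]
        )
    if result["local_rst_frames"]:
        return "Local host reset the connection in frame(s) %s" % result["local_rst_frames"]
    return "No resets seen"


if __name__ == "__main__":
    print(describe(classify_resets(parse_lines(SAMPLE_LINES), "192.0.2.10")))
```

To use it on a real capture, feed it the fields it expects (frame number, addresses, flags, seq, ack) exported from Wireshark or tshark for the conversation of interest, and run it once per TCP stream; a stream where the local PC shows up in `local_rst_frames` was torn down by the PC itself, while a stream flagged `reset_from_outside_local_host` is the one worth chasing upstream of the web filter.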