Wireshark-users: Re: [Wireshark-users] Analyzing a "broken" FTP session
Date: Fri, 21 Aug 2009 08:11:18 -0400
John - on top of what Sake said...
You still may not be able to identify what 'broke' just from a trace file. It really may not be connectivity-related - depending on what happened. Just yesterday I was handed a 'broken ftp' problem to try and figure out what went wrong and also as a learning opportunity. In my case, swapping out a Cisco 6509 chassis 'broke' the ftp process on one of our servers. [Or at least that's the causality from the server team's perspective...until I find and explain what really happened.] Basically, when the chassis was swapped, the connection to the server was reset. [Solaris 9] The connection was shut down and turned up (not plumbed) and that didn't fix it. Then someone changed the subnet mask on one of the interfaces and it started working again.

Apparently the cable is connected to an interface with 2 IP addresses. There's an IP address for the physical interface and an address for the VIP. Both addresses are on the same /24 address space and it works with one as a /16 and the other as a /24. Only one of the two has a DNS entry. With both addresses as a /24, the ftp process (intiated by some java script) would go to the VIP and an error message would be generated:
reply ==>501 IP Address for data destination doesn't match client's.<==
Changing the VIP to a /16 allowed it to ftp to the correct address (the one with the DNS entry).

A trace file is useless in this type of situation - since I already know 'why' the ftp itself fails (in the reply message above). However, it still does not really get at the 'root cause' of the failure. At this point, from the server team's perspective, the loss of connectivity to the network caused all this to happen. And, as you can see there may be a lot more to it than there first appears. FTP is a simple protocol - but it touches a lot of complex parts.

BTW - If anyone knows where on the Sun docs to find more in-depth information about the networking process - especially stuff about VIPs and localIP addresses, please send a link my way. Most of what I've found is all Networking 101 and the last thing I need is another tutorial about subnetting or basic networking itself... What I need to know is how Sun does it (or does it differently). There used to be a Sun CD that covered just networking, but I can no longer find where to get it. The training that I found includes networking in a larger package, but not focused on it. [I don't want to run servers, just understand more about how they interact with my network.]

TIA
Lori


----- Original Message ----- From: "Chivian, John" <jchivian@xxxxxxxxxxxxxx>
To: <wireshark-users@xxxxxxxxxxxxx>
Sent: Thursday, August 20, 2009 10:36 PM
Subject: [Wireshark-users] Analyzing a "broken" FTP session


Group:

I'm not sure if this is the correct forum for this but I am hoping to get some help identifying a problem that sometimes occurs between an FTP client and server. (If this isn't the right forum can someone point me in the right direction?)

I have PCAP files made on both systems using tcpdump that have captured a recent failure, but I do not have enough expertise in packet analysis or the guts of the FTP protocol to read them and draw a definitive conclusion regarding why the connection "broke".

If someone can help I am happy to provide more information regarding the systems themselves, the network topology between them, and the trimmed PCAP files for analysis.

  Thanks in advance, JC

---

John (JC) Chivian
Staff Software Engineer
Staff Unix/Linux Administrator
Corporate Information Systems
Photronics, Inc.

mailto:jchivian@xxxxxxxxxxxxxx
http://www.photronics.com

---

This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. This communication may contain Photronics' confidential information. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, be advised that you have received this e-mail in error and that any use, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.

---

Environmentalism is an ethic and a way of life. Pass it on!


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe