Wireshark-users: Re: [Wireshark-users] Identifying application

From: Peter Miklosko <peter_budo@xxxxxxxxx>
Date: Thu, 7 Aug 2008 09:36:38 -0700 (PDT)
Filtering brought up exactly the same IPs as I originally suspected, 65.55.179.30 or 31, which belong to madserver.net (http://www.robtex.com/ip/65.55.179.30.html).
However, this is how far I got previously, and I didn't know where to go from here.

Peter



----- Original Message ----
From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Sent: Thursday, August 7, 2008 5:02:46 PM
Subject: Re: [Wireshark-users] Identifying application

Well, since you have written to this mailing list, I assume you want
to use Wireshark to figure out what's going on. What I think you
should do is to
- capture packets with a ring buffer and without live update of the
packet list.
- wait until you face the problem and then stop the capture (if at the
point of the problem the capture doesn't stop automatically with an
error).
- save the capture.

If the capture does stop with an error at the point of the problem, it
means something causes the interface towards the ISP to physically go
down (you haven't mentioned what kind of connection you have to the
ISP). That could indicate some kind of a session timer or something
like that... not sure.

If the capture continues while there is a problem, then once you have
stopped and saved the capture you need to analyze it to see what might
be going wrong... I think a good place to start would be to find a lot
of frames at more or less the same time with TCP resets (display
filter tcp.flags.reset==set). Once you find a clump of packets with
this at around the same time as you saw the connections going down,
clear the display filter and then search upwards in the packet list to
see if there was something suspicious.

Perhaps someone else has more suggestions.

Abhik.

On Thu, Aug 7, 2008 at 7:44 PM, Peter Miklosko <peter_budo@xxxxxxxxx> wrote:
> I have spoken to the ISP; the lease period is shorter
>
> Peter
>
> ----- Original Message ----
> From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Sent: Thursday, August 7, 2008 3:55:55 PM
> Subject: Re: [Wireshark-users] Identifying application
>
> Hi Peter,
>
> Have you checked the output of ipconfig /all from the command prompt?
> Perhaps your ISP has a DHCP lease period of only 1 hour and this
> somehow causes an issue.
>
> Regards,
> Abhik.
>
>
> On Thu, Aug 7, 2008 at 3:55 PM, Peter Miklosko <peter_budo@xxxxxxxxx> wrote:
>> I run a Windows XP machine and have a problem with internet traffic blockage
>> every hour. I may be playing a game online or listening to online radio and lose
>> the connection every hour.
>> First I thought it was my ISP, but then this would happen based on
>> their own timing, not based on the time my machine was started. So I moved
>> my suspicion toward the anti-virus. Again wrong: the anti-virus checks for
>> updates every ten minutes, not every hour. Therefore I made some recordings with
>> Wireshark. In the recorded logs I found the incriminating time when it happens,
>> but unfortunately I cannot identify which application caused this. Can
>> somebody guide me please?
>>
>> Regards Peter
>>
>>
>>
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-users
>>
>>
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
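The "clump of resets" search Abhik describes above, as an added example that is not from any poster in this thread: it assumes the saved capture was exported with tshark as tab-separated fields (`tshark -r capture.pcapng -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e tcp.flags.reset`), and it runs on a constructed sample of such lines embedded in the script, grouping resets that arrive close together, measuring the spacing between groups (an hourly problem should show up as roughly 3600 s), and pulling the frames just before a group, which is the "clear the filter and look upwards" step.

```python
from collections import Counter
# Constructed sample export (not a real capture): a clump of resets just after
# the one-hour mark, a lone reset, then a second clump an hour later.
SAMPLE_EXPORT = """\
3590.10\t192.168.1.5\t65.55.179.30\t0
3599.80\t192.168.1.5\t255.255.255.255\t
3600.20\t65.55.179.30\t192.168.1.5\t1
3600.35\t65.55.179.31\t192.168.1.5\t1
3600.90\t192.168.1.5\t65.55.179.30\t1
3601.40\t10.0.0.7\t192.168.1.5\t1
3801.00\t65.55.179.30\t192.168.1.5\t1
7200.10\t65.55.179.30\t192.168.1.5\t1
7200.50\t65.55.179.31\t192.168.1.5\t1
7201.00\t192.168.1.5\t65.55.179.30\t1
"""

def parse_export(text):
    """Rows of (time, src, dst, is_reset); tshark prints the flag as 1/0 or
    True/False depending on version, and empty for non-TCP frames."""
    rows = []
    for line in filter(None, text.splitlines()):
        t, src, dst, rst = line.split("\t")
        rows.append((float(t), src, dst, rst in ("1", "True")))
    return rows

def _summarise(group):
    peers = Counter(p for _, src, dst, _ in group for p in (src, dst))
    return {"start": group[0][0], "end": group[-1][0], "count": len(group),
            "top_peers": [p for p, _ in peers.most_common(2)]}

def find_reset_bursts(rows, window=5.0, min_resets=3):
    """Cluster RST frames that follow each other within `window` seconds
    and keep clusters of at least `min_resets`: the 'clump' to look for."""
    resets = sorted(r for r in rows if r[3])
    groups, current = [], []
    for r in resets:
        if current and r[0] - current[-1][0] > window:
            groups.append(current)
            current = []
        current.append(r)
    groups.append(current)
    return [_summarise(g) for g in groups if len(g) >= min_resets]

def burst_intervals(bursts):
    """Seconds between successive bursts; about 3600 matches the hourly drop."""
    return [b["start"] - a["start"] for a, b in zip(bursts, bursts[1:])]

def frames_before(rows, t, seconds):
    """With the filter cleared: every frame in the `seconds` before a burst."""
    return [r for r in rows if t - seconds <= r[0] < t]
```

The lone reset at 3801 s is dropped by `min_resets`, so only the two clumps are reported, and the non-TCP frame at 3599.80 s shows up when you look at what preceded the first one.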