3

I am having issues with my FTP servers.

Connecting, sending and receiving fail sometimes, and it is not consistent.

I managed to capture the packets and filter them by IP. I just need pointers on what I can do from there, as I don't fully understand the capture.

Here is a screenshot

http://i.stack.imgur.com/nvqcj.jpg

Here is the log from the server when it fails:

Error:  Connection closed by server
Error:  Connection timed out
Error:  Could not connect to server
Status: Delaying connection for 5 seconds due to previously failed connection attempt...
Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Error:  Connection timed out
Error:  Could not connect to server
Status: Delaying connection for 5 seconds due to previously failed connection attempt...
Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Error:  Connection timed out
Error:  Could not connect to server
Zoredache
Al Pacino
  • 3
    If all packets have header checksum error, ignore it. It means the computer has offloaded checksums to the NIC. – Barmar Apr 29 '14 at 20:13
  • 2
    If it is only failing sometimes, then what you need to do is get a capture of what a good connection and bad connection looks like. Then look for differences. If you have intermittent success though a capture may not be the right place to look. You may be better off enabling verbose (debug) logs on your ftp server. – Zoredache Apr 29 '14 at 20:14
  • @Zoredache should I add a successful transfer capture to my post, or should I add more verbosity to my server log? The server log didn't help much so far – Al Pacino Apr 29 '14 at 20:23
  • @Barmar OK, I will ignore it. Can you give me any tips to troubleshoot network issues on an FTP server? It's just too inconsistent, I cannot find a pattern – Al Pacino Apr 29 '14 at 20:47

1 Answer

1

To properly understand what is happening, take a look at the TCP 3 Way Handshake. In a nutshell, it goes a little something like this:

Client 1 >>>>>>SYN>>>>> Client 2
Client 2 >>SYN ACK>>>>> Client 1
Client 1 >>>>>ACK>>>>>> Client 2

The session is now established, where Client 1 is the machine/node that initiates the connection. Once established, the proper termination of a connection is a similar exchange of

Client 1 >>>>>>FIN>>>>> Client 2
Client 2 >>FIN ACK>>>>> Client 1
Client 1 >>>>>ACK>>>>>> Client 2

Although that doesn't always happen. I also see that the connection was RST, you can probably guess what that means. Not sure why your connection is being randomly reset, but it looks like it's the client that's responding with a RST,ACK but your screenshot doesn't show a RST sent by the server. You should do this, and then update your question:

  1. Disconnect from the server
  2. Clear all Wireshark logs
  3. Filter based on server IP
  4. Start capture
  5. Try to connect
  6. Stop capture after connection fails
  7. Display only a single TCP Stream

Add the new pic. If it's easier, I believe the PCAP file is text based, meaning you can open it up in your favorite text editor, do a find/replace on your IP addresses, save it back and either upload it here, or link to pastebin or something.

MDMoore313
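To compare a failing and a working connection stream by stream, as the comments and the answer above suggest, this added example (not part of the original posts) summarises each TCP stream from tshark field output: whether the three-way handshake completed, whether the server sent any payload such as the FTP welcome message, and which side sent the first RST. The sample rows, the addresses and the function name `summarize` are constructed for illustration; the assumed export command is shown in the comment.

```python
from collections import defaultdict

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Constructed sample rows (documentation addresses), in the shape produced by:
#   tshark -r capture.pcap -Y tcp -T fields -e tcp.stream -e ip.src \
#          -e tcp.srcport -e tcp.flags -e tcp.len
SAMPLE = """\
0\t198.51.100.7\t50112\t0x0002\t0
0\t203.0.113.10\t21\t0x0012\t0
0\t198.51.100.7\t50112\t0x0010\t0
0\t203.0.113.10\t21\t0x0018\t27
0\t198.51.100.7\t50112\t0x0010\t0
1\t198.51.100.7\t50113\t0x0002\t0
1\t203.0.113.10\t21\t0x0012\t0
1\t198.51.100.7\t50113\t0x0010\t0
1\t198.51.100.7\t50113\t0x0014\t0
"""

def summarize(rows, server_port=21):
    """Return {stream: {handshake, server_data, first_rst}} for each TCP stream."""
    streams = defaultdict(lambda: {"step": 0, "server_data": False, "first_rst": None})
    for line in rows.strip().splitlines():
        stream, src, sport, flags, length = line.split("\t")
        flags, from_server = int(flags, 16), int(sport) == server_port
        s = streams[int(stream)]
        # Track the handshake in order: SYN (client), SYN+ACK (server), ACK (client).
        if s["step"] == 0 and flags & SYN and not flags & ACK and not from_server:
            s["step"] = 1
        elif s["step"] == 1 and flags & SYN and flags & ACK and from_server:
            s["step"] = 2
        elif s["step"] == 2 and flags & ACK and not flags & (SYN | RST) and not from_server:
            s["step"] = 3
        if from_server and int(length) > 0:
            s["server_data"] = True          # e.g. the FTP 220 welcome message
        if flags & RST and s["first_rst"] is None:
            s["first_rst"] = "server" if from_server else "client"
    return {k: {"handshake": v["step"] == 3, "server_data": v["server_data"],
                "first_rst": v["first_rst"]} for k, v in streams.items()}

if __name__ == "__main__":
    for stream, info in sorted(summarize(SAMPLE).items()):
        print(stream, info)
```

A stream with a completed handshake, no server payload and a client-side RST matches the "Connection established, waiting for welcome message... Connection timed out" pattern in the log above.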