Directing all packets to one particular IP

I was facing a weird problem on the LAN today.

If I have some TCP connection open, then that would work perfectly fine, but the rest won't. For example, if I am logged into G-Chat (the chat in Gmail), then the chat would continue to work perfectly as it would under a normal internet connection. However, if I tried to open even google.com and/or open Gmail, the connection won't establish, as if my net is down.

To confirm my suspicion, I started streaming an online video (when I could), the same thing happened in between. The video continued to buffer perfectly with the same good speed as if my net is perfectly fine, but none of the other sites opened up.

Since the socket or TCP connection was already established, I believe that once a connection is established, it works but the rest of packets are being "stolen" or redirected to one or some particular addresses in the LAN.

So my question is what activity and/or software is capable of performing such a task and how does it work exactly?

Also, is there a way to stop it?

Any help is much appreciated.

user125883

Posted 2012-12-18T13:46:22.630

Start Wireshark and observe the traffic. If you see some RST or FIN flags out of place, this might be the cause. Identify if gchat and streaming video are not using UDP while other traffic is sent via TCP. Use netstat to observe if the connection to websites is 'ESTABLISHED' or maybe it stays in the status 'SYN_SENT' – mnmnc – 2012-12-18T14:07:28.473

The chat is on TCP connection and the videos are on UDP. I didn't quite understand the wireshark check you asked me to do. What would indicate RST or FIN being out of place? I am naive on this front. I will also check the netstat when this thing next happens. – None – 2012-12-18T14:15:23.607

A TCP connection is established after a 3-way handshake. The first packet is sent with specific bits set - this setting is called a flag. There are multiple flags, but the ones used during the connection are SYN and ACK. First you send a SYN packet to the server. If everything is OK, you will receive SYN and ACK in one packet and respond with ACK. Then packets fly with the PSH flag while transferring data. After all is sent, you should receive FIN with the last packet. If something goes wrong, you will most probably get RST. If you see RST, check if it is from the web server you are accessing. – mnmnc – 2012-12-18T14:20:38.593

Okay, it happened again. I did the netstat. The status for some was ESTABLISHED, which I believe are the tabs in the browser which were already opened, and SYN_WAIT for the ones that I tried to open. – None – 2012-12-18T14:30:44.987

This means a firewall or proxy between you and the server is limiting your connections or filtering some specific ones based on some criteria. You might want to speak with your ISP about that. It is possible that QoS is set up and it is limiting you to a specific number - like 10 - of concurrent connections. This will prevent you from establishing new ones once you reach the limit. Try closing the browser, look at netstat, and when TIME_WAIT for previous connections disappears, try again to access the webpage. – mnmnc – 2012-12-18T14:37:04.607

It cannot be the firewall or the proxy settings because this only happens when there are other users on the LAN (I nmapped). Whenever I am the only one on the network, or someone is next to me (where I can see the activities happening), this doesn't happen no matter what. The QoS is also not set up that way because this is occurring at certain times when there are other people on the LAN. I am able to establish 100 different connections otherwise. I checked using simple scripts etc. to make and keep the connections. – None – 2012-12-18T14:42:12.263

Then check if your switch or router is not overloaded, overheating, CAM flooded etc. If this happens only for your PC and not on the others, change your MAC address - switch with another PC from the network and give your MAC to the other PC. Check if this will fix your problems. If yes, then it is a setting on the router; if not, it is your PC/NIC. If this happens for all PCs, it is a hardware fault - router or switch - or global software settings/policy. – mnmnc – 2012-12-18T14:53:14.350

Are you sure there is no software on the LAN that can cause this? I ask only because I remember vaguely hearing about a download accelerator which could do so. I don't remember exactly, hence couldn't really find something substantial on Google. – None – 2012-12-18T14:57:02.447

Note that you need to perform ipconfig /release and ipconfig /renew after changing your MAC if there is a DHCP server on the network – mnmnc – 2012-12-18T14:58:56.263

If a download accelerator would cause something like this, this would be very poorly developed/designed software. But I'm not a specialist in this matter unfortunately. – mnmnc – 2012-12-18T15:14:11.790

^Yeah, I know about the ipconfig /release and renew, thanks :) And yes, it would be poorly designed, but there is all sort of stuff out there, so I just wanted to make sure. – None – 2012-12-18T15:42:11.007

No answers
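
The netstat check suggested in the comments (existing sessions in ESTABLISHED while new ones sit in SYN_SENT, the state named in mnmnc's first comment) can be scripted so it is quick to repeat each time the problem shows up. This is an added example, not part of the original thread; the sample output is constructed with documentation addresses, and the `min_stuck` threshold is an assumption.

```python
"""Summarize TCP states from `netstat -an` output (Windows or Linux layout)."""
from collections import Counter

TCP_STATES = {
    "LISTEN", "LISTENING", "SYN_SENT", "SYN_RECV", "SYN_RECEIVED",
    "ESTABLISHED", "FIN_WAIT1", "FIN_WAIT_1", "FIN_WAIT2", "FIN_WAIT_2",
    "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "CLOSED",
}

# Constructed sample, not captured from the poster's machine.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:49712       198.51.100.20:443      ESTABLISHED
  TCP    192.0.2.10:49713       198.51.100.21:443      ESTABLISHED
  TCP    192.0.2.10:49801       203.0.113.5:80         SYN_SENT
  TCP    192.0.2.10:49802       203.0.113.5:443        SYN_SENT
  TCP    192.0.2.10:49803       203.0.113.9:443        SYN_SENT
  TCP    192.0.2.10:49650       198.51.100.30:80       TIME_WAIT
  UDP    0.0.0.0:5353           *:*
"""

def parse_netstat(text):
    """Return (remote_endpoint, state) for every TCP line that has a state."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or not tokens[0].lower().startswith("tcp"):
            continue
        # The state column position differs between platforms, so find it by value.
        for i, tok in enumerate(tokens):
            if i >= 2 and tok.upper() in TCP_STATES:
                rows.append((tokens[i - 1], tok.upper()))
                break
    return rows

def diagnose(text, min_stuck=3):
    """Flag the symptom from the thread: old sessions alive, new handshakes unanswered."""
    rows = parse_netstat(text)
    states = Counter(state for _, state in rows)
    stuck = sorted(remote for remote, state in rows if state == "SYN_SENT")
    symptom = states["ESTABLISHED"] > 0 and len(stuck) >= min_stuck
    return {"states": dict(states), "stuck": stuck, "symptom": symptom}

if __name__ == "__main__":
    result = diagnose(SAMPLE)
    print(result["states"])
    for remote in result["stuck"]:
        print("no SYN/ACK yet from", remote)
    print("new handshakes failing while old sessions live:", result["symptom"])
```

To use it on a live machine, pass the captured text of `netstat -an` to `diagnose()` instead of `SAMPLE`; the remote endpoints it lists are the ones to filter on in Wireshark when looking for missing SYN/ACK replies or unexpected RSTs.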