Intermittent Pinging and Other Network Problems

[bkrosco]

We have a small lan with about 25 stations on a peer to peer network. Lately, we've been having problems with slowness and printing to shared network printers etc. After some troubleshooting it seems that what's happening is that stations are unable to even ping other stations for a period of time. Then, they will be able to ping again. One time, they'll be able to resolve by the netbios name, the next time, it gets host not found.

Any ideas?

All machines have antivirus software. I've tried changing ports on the hubs to see if there was a problem there.

Any troubleshooting advice? The thing is it's so intermittent. It happens very often, at least once every 10 minutes or so it seems.

There are 3 hubs and one switch. The equipment isn't great but it has really been a problem lately. I've started using ethereal to see what's going on but I'm not really sure exactly what I'm looking for.

I'm just wondering what could cause a problem that would even cause pinging to fail intermittently on the LAN. For example often the first ping will time out and then the following three get a reply. Sometimes, the first one goes through properly and the final three don't.

Any advice is appreciated.

 

[msy]

It seems to me that your network is overload with traffic.
may its a virus sending data randamly and overloading your network.

Try to use ethereal Network Analyzer (this free)(

http://www.ethereal.com).

then you can find out with computers are sending heaps of data.

Try to do the network analyzer before work start and during work time.

when find the computers responsible of send heaps of data, reboot them if safe mode and do a virus scan. make syre u have the latest definition file. And aslo do a windows update.

Hope fully this will help u. let me know did u go

 

[bkrosco]

Any tips for using ethereal? I've got everything plugged into 3 hubs. Any filters I should apply so I'm not looking at so much data?

 

[bkrosco]

I can see in the ethereal log where it tries to ping and is unable to, but I don't see anything that lists a reason why. It says destination unreachable (port unreachable). Later on, it pings the same address successfuly.

Is there something in particular I can do to show which host is causing the most traffic? Anything that is a sign of virus activity?

 

[bkrosco]

I can see in the ethereal log where it tries to ping and is unable to, but I don't see anything that lists a reason why. It says destination unreachable (port unreachable). Later on, it pings the same address successfuly.

Is there something in particular I can do to show which host is causing the most traffic? Anything that is a sign of virus activity?

 

[msy]

do not ping any thing.

1) Start the all the machines.
2) login to them as usual.
3) Start the ethereal and run it about 20 min
4) onece you finished in the log view , click on the source tab. so it will sort according to the IP address.

5) then check the destination address is a valid address in your netwok and also check if it is sending to the same port by expanding the deatils view.

 

[robertjo24]

Q: When you have trouble pinging between nodes, are the nodes on different hubs, or are you having difficulty pinging between nodes on the same hub?
If I walked into this situation fresh off the buss, I would start by going to a node on hub #1, ping nodes on that hub, then ping nodes on hub 2, then nodes on hub 3. I would then go to hub #2 and repeat, then on to hub #3 and do the same. It could be that a particular hub is generating excessive traffic or excessive errors/collisions.

It could also be that you are now generating more traffic than in the past between nodes causing excessive traffic across the LAN. Every hub sends everything it sees, and will only operate 10Mbit/half duplex.
Are these three hubs joined by a switch?
I would look to replacing the hubs with an unmanaged switch at the least.

One suggestion, get Paketyzer at

http://www.paketyzer.com.

We use Ethereal to do captures and analysis, but I find it is easier to analyze packet captures with Paketyzer. It gives clear statistics on where the bulk of your traffic is coming from.

Best of luck.

 

[aquias]

My first thought is to agree with Robert. But to make certain of it here is what I suggest.

I haven't used ethereal but by the sounds of it this will allow you to view what machines (if any) are sending out massive amounts of data. Run MS Antispyware on those (actually all) machines along with a virus scan, this will help to ensure you don't have a bug spamming across your network.

Next up, look to replacing the hubs with an unmanaged switch (also called switching hubs). Even if you resolve this issue I would look at doing this to increase the overall performance of your network and to lessen the overall load, and this is a very cheap swap to do.

 

[bkrosco]

Thanks for the ideas, I'll give packetyzer a try.

I have tried plugging the 4 computers that use that database into a old 10baseT switch that was laying around. They still had problems pinging after a while.

The hard thing here is if I plug two in, they'll be able to ping each other just fine at first. It's very intermittent. I could try 20min later and then not be able to ping. It's hard establishing what is having problems and what isn't.

I'm going to install 2 24 port unmanaged switches out there tomorrow. I'll see if that helps. If not, I'll have to fire up packetyzer and see if that helps any.

So far, using ethereal, I've seen problems but most of them seem to be related to not being able to resolve UNC names or NETBIOS names. That's because I'm sure at that point the two stations are not even able to ping each other much less communicate data back and forth. The thing is I need to figure out why for that amount of time they aren't able to communicate.

 

[chieftan999]

Are you using DHCP or static addresses?

Sounds like you may have an IP conflict issue!!!!!

Reamin positive. The affect on those around you will amaze.

 

[bkrosco]

Static IP addresses, so unless someone messed with their ip settings....

No one has said anything about getting the error message indicating that another computer was detected with the same ip address.

 

[bkrosco]

I tried putting in two new unmanaged switches and we still have problems. They'll be able to ping each other just fine and then suddenly, they are unable to. I've captured it in ethereal, now I just need to analyze it and figure out what's going on. I moved 7 stations that work together (ie the stations that use the database and three other stations that share a printer) to a hub and uplinked that to one of the switches. The idea is to be able to isolate these stations that I know are having problems and figure out why.

Pinging is so low level. I thought for sure the switches would solve it. Any other ideas? This one has me stumped.

 

[bkrosco]

I'm going to try pasting in some of my ethereal scan. One of the problems people are having is bringing up their printers to choose which one to print to takes forever and then often printing doesn't work. Here's what I believe is that activity in ethereal:

Source Destination Protocol Info
10.252.250.214 10.252.250.106 NBSS Session request, to DODGEFI<20> from SERVICE2<00>
10.252.250.106 10.252.250.214 NBSS Positive session response
10.252.250.214 10.252.250.106 SMB Negotiate Protocol Request
10.252.250.106 10.252.250.214 SMB Negotiate Protocol Response
10.252.250.214 10.252.250.106 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.252.250.106 10.252.250.214 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.252.250.214 10.252.250.106 SMB Session Setup AndX Request, NTLMSSP_AUTH
10.252.250.106 10.252.250.214 SMB Session Setup AndX Response
10.252.250.214 10.252.250.106 SMB Tree Connect AndX Request, Path: \\DODGEFI\IPC$
10.252.250.106 10.252.250.214 SMB Tree Connect AndX Response
10.252.250.214 10.252.250.106 LANMAN NetServerEnum2 Request, Domain Enum
10.252.250.106 10.252.250.214 LANMAN NetServerEnum2 Response
10.252.250.214 10.252.250.106 SMB Logoff AndX Request
10.252.250.106 10.252.250.214 SMB Logoff AndX Response
10.252.250.214 10.252.250.106 SMB Tree Disconnect Request
10.252.250.106 10.252.250.214 SMB Tree Disconnect Response
10.252.250.214 10.252.250.106 TCP 2261 > netbios-ssn [FIN, ACK] Seq=970 Ack=740 Win=64796 Len=0
10.252.250.106 10.252.250.214 TCP netbios-ssn > 2261 [FIN, ACK] Seq=740 Ack=971 Win=63271 Len=0
10.252.250.214 10.252.250.106 TCP 2261 > netbios-ssn [ACK] Seq=971 Ack=741 Win=64796 Len=0
10.252.250.214 10.252.250.106 TCP 2262 > netbios-ssn [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
10.252.250.106 10.252.250.214 TCP netbios-ssn > 2262 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1460
10.252.250.214 10.252.250.106 NBSS Session request, to DODGEFI<20> from SERVICE2<00>
10.252.250.106 10.252.250.214 NBSS Positive session response
10.252.250.214 10.252.250.106 SMB Negotiate Protocol Request
10.252.250.106 10.252.250.214 SMB Negotiate Protocol Response
10.252.250.214 10.252.250.106 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
10.252.250.106 10.252.250.214 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
10.252.250.214 10.252.250.106 SMB Session Setup AndX Request, NTLMSSP_AUTH
10.252.250.106 10.252.250.214 SMB Session Setup AndX Response
10.252.250.214 10.252.250.106 SMB Tree Connect AndX Request, Path: \\DODGEFI\IPC$
10.252.250.106 10.252.250.214 SMB Tree Connect AndX Response
10.252.250.214 10.252.250.106 LANMAN NetServerEnum2 Request
10.252.250.106 10.252.250.214 LANMAN NetServerEnum2 Response

Any ideas? I'll try to get some more info posted as to what's coming up in the ethereal scans.

 

[aquias]

You're, most likely, infected with Sasser

http://securityresponse.symantec.co....activity.that.may.be.due.to.lsass.worms.html

I would suggest to download a sasser specific cleaner to your system and see if you discover any infections.

 

[bkrosco]

I just did a capture using packetyzer. I then went to a station and tried pinging the station that has a shared printer attached to it. I go no reply. I tried pinging a couple other stations, no reply. I could ping the xincom firewall and the cisco router. I then tried pinging that same station again and this time, I could ping successfully.

So, what can I look for in this capture in packetyzer to clue me in as to what's going on? I went to the connections tab and there's nothing there that sticks out. Usage was really low. I don't have all of our stations plugged into this hub, only about 10 of them. But, I would think that would give me something to go on.

Let me know if someone is interested in me emailing them the captured packets for you to look at using your favorite program.

 

[bkrosco]

Why do you think it's sasser? According to Symantec it should be pinging multiple addresses looking for new computers to infect. I haven't really seen random pings. Mainly the ones that I've been doing for testing.

 

[aquias]

It may not be Sasser, but my by looking at your logs and comparing them to what a common LSASS virus will do, you have some extreme similarities. If this isn't an issue of a virus (I still believe you have some kind of infection), then there is some other kind of corruption with LSASS.

 

[bkrosco]

I'll posted my capture files to:

http://kohlstedt.org/files

Feel free to take a look if you want. Maybe you can help me pintpoint which ones could be infected. All of our computers have Symantec Antivirus Corp Edition and it found a couple viruses when we first installed it two months ago, but, the current problem didn't start until a couple weeks ago.

Thanks for you help.

 

[netmanrick]

I would check each pc nic and the hub port for correct handshaking;Autonegotiation will BITE you.
Sounds like Aquias has a good idea.Do not rely on any user to supply corrcet info. Verify,Verify,Verify the settings.
Good luck.

Rick Harris
SC Dept of Motor Vehicles
Network Operations

 

[mavericknow]

This sounds like the same exact problem I've been having on my network. It started about 3 weeks ago and it's driving me crazy! The most noticable symptoms (from the user standpoint) are lost connectivity to a SQL server and an Exchange server. But, when I do extended pings to any server, switch, router, or desktop, I see intermittent drop outs. I have all Cisco switches (3500XL and 2950XL series). I've been running MS network monitor and the only thing that can be confirmed so far when there is a temporary drop out is that the user machine is sending packets that never make it to it's destination. Anyone have any ideas? I don't know what to do anymore.