errors in wireshark log

[think2]

A few weeks ago I asked about how to capture wifi messages because of a problem we're having at my Bridge club we're our tablets sometimes have a problem getting feedback from the scoring PC.

https://community.ubnt.com/t5/UniFi-Wireless/how-to-log-wifi-traffic/m-p/2691423#M371460

We have two ubiquiti ap ac pro access points and Lenovo tablets. We've found one of the problems which is that the scoring PC is taking too long to send the result back - the tablet times out after two seconds which is too short.

The second problem is that some tablets have a problem getting feedback all night. Turning the wifi off and on often helps but it usually goes wrong again, soon after. Last night I captured messages at the scoring PC using wireshark and for IP address 192.168.1.58 there are a huge number of errors for that IP address and the people using the tablet with that address reported the tablet had lots of problems all night. The capture file is here
https://drive.google.com/open?id=1VO-fDnAnvejaNo3zm3sFxKlvtdTJmKEw

It shows that the tablet is sending lots and lots of TCP resets and retransmissions. Can anyone suggest what the cause of this is? The problem is not associated with any one particular tablet - lots of them do it at different times. They are Lenovo TB3 710F running Android 5.0.

Thanks for any suggestions.

 

[JackMDS]

You seem to act with an assumption that your current hardware "Fit" to do what you want them to do, that the size of a network that your are using is OK, and it is just a matter of find something wrong in your current system.

My believe is the Tablets by there own design are Not meant to work in such a Network situation.

To solve such a problem you might need a step by step research spending (could be large amount) funds to re-build a network that can do what you want it to do.

You probably need a much faster server, many more APs and might be other type of tablets.

The fact that each Tablet have a Good signal with the current Network does not mean that when large system has to work in tandum it has the hardware capacity to do so.

 

[think2]

Your comments are nonsense. The traffic sent between tablets and the scoring PC is very very small - maybe something like a total of 2000 TCP connections over a three hour period across all tablets - ten a minute. Windows can handle 220000 simultaneous TCP connections.

 

[JackMDS]

Your comments are nonsense.

LOL!!! Thank you for your appreciation and tutoring. "6 no trump".

I guess that 40 years of computer engineering with emphasis on Networking is not enough for a bridge Club.

 

[mxnerd]

Googled.

https://ask.wireshark.org/question/...dup-ack-and-retransmission-wifi-interference/

https://serverfault.com/questions/143910/finding-cause-of-tcp-retransmission-within-a-lan

Unable to help beyond this. Not my strength.

 

[mxnerd]

Found that Wireshark's Analyze menu - Expert Information shows there are a lot of connections on port 9000 if you click open each line.

Better check what app is using that port.

https://www.auditmypc.com/tcp-port-9000.asp

 

[think2]

Thanks, that's helpful. Here's some more detail

A tablet that is struggling to get feedback is sending a TCP connection reset (RST) right at the start of the TCP transaction e.g. - (source port is 57727)
2136.258745 192.168.1.58 192.168.1.10 57727 -> 9000 [SYN] Seq = 0
2136.258893 192.168.10.1 192.168.1.58 9000 -> 57727 [SYN,ACK] Seq = 0
2136.354344 192.168.1.58 192.168.10.1 57727 -> 9000 [RST] Seq = 1
2137.256806 192.168.1.58 192.168.10.1 57727 -> 9000 [TCP Retransmission] Seq = 0
2137.256901 192.168.10.1 192.168.1.58 9000 -> 57727 [segment not captured, port numbers re-used]
2136.354344 192.168.1.58 192.168.10.1 57727 -> 9000 [RST] Seq = 1
Often the TCP reset comes back really fast - 3 milliseconds e.g.
2254.954148 192.168.1.58 192.168.1.10 54281 -> 9000 [SYN] Seq = 0
2254.954254 192.168.10.1 192.168.1.58 9000 -> 54281 [SYN,ACK] Seq = 0
2254.957301 192.168.1.58 192.168.10.1 54281 -> 9000 [RST] Seq = 1

I've compared the [SYN,ACK] sent by the PC against a successful one and there is no difference.

 

[think2]

Found that Wireshark's Analyze menu - Expert Information shows there are a lot of connections on port 9000 if you click open each line.

Thanks for looking at it. 2000 connections is about right - over three hours.

 

[mxnerd]

I'm a novice on Wireshark, can't really help much unless I learn something new by accident.

But like I said, you better find what app is using that port. (Well, maybe that's the port used by BridgeTab server?)

 

[think2]

That's ok. 9000 is the port the Bridge Scoring app on the PC listens on.

 

[dave_the_nerd]

How many tablets?

Dodgy wifi like that is usually either too many devices connecting to the WAP or tablets with cheap NICs that can see a signal from the WAP just fine, but aren't powerful enough to punch a signal back to it. (In both cases, the devices will report a "good" or "excellent" wifi signal, but connections will cut in and out.)

Get a single tablet and a single WAP within arms reach and LOS of each other and see if you can replicate the problem. If you can't, add tablets and move crap around until you do.

Wifi can also be messed with by external sources of interference. Even fluorescent lighting.

Is the wifi network accessible for other client devices? If you've got 50 people with 50 tablets, the device count could be 100+ once everybody's cell phone connects. Reasonable limits for Ubiquiti devices are listed as 50-250 per WAP, depending on the model. IRL it's usually half whatever the company pretends it is.

 

[dionasaur]

Just a few thoughts:

How far apart are the 2 Access Points?
Are they broadcasting the same exact SSID?

As I have recently done tuning of Unifi APs, this has helped tremendously in resets and retransmission errors as I had issues with endpoints bouncing between access points because radio settings were set on auto.

 

[mxnerd]

The BridgeTab software looks like a VB6 program, which is only single threaded.
http://www.bridgetab.com/html/control_program.html

Really wonder how many concurrent connections the software can handle.
http://www.vbforums.com/showthread....-of-open-connections-you-can-have-via-winsock

==

But even that, I don't understand why so many ACKs?

 

[think2]

I posted a question on a wireshark forum and some incredibly observant person noticed that for the SYN -> ACK messages that open a TCP connection, the source mac address in the SYN is different to the destination mac address in the ACK sent by the PC i.e. the ACK is going to a different access point than the SYN arrived on. Every time this happens a spurious reset occurs. For a successful connection the two mac addresses match on every message I checked. From filtering the wireshark log against one mac address and then the other, 50% are from one access point and 33% from the other one. They should all be from the same access point.

At the moment the two access points have exactly the same SSID and password. We're going to try switching one off or giving them different SSIDs.

@mxnerd - Thanks for looking at it. I think the messages at time 135 are because the tablet is setting itself up. The messages at time 360 are the tablet getting sent the name and registration number of every registered Bridge player in my entire country. I'm even in there!!

@dionasaur - the two access points are around 50 meters apart and fairly high up - more than a normal ceiling. Ah, now that I read your post again I see you've pointed out what the problem is. Our tablets are indeed set up to swap access points when necessary - and they appear to be bouncing like you say!! Thanks.

@mxnerd - wow, great link about VB6. The software is indeed ancient looking. I thought maybe even a "TK" gui it looks so bad. We actually have two problems, the mac address one plus the tablet has a two second timeout where if it doesn't get a response within two seconds it prompts the player to "retry or skip". On some nights we get masses of timeouts. The software maker has given us a new version of tablet software with a configurable timeout to help with that.

@dave_the_nerd - the two access points involved are used only by the Bridge tablets. We have another access point for members who have the authorisation to use it - e..g the manager etc. I didn't know flourescent lighting could affect wifi but the clubrooms are surrounded by apartments and there's a ton of 2GHz signals coming into the building.

Thanks all. Your help is much appreciated.

 

[dionasaur]

@think2 Awesome! Hope you are able to get more stability now