Heroes of Packet Analysis Quiz
12: What clues can we offer around the synchronization failures?
Two database servers in a hospital synchronize with each other 7x24, updating each other on the flow of lab results; clinicians then consult these lab results to make care decisions. Intermittently, this synchronization process fails for hours at a time, requiring manual intervention to restore. The databases speak the HL7 protocol, a protocol for which Wireshark does not contain a dissector: Wireshark can only show us Layers 1-3.
A. The TCP Stack inside 10.10.80.102 contains a bug which caused it to miscalculate where it was in the TCP stream (TCP Ack arithmetical error), breaking the TCP conversation.
B. The TCP Layer is fine, which suggests that the Network is correctly transmitting frames; look for bugs in the Client’s or Server’s implementation of HL7.
C. The Network dropped a huge number of frames between 604 and 605; look for a major Network outage during that period.
D. This pcap is flawed: the Packet Analyzer dropped a huge number of frames between 604 and 605, causing Wireshark to misinterpret what it sees. Capture again, but this time use a hardware analyzer, like a ProfiShark, to reduce the chances of dropping frames.
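An added example, not from the quiz or its author: a small Python classifier for the hole in the stream that answers C and D disagree about. It applies the rule Wireshark's expert info uses (the peer ACKing bytes that were never captured, with no retransmission, points at the analyzer; duplicate ACKs followed by a retransmission point at the network) to constructed segment records, since the real pcap is not on the page.

```python
from collections import namedtuple

# Constructed segment record: frame no., sending host, absolute seq, payload length, ACK.
Seg = namedtuple("Seg", "frame src seq length ack")

def classify_gap(segs, sender):
    """Find the first hole in `sender`'s data and say which kind of loss it resembles.
    Network loss: peer dup-ACKs the byte before the hole until the sender retransmits.
    Capture loss: peer ACKs bytes the analyzer never saw; sender never retransmits.
    """
    expected = None
    for i, s in enumerate(segs):
        if s.src != sender or s.length == 0:
            continue
        if expected is not None and s.seq > expected:
            gap_start, gap_end, after = expected, s.seq, segs[i:]
            break
        expected = max(expected or 0, s.seq + s.length)
    else:
        return {"gap": None, "verdict": "no gap"}
    # First retransmission of the missing bytes, if the sender ever sent one.
    retx = next((j for j, s in enumerate(after)
                 if s.src == sender and s.length and s.seq == gap_start), None)
    before_retx = after if retx is None else after[:retx]
    # Did the peer acknowledge bytes we never captured, before any retransmission?
    acked_unseen = any(s.src != sender and s.ack > gap_start for s in before_retx)
    if retx is not None and not acked_unseen:
        verdict = "network loss: peer dup-ACKed and sender retransmitted"
    elif retx is None and acked_unseen:
        verdict = "capture loss: peer ACKed bytes the analyzer never saw"
    else:
        verdict = "inconclusive"
    return {"gap": (gap_start, gap_end), "verdict": verdict}

# Constructed traces, not the quiz's pcap. Host A sends lab data, host B ACKs it.
CAPTURE_LOSS = [
    Seg(601, "A", 1, 100, 1), Seg(602, "B", 1, 0, 101),
    Seg(603, "A", 101, 100, 1), Seg(604, "B", 1, 0, 201),
    Seg(605, "A", 5001, 100, 1), Seg(606, "B", 1, 0, 5101),  # ACK jumps past the hole
]
NETWORK_LOSS = [
    Seg(601, "A", 1, 100, 1), Seg(602, "B", 1, 0, 101),
    Seg(603, "A", 201, 100, 1), Seg(604, "B", 1, 0, 101),  # dup ACK: 101-200 missing
    Seg(605, "A", 301, 100, 1), Seg(606, "B", 1, 0, 101),  # dup ACK
    Seg(607, "A", 101, 100, 1), Seg(608, "B", 1, 0, 401),  # retransmit, then ACK advances
]
```

Calling classify_gap on each trace with sender "A" returns the hole's byte range and the verdict; an "inconclusive" result means the two signals disagree and the capture should be inspected by hand.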
Who asked the question:
System Engineer at Allen Institute
Specializing in transport, monitoring, and packet analysis, he provides mentoring and communication training, teaches Root Cause Analysis workshops, and coordinates the efforts of multiple groups interacting with multiple vendors to solve problems or design solutions. He also runs skendric.com.
Read his white papers: In-Line Tapping in the Data Center