US Robotics 9110 Downloads Freezing...

  BBez 14:50 01 Oct 06

Hi, just installed a USR 9110 Wireless router and am experiencing severe headaches with downloads freezing at 100%, but not completing.

If say it's a 100MB file, it'll (whatever download manager or browser i use) sit on 100% with 99.9MB completed. The only way to get the file is to cancel and re-download, but, this is doubling my bandwidth usage.

I'm sure it's the router because i'm testing the same files at my girlfriend's, who is running a BT Voyager 210 router, and the same links are downloading fine...

I'm using the wireless functions of the USR 9110 as the kids have a PC in their bedroom and i have the router firewall enabled. I've also flashed the firmware to latest version as soon as it came out of the box.

I'm sure there is something up with configuration that is closing the TCP/IP connection just short of download completion but can't work out what it is...

Running XP SP2 with patched "tcpip.sys" file as i had to increase the number of available connections from 10 to 50...

The main problem is with rapidshare files that i need to get from my work, so i can finish documents etc at home.

The problem exists in:

Firefox
IE
Flashget
RapidGet

all with the same results of dl's hanging at last few kb's of data, but, seemingly random with the files...

  ade.h 17:39 01 Oct 06

Download and run a network analyser to monitor the sustained download rate and sniff for dropped packets, particularly towards the end of each large download. Because of the other uses for such software, I won't provide any specific links but instead suggest that you search Google and/or the popular download sites.

  BBez 16:31 02 Oct 06

thanks, i'll try Ethereal as i used it at uni a lot...

  BBez 23:48 03 Oct 06

Managed to finally capture a failed download. Getting a lot of Duplicate ACKs...

Warnings:

Summary,Group,Protocol,Count
Sequence,TCP,Previous segment lost (common at capture start),991
Sequence,TCP,Fast retransmission (suspected),605
Sequence,TCP,Out-Of-Order segment,14
Sequence,TCP,ACKed lost segment (common at capture start),9

Notes:

Summary,Group,Protocol,Count
Sequence,TCP,Retransmission (suspected),2343
Sequence,TCP,Window update,39
Sequence,TCP,Duplicate ACK (#1) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#2) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#3) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#4) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#5) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#6) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#7) to ACK in packet #270,1
Sequence,TCP,Duplicate ACK (#1) to ACK in packet #292,1
Sequence,TCP,Duplicate ACK (#1) to ACK in packet #304,1
Sequence,TCP,Duplicate ACK (#2) to ACK in packet #304,1
Sequence,TCP,Duplicate ACK (#3) to ACK in packet #304,1
Sequence,TCP,Duplicate ACK (#1) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#2) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#3) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#4) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#5) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#6) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#7) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#8) to ACK in packet #414,1
Sequence,TCP,Duplicate ACK (#9) to ACK in packet #414,1

lots more before end of file, omitted to save forum load...

Sequence,TCP,Duplicate ACK (#1) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#2) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#3) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#4) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#5) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#6) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#7) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#8) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#9) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#10) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#11) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#12) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#13) to ACK in packet #182009,1
Sequence,TCP,Duplicate ACK (#14) to ACK in packet #182009,1

Is this the router that's failing to update the window size or is it at the server end as i believe RS servers are using SSL recently...

Could it be the patched tcpip.sys file i'm running..?

any help thanks, i've got the hammer sitting on top of the router at the moment ;~)

  BBez 19:21 04 Oct 06

OK, now know that the above behaviour is normal, what is happening is my PC is not sending the FIN control signal although i'm not sure which way.

click here for info on how i came to this conclusion.

Also my router firewall's security log keeps listing a TCP FIN Scan which i'm thinking now it's the router that is causing the connection problem...

Log from Router:

10/04/2006 17:54:02 **TCP FIN Scan** 192.168.2.100, 1363->> 145.97.39.156, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1517->> 62.103.124.7, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1474->> 199.245.238.13, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1419->> 141.146.8.66, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1368->> 63.214.183.124, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1489->> 68.142.213.135, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1506->> 82.71.193.208, 80 (from ATM1 Outbound)

Router Intrusion Detection Config:

click here

Any help appreciated as i don't want to disable the router's firewall...
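
An added example (not part of the thread) of triaging a firewall log like the one posted above: it parses the line layout seen in those entries and groups alerts by internal host and direction. The field layout and the MM/DD/YYYY date order are inferred from the quoted lines; the function names are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Four lines copied from the router log quoted in the post above.
SAMPLE_LOG = """\
10/04/2006 17:54:02 **TCP FIN Scan** 192.168.2.100, 1363->> 145.97.39.156, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1517->> 62.103.124.7, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1474->> 199.245.238.13, 80 (from ATM1 Outbound)
10/04/2006 17:53:50 **TCP FIN Scan** 192.168.2.100, 1419->> 141.146.8.66, 80 (from ATM1 Outbound)
"""

# Assumed layout: date time **alert** src, sport->> dst, dport (from iface direction)
LINE_RE = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \*\*(?P<alert>[^*]+)\*\* "
    r"(?P<src>[\d.]+), (?P<sport>\d+)->> (?P<dst>[\d.]+), (?P<dport>\d+) "
    r"\(from (?P<iface>\S+) (?P<direction>\w+)\)"
)

def parse_alerts(text):
    """Return one dict per recognised alert line; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %H:%M:%S")
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            alerts.append(rec)
    return alerts

def summarise(alerts):
    """Group by (alert, source host, direction): count, distinct targets, peak rate."""
    groups = defaultdict(lambda: {"count": 0, "dests": set(), "dports": set(),
                                  "per_second": Counter()})
    for a in alerts:
        g = groups[(a["alert"], a["src"], a["direction"])]
        g["count"] += 1
        g["dests"].add(a["dst"])
        g["dports"].add(a["dport"])
        g["per_second"][a["ts"]] += 1
    return {k: {"count": g["count"], "dests": sorted(g["dests"]),
                "dports": sorted(g["dports"]),
                "peak_per_second": max(g["per_second"].values())}
            for k, g in groups.items()}

if __name__ == "__main__":
    for (alert, src, direction), s in summarise(parse_alerts(SAMPLE_LOG)).items():
        print(f"{alert} from {src} ({direction}): {s['count']} alerts, "
              f"{len(s['dests'])} destinations, ports {s['dports']}, "
              f"peak {s['peak_per_second']}/s")
```

When every alert is outbound from a single LAN address, as here, the summary names the machine on the inside whose connection teardown the firewall is objecting to, which is the host to examine first.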

  ade.h 20:07 04 Oct 06

Excellent image - thanks for that. The TCP FIN wait time controls how long the firewall waits for activity to start again, so you might have some success by increasing those figures. You won't do any harm by doing so at least. click here for a bit of blurb about TCP, which has a good diagram that shows what the FIN wait does.

  BBez 20:55 04 Oct 06

Thank you for the link ade.h.

Have a better understanding of what Wireshark is telling me now.

Will sit and capture for a while and see what is going missing during sessions...

  BBez 21:09 05 Oct 06

Finally got to the bottom of this. Somehow a rootkit had got into my system and was killing the TCP FIN on my connection.

AVG and trojan scanners didn't detect it due to the rootkit being a silent install, very sly.

Anyways, when i had a TCP FIN WAIT connected to an Oracle DBA connection i figured something was up, found this out with netstat...

Still, learned a lot about TCP / IP connections and states...

Thanks for the pointers ade.h, wouldn't have sussed this out without the help...
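
An added example (not part of the thread) of the kind of netstat review described in the post above: it lists TCP connections whose remote port is outside what the machine is expected to use and counts half-closed connections per process. The sample output is constructed in the numeric `netstat -ano` layout, and the allowlist and function names are assumptions for illustration.

```python
from collections import Counter

# Constructed sample in `netstat -ano` layout (documentation addresses, made-up PIDs).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    192.168.2.100:1363     198.51.100.20:80       ESTABLISHED     3120
  TCP    192.168.2.100:1368     198.51.100.21:80       FIN_WAIT_2      3120
  TCP    192.168.2.100:1402     203.0.113.77:1521      FIN_WAIT_2      1844
  TCP    192.168.2.100:1410     198.51.100.22:443      TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

EXPECTED_REMOTE_PORTS = {80, 443}  # assumption: this PC is only used for web browsing
HALF_CLOSED = {"FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "LAST_ACK"}

def parse_tcp(text):
    """Return a dict per TCP row; headers, UDP rows and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        host, _, port = remote.rpartition(":")
        if port.isdigit() and pid.isdigit():
            rows.append({"local": local, "remote_host": host,
                         "remote_port": int(port), "state": state, "pid": int(pid)})
    return rows

def unexpected_remotes(rows, expected_ports=EXPECTED_REMOTE_PORTS):
    """Connections (not listeners) to remote ports outside the allowlist."""
    return [r for r in rows
            if r["state"] != "LISTENING" and r["remote_port"] not in expected_ports]

def half_closed_by_pid(rows):
    """Count connections stuck part-way through teardown, per owning process."""
    return Counter(r["pid"] for r in rows if r["state"] in HALF_CLOSED)

if __name__ == "__main__":
    rows = parse_tcp(SAMPLE_NETSTAT)
    for r in unexpected_remotes(rows):
        print(f"unexpected: {r['local']} -> {r['remote_host']}:{r['remote_port']} "
              f"{r['state']} pid={r['pid']}")
    print("half-closed per pid:", dict(half_closed_by_pid(rows)))
```

On a machine suspected of carrying a rootkit, local netstat output can be incomplete, so compare it with what the router log or a capture taken on another device shows.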

  ade.h 21:50 05 Oct 06

No problem - it was certainly a tricky one. Thanks for the feedback.

Out of interest, which rootkit scanner did you use?

  BBez 06:36 06 Oct 06

I got a hold of a rootkit disc which included a util called GMER; this let me look at netstat -a and confirm something was not right...

4 years of Networking at uni wasn't a complete waste of time then as i never gained employment through it.

Hadn't even heard of rootkits before, just hoping the DBA site wasn't connecting up to my bank logins etc... gonna change all passwords tonight after work... thanks again...

Barry

  BBez 06:42 06 Oct 06

forgot to mention that the router was indeed functioning correctly as the TCP FIN SCANs have disappeared...

This thread is now locked and can not be replied to.