Friday, July 29, 2016

How To Confirm Which NIC a Failed telnet Attempt is Going Out Using Wireshark

I was troubleshooting why a FIX session was failing to connect over the Internet when it had worked the previous night.  Initially I thought that the connection was going out the incorrect interface.  Recently, I'd added a virtual NIC to the virtual machine, and realized that some traffic that was previously going over the NIC with Internet connectivity was now going over the new NIC (which is connected to our internal management network).  I defined a route to ensure the traffic to the FIX session in question would go out the Internet-facing NIC, but wanted to confirm absolutely that the traffic was going out that interface (because otherwise, it would never reach the Internet).  I ran a continuous telnet test to the IP and port and fired up Wireshark.  I initially tried to filter on the port in question, but saw no traffic.  So, I tried several other Wireshark filters to try to see packets related to the failing telnet test:
  • tcp.port==xxxxx
  • udp.port==xxxxx
  • telnet
  • ip.addr==the IP I was trying to reach


No packets whatsoever in Wireshark.  What the heck?  Admittedly, I'm a relative networking newbie, so I don't have a firm grasp of the protocols and packets used by a telnet connection attempt.  What was I finally able to use to figure out that the traffic was absolutely going out the Internet-facing NIC?  I filtered on the ARP protocol (Wireshark filter arp) on a whim, and was able to see that the request for the IP address in question was indeed going out that interface.  This also explains why the earlier filters matched nothing: the host has to resolve the next hop's MAC address with ARP before it can send the TCP SYN, and an ARP request is not an IP packet, so tcp.port, udp.port, telnet and ip.addr all ignore it.  In this example, the ARP "who has x.x.x.x?" told me the traffic was going out the correct interface.

[Screenshot: ARP "who has x.x.x.x?" packets]

Now to go find my firewall colleague to tell me whether the traffic is indeed reaching the Internet.  If it is, then the issue is likely at the site that I'm trying to connect to...
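The same check done offline, as an added example that is not part of the original post: decode raw Ethernet/ARP frames captured per interface and report which NIC emitted the "who has <target>?" requests. The interface names, MAC addresses and the documentation-range IPs are constructed placeholders, not values from the post; a real capture from Wireshark or tshark would be exported as raw frames first.

```python
import struct
from ipaddress import IPv4Address

# Ethernet header (dst MAC, src MAC, EtherType) followed by an IPv4-over-Ethernet ARP packet.
ETH_HDR = struct.Struct("!6s6sH")
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1  # opcode 1 = request ("who has"), 2 = reply ("is at")

def parse_arp_request(frame: bytes):
    """Return (sender_ip, target_ip) if the frame is an ARP 'who has' request, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None  # IP traffic, VLAN-tagged frames etc. are not ARP
    htype, ptype, hlen, plen, oper, _sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REQUEST:
        return None
    return str(IPv4Address(spa)), str(IPv4Address(tpa))

def interfaces_asking_for(captures, target_ip):
    """Map interface name -> number of ARP requests for target_ip seen on that interface."""
    hits = {}
    for ifname, frames in captures.items():
        count = 0
        for frame in frames:
            parsed = parse_arp_request(frame)
            if parsed and parsed[1] == target_ip:
                count += 1
        if count:
            hits[ifname] = count
    return hits

def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Build a broadcast ARP request; used here only to construct sample input."""
    eth = ETH_HDR.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac,
                       IPv4Address(sender_ip).packed, b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp

# Constructed captures (placeholder addresses): the Internet-facing NIC asks for the FIX host,
# the management NIC only asks for its own gateway.
SAMPLE_CAPTURES = {
    "eth0-internet": [build_arp_request(b"\x00\x11\x22\x33\x44\x55", "198.51.100.20", "203.0.113.10")] * 3,
    "eth1-mgmt": [build_arp_request(b"\x00\x11\x22\x33\x44\x66", "10.0.0.5", "10.0.0.1")],
}

if __name__ == "__main__":
    print(interfaces_asking_for(SAMPLE_CAPTURES, "203.0.113.10"))  # {'eth0-internet': 3}
```

If the route to the destination goes via a gateway rather than being on-link, the ARP target you should look for is the gateway's address, not the destination itself.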