This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP OPTION 0x26 added to SYN packet

0

Hello,

I just came across this very strange unknown TCP option:

Options: (28 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted, End of Option List (EOL)

    Maximum segment size: 1460 bytes
    No-Operation (NOP)
    No-Operation (NOP)
    TCP SACK Permitted Option: True
    Unknown (0x26) (18 bytes)
    End of Option List (EOL)

It is 18 bytes long and contains the MAC address and IP address of the PC:

26|12|18|a9|05|cf|58|1a|cd|01|0a|63|c0|91|22|00|00|00

Anyone any idea? Should I be thinking virus?

asked 13 May '13, 06:00

geert
16113
accept rate: 0%

edited 13 May '13, 06:01
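
Added example, not part of the original posts: a small TCP options walker in Python that flags option kinds outside a local allow-list, run on the options field from the question. The 18 bytes of option 0x26 are copied from the question; the other bytes are reconstructed from the Wireshark decode shown there, and the names `parse_tcp_options`, `unexpected_options` and `KNOWN` are assumptions of this example.

```python
# Added example: walk a TCP options field (kind/length/value) and flag
# option kinds that are not on a local allow-list.
KNOWN = {0: "EOL", 1: "NOP", 2: "MSS", 3: "Window scale",
         4: "SACK permitted", 5: "SACK", 8: "Timestamps"}  # allow-list chosen for this example


def parse_tcp_options(raw: bytes):
    """Return [(kind, total_length, payload), ...]; raise ValueError if malformed."""
    opts, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: anything after it is padding
            opts.append((kind, 1, b""))
            break
        if kind == 1:                      # NOP: single byte, no length field
            opts.append((kind, 1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option 0x{kind:02x} at offset {i} has no length byte")
        length = raw[i + 1]                # length counts the kind and length bytes too
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option 0x{kind:02x} at offset {i} has bad length {length}")
        opts.append((kind, length, raw[i + 2:i + length]))
        i += length
    return opts


def unexpected_options(raw: bytes):
    """Options whose kind is not in KNOWN, e.g. ones inserted by a middlebox or agent."""
    return [o for o in parse_tcp_options(raw) if o[0] not in KNOWN]


# The 18 bytes of option 0x26, copied from the question.
OPT_26 = bytes.fromhex("2612" "18a905cf581acd01" "0a63c09122000000")
# Remaining bytes reconstructed from the decode in the question (constructed sample):
# MSS 1460, NOP, NOP, SACK permitted, option 0x26, EOL, one padding byte = 28 bytes.
SAMPLE = bytes.fromhex("020405b4" "0101" "0402") + OPT_26 + b"\x00\x00"

if __name__ == "__main__":
    for kind, length, payload in parse_tcp_options(SAMPLE):
        name = KNOWN.get(kind, "UNKNOWN")
        print(f"kind=0x{kind:02x} len={length:2d} {name:15s} {payload.hex('|')}")
```

The length checks matter when the input is attacker-influenced or truncated: a length below 2 or past the end of the field raises instead of looping or reading out of range.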


3 Answers:

1

I have found it myself. It seems to be an option inserted by JunOS Pulse VPN software when you enable JunOS WAN optimisation. The problem is that it changes all packets even when the software is not active, and it is incompatible with Riverbed optimisation because it takes too much space in the TCP option headers :-)

answered 13 May '13, 14:07

geert
16113
accept rate: 0%

As I said, a WAN acceleration solution ;-)

(13 May '13, 14:37) Kurt Knochner ♦

0

That's probably a load balancer (or a WAN accelerator) that uses this feature to add information about the original client connection (IP and MAC) to the load balanced backend server (or the next lb).

See a similar question: http://ask.wireshark.org/questions/20697/tcp-option-171-added-in-syn-packet

What is the MAC address of the packet? Maybe the vendor code of the MAC address reveals a possible load balancing (or WAN acceleration) product.

Regards
Kurt

answered 13 May '13, 06:07

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 13 May '13, 06:09

0

According to http://www.iana.org/assignments/tcp-parameters/tcp-parameters.xml this option is a compression setting. Looks like the client has some kind of unusual/experimental stack setup and tries to negotiate/establish additional TCP parameters.

I don't think this is a virus.

answered 13 May '13, 06:07

Jasper ♦♦
23.8k551284
accept rate: 18%