This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I interpret this capture in terms of client application failing to successfully connect to server?

0

Hi everyone. I'm an application administrator but my TCP knowledge is minimal. I have done some research trying to work this out on my own but feel like I'm going to need help to make any real progress.

So... here goes. I have one particular customer site from which nobody can successfully connect to our server. They are able to telnet to the correct port. I have over 100 other users from various sites logged in daily who are all working fine. This leads me to believe that the app and networking on my side are ok. The customer is maintaining that there is no problem on their side. They have provided me with the capture below taken from their firewall (x is the client machine, y our server). Please let me know if there's any other information I can provide. And thanks!!

  1 0.000000    x.x.x.x            y.y.y.y         TCP      66     56951 > dnp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
  2 0.048124    y.y.y.y         x.x.x.x            TCP      66     dnp > 56951 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 WS=1 SACK_PERM=1
  3 0.048459    x.x.x.x            y.y.y.y         TCP      54     56951 > dnp [ACK] Seq=1 Ack=1 Win=131072 Len=0
  4 0.048841    x.x.x.x            y.y.y.y         TCP      218    56951 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=164
  5 0.096858    y.y.y.y         x.x.x.x            TCP      582    dnp > 56951 [PSH, ACK] Seq=1 Ack=165 Win=64076 Len=528
  6 0.348782    x.x.x.x            y.y.y.y         TCP      218    [TCP Retransmission] 56951 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=164
  7 0.394633    y.y.y.y         x.x.x.x            TCP      54     [TCP Dup ACK 5#1] dnp > 56951 [ACK] Seq=529 Ack=165 Win=64076 Len=0
  8 0.950533    x.x.x.x            y.y.y.y         TCP      218    [TCP Retransmission] 56951 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=164
  9 0.962175    x.x.x.x            y.y.y.y         TCP      66     56952 > dnp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
 10 0.997604    y.y.y.y         x.x.x.x            TCP      54     [TCP Dup ACK 5#2] dnp > 56951 [ACK] Seq=529 Ack=165 Win=64076 Len=0
 11 0.997818    x.x.x.x            y.y.y.y         TCP      54     56951 > dnp [RST] Seq=165 Win=0 Len=0
 12 1.009475    y.y.y.y         x.x.x.x            TCP      66     dnp > 56952 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 WS=1 SACK_PERM=1
 13 1.009887    x.x.x.x            y.y.y.y         TCP      54     56952 > dnp [ACK] Seq=1 Ack=1 Win=131072 Len=0
 14 1.010024    x.x.x.x            y.y.y.y         TCP      218    56952 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=164
 15 1.059002    y.y.y.y         x.x.x.x            TCP      582    dnp > 56952 [PSH, ACK] Seq=1 Ack=165 Win=64076 Len=528
 16 1.059155    x.x.x.x            y.y.y.y         TCP      54     56952 > dnp [RST] Seq=165 Win=0 Len=0
 17 1.357846    x.x.x.x            y.y.y.y         TCP      66     56953 > dnp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
 18 1.405527    y.y.y.y         x.x.x.x            TCP      66     dnp > 56953 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 WS=1 SACK_PERM=1
 19 1.405893    x.x.x.x            y.y.y.y         TCP      54     56953 > dnp [ACK] Seq=1 Ack=1 Win=131072 Len=0
 20 1.406046    x.x.x.x            y.y.y.y         TCP      430    56953 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=376
 21 1.453000    y.y.y.y         x.x.x.x            TCP      378    dnp > 56953 [PSH, ACK] Seq=1 Ack=377 Win=63864 Len=324
 22 1.453199    x.x.x.x            y.y.y.y         TCP      54     56953 > dnp [RST] Seq=377 Win=0 Len=0
 23 1.453931    x.x.x.x            y.y.y.y         TCP      66     56954 > dnp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
 24 1.501033    y.y.y.y         x.x.x.x            TCP      66     dnp > 56954 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 WS=1 SACK_PERM=1
 25 1.501399    x.x.x.x            y.y.y.y         TCP      54     56954 > dnp [ACK] Seq=1 Ack=1 Win=131072 Len=0
 26 1.501536    x.x.x.x            y.y.y.y         TCP      430    56954 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=376
 27 1.549034    y.y.y.y         x.x.x.x            TCP      378    dnp > 56954 [PSH, ACK] Seq=1 Ack=377 Win=63864 Len=324
 28 1.549141    x.x.x.x            y.y.y.y         TCP      54     56954 > dnp [RST] Seq=377 Win=0 Len=0

asked 21 Jun '13, 06:15

colby


One Answer:

1

For the first connection on port 56951, the client sends a request (frame 4); the server acks and responds with data (5), and the client doesn't seem to receive the response, as it retransmits the request (6). The server acks again (7), the client retransmits the request again (8), then the client appears to give up on that connection and opens another to port 56952 (9). The server again acks the original request (10), and then the client resets that original connection (11) without actually closing it (no FIN).

For the 3 subsequent connection attempts the client sends a reset as soon as the server responds.

Something odd is going on on the client side; the server is behaving correctly. Even if the application data response was incorrect, the client should at least ack it.

answered 21 Jun '13, 09:56

grahamb ♦
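
The pattern described in the answer (the server's data segment is never acknowledged and the client sends a RST instead) can be checked mechanically over a text export of the packet list. This is an added example, not part of the original thread: frames 9 and 12-16 are copied from the question's capture with whitespace collapsed, the port-50000 frames are constructed for contrast, and the function name `unacked_resets` is hypothetical.

```python
import re

SERVER_PORT = "dnp"  # service name exactly as Wireshark printed it in the capture

# Frames 9, 12-16: from the question. Frames 101-104: constructed healthy exchange.
CAPTURE = """\
  9 0.962175 x.x.x.x y.y.y.y TCP 66 56952 > dnp [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
 12 1.009475 y.y.y.y x.x.x.x TCP 66 dnp > 56952 [SYN, ACK] Seq=0 Ack=1 Win=64240 Len=0 MSS=1380 WS=1 SACK_PERM=1
 13 1.009887 x.x.x.x y.y.y.y TCP 54 56952 > dnp [ACK] Seq=1 Ack=1 Win=131072 Len=0
 14 1.010024 x.x.x.x y.y.y.y TCP 218 56952 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=164
 15 1.059002 y.y.y.y x.x.x.x TCP 582 dnp > 56952 [PSH, ACK] Seq=1 Ack=165 Win=64076 Len=528
 16 1.059155 x.x.x.x y.y.y.y TCP 54 56952 > dnp [RST] Seq=165 Win=0 Len=0
101 5.000000 x.x.x.x y.y.y.y TCP 218 50000 > dnp [PSH, ACK] Seq=1 Ack=1 Win=131072 Len=164
102 5.048000 y.y.y.y x.x.x.x TCP 582 dnp > 50000 [PSH, ACK] Seq=1 Ack=165 Win=64076 Len=528
103 5.048300 x.x.x.x y.y.y.y TCP 54 50000 > dnp [ACK] Seq=165 Ack=529 Win=130544 Len=0
104 9.000000 x.x.x.x y.y.y.y TCP 54 50000 > dnp [RST, ACK] Seq=165 Ack=529 Win=0 Len=0
"""

# Frame number, then "<sport> > <dport> [FLAGS] <fields>"; any "[TCP ...]" note is skipped.
FRAME = re.compile(r"^\s*(\d+)\s.*?(\S+) > (\S+) \[([A-Z, ]+)\](.*)$")

def unacked_resets(text, server_port=SERVER_PORT):
    """Return {client_port: (rst_frame, unacked_bytes)} for connections the
    client reset while server payload was still unacknowledged."""
    streams = {}
    for line in text.splitlines():
        m = FRAME.match(line)
        if not m:
            continue
        frame, sport, dport, flags, rest = m.groups()
        f = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", rest)}
        from_server = sport == server_port
        s = streams.setdefault(dport if from_server else sport,
                               {"srv_next": 1, "cli_ack": 1, "rst": None})
        if from_server and f.get("Len", 0) > 0:
            # Highest relative sequence number the server has sent so far.
            s["srv_next"] = max(s["srv_next"], f["Seq"] + f["Len"])
        elif not from_server:
            if "Ack" in f:
                s["cli_ack"] = max(s["cli_ack"], f["Ack"])
            if "RST" in flags:
                s["rst"] = int(frame)
    return {port: (s["rst"], s["srv_next"] - s["cli_ack"])
            for port, s in streams.items()
            if s["rst"] is not None and s["srv_next"] > s["cli_ack"]}

if __name__ == "__main__":
    for port, (frame, missing) in unacked_resets(CAPTURE).items():
        print(f"client port {port}: RST in frame {frame}, {missing} server bytes never acked")
```

Only port 56952 is reported: its RST arrives with all 528 bytes of the server's response unacknowledged, while the constructed port-50000 connection acknowledged the response before resetting.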