This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Duplicate SYN, same source port and same destination port

0

Hi,

I am looking at a trace to monitor a TCP/IP connection over GPRS and I am noticing that I see two consecutive SYN messages (with a difference of a couple of seconds) everytime there is a connection attempt. I notice that in these 2 SYN messages the source port is always the same, and there is nothing wrong at checksum level. I don't think this is being done at application level. Can you help me to understand this behavior? I can post here the 2 frames if it helps.

Best regards

asked 26 Aug '13, 04:38

cpzao's gravatar image

cpzao
1111
accept rate: 0%

Could this be related to routing issues?

(26 Aug '13, 05:06) cpzao

One Answer:

0

I see two consecutive SYN messages (with a difference of a couple of seconds) everytime there is a connection attempt

That's (most certainly) the TCP retry algorithm if there is no answer to the first SYN packet.

Typical reasons for a missing SYN-ACK:

  • A failure in the server software (TCP stack or application), where it drops the first SYN. This is rather unusual.
  • Overload on the server, which leads to a drop of the first SYN packet. This happens from time to time.
  • A firewall and/or a load balancer either blocks or drops the first SYN and/or the SYN-ACK packet. This is a rather common problem.
  • The SYN-ACK does not get through to the client, due to routing problems (backward route not correct). This happens rather seldom, and in your case the seconds SYN-ACK gets through, so a routing problem is either not involved or caused by a problem with dynamic routing protocols (works, does not work, works, does not, etc.).

The best way to figure out what's going on is to capture near (or on) the client and the server and then compare the capture files to figure out which packet (SYN or SYN-ACK) get lost at what point in the path.

Regards
Kurt

answered 26 Aug '13, 05:59

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%