This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to best analyze two different captures


I have two captures from each firewall for two sites connected by VPN tunnel. From the sending side host (site1) capture, Wireshark is reporting many TCP Zero Window and Update flags coming from the receiving side (site 2). Looking at the receiving (site2) capture, there are no TCP Zero Window and Update flags reported but only TCP retransmissions and Dup Ack. Having two sided captures, I would expect to see the same TCP Zero Window and Update for the receiving side but that's not the case. I would like advice on what's the best way to analyze to rule out if it could be a firewall issue or the clients themselves.

asked 03 Oct '13, 15:32


ws2006


One Answer:


It looks like you're expecting the captures to show the same packets taken at the same time in two different locations, so the first thing to do is to verify whether that assumption is correct or whether the packets aren't from the same connections. To do that I'd filter on the SYN packets only (tcp.flags=0x02) and compare the TCP initial sequence numbers. If you can't find a match you have some sort of proxying going on, which means that matching the sessions will be very difficult since the TCP connections are completely different. In that case you need to find out why this happens, and what kind of devices are involved (maybe a normal proxy, maybe WAN accelerators, etc.).

If you can find the same SYN packets on both sides you just go and filter on the session, and not by TCP stream number, because it may be different. Use a conversation filter instead, meaning that you filter on IP and port of both client and server. After that, you need to start comparing the single packets of the conversations to see what is different.

answered 03 Oct '13, 22:54


Jasper ♦♦
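The matching procedure from the answer above (compare the SYN initial sequence numbers on both sides, then build a conversation filter on IP and port rather than on the tcp.stream number) as an added Python example that is not part of the original thread. It assumes the SYN packets were first exported from each capture with tshark as tab-separated fields (ip.src, tcp.srcport, ip.dst, tcp.dstport, tcp.seq_raw); the two sample exports below are constructed, not taken from the asker's captures.

```python
"""Match TCP sessions across two captures by their SYN initial sequence numbers (ISN)."""
from collections import namedtuple

Syn = namedtuple("Syn", "src sport dst dport isn")

# Constructed sample exports, one SYN per line, as produced by:
#   tshark -r siteN.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#     -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e tcp.seq_raw
SITE1_SYNS = (
    "10.1.0.5\t51234\t10.2.0.20\t445\t2882400001\n"   # seen unchanged at site2
    "10.1.0.5\t51240\t10.2.0.20\t443\t1742315089\n"   # ISN differs at site2 (proxied)
    "10.1.0.9\t51300\t10.2.0.20\t8080\t555000111\n"   # same ISN, addresses rewritten (NAT)
)
SITE2_SYNS = (
    "10.1.0.5\t51234\t10.2.0.20\t445\t2882400001\n"
    "10.1.0.5\t51240\t10.2.0.20\t443\t906745231\n"
    "203.0.113.7\t40001\t10.2.0.20\t8080\t555000111\n"
)

def parse_syns(text):
    """Parse the tab-separated tshark field output into Syn records."""
    syns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, isn = line.split("\t")
        syns.append(Syn(src, int(sport), dst, int(dport), int(isn)))
    return syns

def conversation_filter(s):
    """Display filter for the whole conversation; works on both captures even when
    tcp.stream numbering differs, which is why the answer advises against tcp.stream."""
    return (f"ip.addr=={s.src} && ip.addr=={s.dst} && "
            f"tcp.port=={s.sport} && tcp.port=={s.dport}")

def compare_captures(site1_text, site2_text):
    """Return (matched, unmatched). matched holds (site1_syn, site2_syn, natted) triples
    whose ISN appears in both captures; unmatched SYNs have no counterpart, which
    points at a proxy or WAN accelerator terminating the connection in between."""
    by_isn = {s.isn: s for s in parse_syns(site2_text)}
    matched, unmatched = [], []
    for s in parse_syns(site1_text):
        other = by_isn.get(s.isn)
        if other is None:
            unmatched.append(s)
            continue
        # Same ISN but a different 4-tuple means address translation between the capture points.
        natted = (s.src, s.sport, s.dst, s.dport) != (other.src, other.sport, other.dst, other.dport)
        matched.append((s, other, natted))
    return matched, unmatched

if __name__ == "__main__":
    matched, unmatched = compare_captures(SITE1_SYNS, SITE2_SYNS)
    for s, other, natted in matched:
        print(("NAT  " if natted else "SAME ") + conversation_filter(s))
    for s in unmatched:
        print("PROXY? no matching ISN for " + conversation_filter(s))
```

For a matched pair, apply the printed filter in both Wireshark windows and step through the packets side by side; an unmatched SYN means the receiving side's capture shows a different TCP connection, so the Zero Window packets were generated by the device in between and not by the client.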