This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We have an internal site at a golf course. They submit credit card transactions to a credit card firm at a site on the internet. They get multiple declines on credit cards many times each day before the transaction goes through.

We, in the network support unit, have been tasked with investigating and solving this issue. We captured traffic from the site to the credit card server on the outside of our firewall. We see the golf course host issue a SYN to begin the session; after several seconds it issues another SYN. The credit card server replies with SYN,ACK. The golf course host then issues an RST, which constitutes a "decline" of the credit card. This occurs from once to 15 or more times before the transaction goes through.

I ran a test from another host issuing a TCP/443 connect to the credit card server every second for 1 day. 94% of the connects occurred in less than 100 millisec. The golf course host sees much longer delays, on the order of 3-10 seconds. I have a 58-packet Wireshark trace of this behaviour.

asked 28 Sep '10, 11:39


AbeFroman


First thing I'd look for is Sequence/Acknowledgement number mismatches or TCP source/destination packet mismatches in the SYN/ACK. These would cause the TCP stack on the host initiating the socket to issue a RST.


answered 28 Sep '10, 12:10


grossman

The problem seems to have more to do with the delays in the response of the credit card host. The golf course host is very time sensitive. The question is why it sees delays from the credit card host but another host on our network does not.

(28 Sep '10, 13:29) AbeFroman

Lots of possible reasons. My default question always is "do they have some sort of device that is doing packet priority queues"? I have seen so-called "WAN accelerators" and "traffic shapers" keep packets up to 10 seconds before actually forwarding them. In your case I would try to find out exactly which devices are between your own network and the credit card host, and then compare that to what devices are in the route from the golf course to the credit card host. If there's nothing special (like the mentioned shapers etc.) you need to find out if there are devices doing Quality of Service etc.

(29 Sep '10, 15:51) Jasper ♦♦
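
The handshake checks discussed in this thread (SYN retransmissions, SYN-to-SYN/ACK delay, the SYN/ACK acknowledgement number, and a client RST after the SYN/ACK), as an added example that is not part of any post above. The packet records, addresses, the `analyze` function and the 1-second threshold are constructed assumptions; real input would come from a capture export.

```python
# Constructed sample records, not taken from the poster's trace:
# (time_s, src, dst, sport, dport, flags, seq, ack); S=SYN, SA=SYN/ACK, A=ACK, R=RST
CLIENT, SERVER = "192.0.2.10", "203.0.113.20"
PACKETS = [
    (0.000, CLIENT, SERVER, 40001, 443, "S", 1000, 0),
    (3.000, CLIENT, SERVER, 40001, 443, "S", 1000, 0),      # SYN retransmission
    (4.200, SERVER, CLIENT, 443, 40001, "SA", 9000, 1001),
    (4.201, CLIENT, SERVER, 40001, 443, "R", 1001, 0),      # client gives up
    (10.000, CLIENT, SERVER, 40002, 443, "S", 2000, 0),
    (10.040, SERVER, CLIENT, 443, 40002, "SA", 7000, 2001),
    (10.041, CLIENT, SERVER, 40002, 443, "A", 2001, 7001),
]
SLOW_AFTER = 1.0  # seconds; assumed threshold, tune to the client's timeout

def analyze(packets, slow_after=SLOW_AFTER):
    """Summarise each handshake attempt, keyed by the client's 4-tuple."""
    flows = {}
    for t, src, dst, sport, dport, flags, seq, ack in sorted(packets, key=lambda p: p[0]):
        if flags == "S":
            f = flows.setdefault((src, sport, dst, dport), {
                "first_syn": t, "isn": seq, "syn_count": 0,
                "synack_delay": None, "ack_ok": None, "client_rst": False})
            f["syn_count"] += 1
        elif flags == "SA":
            f = flows.get((dst, dport, src, sport))
            if f and f["synack_delay"] is None:
                f["synack_delay"] = round(t - f["first_syn"], 3)
                # A valid SYN/ACK acknowledges the client's initial sequence number + 1.
                f["ack_ok"] = ack == (f["isn"] + 1) % 2**32
        elif "R" in flags:
            f = flows.get((src, sport, dst, dport))
            if f and f["synack_delay"] is not None:
                f["client_rst"] = True  # client reset after the SYN/ACK arrived
    for f in flows.values():
        if f["ack_ok"] is False:
            f["verdict"] = "SYN/ACK acknowledgement mismatch"
        elif f["client_rst"] and f["synack_delay"] > slow_after:
            f["verdict"] = "slow SYN/ACK, client reset"
        elif f["client_rst"]:
            f["verdict"] = "client reset"
        elif f["synack_delay"] is None:
            f["verdict"] = "no SYN/ACK seen"
        else:
            f["verdict"] = "ok"
    return flows

if __name__ == "__main__":
    for key, f in analyze(PACKETS).items():
        print(key, f["syn_count"], f["synack_delay"], f["verdict"])
```

Running the same summary on captures taken at the golf course host and outside the firewall shows at which point the SYN or SYN/ACK delay is introduced.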

question asked: 28 Sep '10, 11:39

question was seen: 4,241 times

last updated: 29 Sep '10, 15:52
