I am trying to understand the flow of TCP dump data from my server to client. On viewing packets i notices a strange single byte packet which i am not able to interpret its occurrence reason(wthr KEEP ALIVE or zero window probe or regular data packet).
UnIdentified Packet:
13:19:10.247447 IP (tos 0x0, ttl 59, id 50276, offset 0, flags [DF], proto TCP (6), length 53)
172.250.10.10.13824 > 172.11.105.5.49524: Flags [P.], cksum 0x6c72 (correct), seq 1456962400:1456962401, ack 3097881588, win 17680, options [nop,nop,TS val 634650466 ecr 44786420], length 1
0x0000: 4500 0035 c464 4000 3b06 af49 acfa 0a0a [email protected];..I....
0x0010: ac0b 6905 3600 c174 56d7 7b60 b8a5 ebf4 ..i.6..tV.{`....
0x0020: 8018 4510 6c72 0000 0101 080a 25d3 ff62 ..E.lr......%..b
0x0030: 02ab 62f4 00
http://pastebin.com/hmDGLXx4
Also, we noticed below performances from our application. Still trying to find the root cause from the same:
1. Suddenly @ 20:58 , we noticed TCP stopped giving ACK to PUSH message that it received from server.
2. Between 20.58 to 21:15 , from our client application we tried sending data to server, Where send was successful and for those sever request .Application ended up in receiving timeout message.
(**No traces of DATA send found TCPDUMP**)
3. After 20 minutes, socket received ** err:110** in client socket. So, Client application tried to establish new connection with server.Which failed always
4. After performing system reboot we were able to connect with server.
5. when viewing the TCp packets we noticed **seq 1457045850:145704585** multple sequence number cases.What are all the possible reasons that it would occur
TCP PACKET SAMPLE WITH MULTIPLE SEQ NUMBER:
20:58:29.02455364, id 11796), length 64 172.11.105.5.49524 > 172.250.10.10.13824: Flags [.], cksum 0x602c (correct), seq 3097912308, ack 1457045851, win 2003, options [nop,nop,TS val 73309529 ecr 646047661,nop,nop,sack 1 {1457045850:1457045851}], length 0
0x0000: 4500 0040 049b 4000 4006 6a08 ac0b 6905 [email protected]@[email protected]
0x0010: acfa 0a0a c174 3600 b8a6 63f4 56d8 c15b .....t6...c.V..[
0x0020: b010 07d3 602c 0000 0101 080a 045e 9d59 ....`,.......^.Y
0x0030: 2681 e7ad 0101 050a 56d8 c15a 56d8 c15b &.......V..ZV..[
20:58:35.72482059, id 518286), length 53 172.250.10.10.13824 > 172.11.105.5.49524: Flags [P.], cksum 0x0221 (correct), seq 1457045850:1457045851, ack 3097912308, win 17680, options [nop,nop,TS val 646048331 ecr 73277952], length 1
0x0000: 4500 0035 ca74 4000 3b06 a939 acfa 0a0a [email protected];..9....
0x0010: ac0b 6905 3600 c174 56d8 c15a b8a6 63f4 ..i.6..tV..Z..c.
0x0020: 8018 4510 0221 0000 0101 080a 2681 ea4b ..E..!......&..K
0x0030: 045e 2200 00 .^"..
20:58:49.11454159, id 518296), length 53 172.250.10.10.13824 > 172.11.105.5.49524: Flags [P.], cksum 0xfce5 (correct), seq 1457045850:1457045851, ack 3097912308, win 17680, options [nop,nop,TS val 646049670 ecr 73277952], length 1
0x0000: 4500 0035 ca75 4000 3b06 a938 acfa 0a0a [email protected];..8....
0x0010: ac0b 6905 3600 c174 56d8 c15a b8a6 63f4 ..i.6..tV..Z..c.
0x0020: 8018 4510 fce5 0000 0101 080a 2681 ef86 ..E.........&...
0x0030: 045e 2200 00 .^"..
20:59:15.87796659, id 518306), length 53 172.250.10.10.13824 > 172.11.105.5.49524: Flags [P.], cksum 0xf271 (correct), seq 1457045850:1457045851, ack 3097912308, win 17680, options [nop,nop,TS val 646052346 ecr 73277952], length 1
0x0000: 4500 0035 ca76 4000 3b06 a937 acfa 0a0a [email protected];..7....
0x0010: ac0b 6905 3600 c174 56d8 c15a b8a6 63f4 ..i.6..tV..Z..c.
0x0020: 8018 4510 f271 0000 0101 080a 2681 f9fa ..E..q......&...
0x0030: 045e 2200 00
Confused Need some pointer in further understanding.
asked 13 Nov '14, 02:37
Ragav
6●2●2●5
accept rate: 0%
Can you post the actual capture file at http://www.cloudshark.org and give us the link? Reading ASCII dumps is no fun, especially when tracking TCP behavior.
@jaspper : The dump i have here is ascii only.i dont have pcap format i got and i have just now registered myself in cloudshark yet to rx login infos..