This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP out of sequence on HTTP POST

Hi, I am having an intermittent issue where sometimes an HTTP POST to my proxy server results in a 405, Invalid Method response. After capturing both a successful and unsuccessful POST I have noted the following.

Both captures start with a normal 3-way handshake. After this they diverge.

The successful one is as follows:

  1. Sequence Number 1, Segment Length 1380, Next Sequence Number 1381, Flags ACK - This packet contains the HTTP POST request method
  2. Sequence Number 1381, Segment Length 134, Next Sequence Number 1515, Flags PSH,ACK
  3. Sequence Number 1515, Segment Length 1380, Next Sequence Number 2895, Flags ACK
  4. Sequence Number 2895, Segment Length 357, Next Sequence Number 3252, Flags PSH, ACK

The stream which results in the 405 has these same three frames with the sequence order reversed, i.e.:

  1. Sequence number 1, Segment Length 1380, Next Sequence Number 1381, Flags ACK
  2. Sequence Number 1381, Segment Length 357, Next Sequence Number 1738, Flags PSH,ACK
  3. Sequence Number 1738, Segment Length 1380, Next Sequence Number 3118, Flags ACK - This packet contains the HTTP POST
  4. Sequence Number 3118, Segment Length 134, Next Sequence Number 3252, Flags PSH, ACK

So it would seem to me that the TCP segments are being passed down out of order. Am I interpreting this correctly? It seems suspicious that there are two segments of exactly the same size (1380) with an ACK flag, each of which is followed by a second segment with a PSH flag. Each pair is correct, but the order of the pairs is wrong.

Why would this be happening?

asked 27 Oct '15, 21:42

Jeremy Hagan

Could you provide us a trace in a publicly accessible place?

(27 Oct '15, 23:00) Christian_R
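
A contiguity check over the two segment lists quoted in the question, as an added example that is not part of the original post or comment: it reports whether each capture's segments arrive in sequence-number order and at which stream offset the segment annotated as carrying the POST sits. The function names are hypothetical, and relative sequence numbers starting at 1 (as Wireshark displays them) are assumed.

```python
from typing import NamedTuple

class Segment(NamedTuple):
    seq: int        # relative sequence number
    length: int     # TCP segment length
    flags: str
    note: str = ""  # annotation given in the question, if any

# Values transcribed from the question, in capture order.
SUCCESSFUL = [
    Segment(1, 1380, "ACK", "HTTP POST request method"),
    Segment(1381, 134, "PSH,ACK"),
    Segment(1515, 1380, "ACK"),
    Segment(2895, 357, "PSH,ACK"),
]
FAILING = [
    Segment(1, 1380, "ACK"),
    Segment(1381, 357, "PSH,ACK"),
    Segment(1738, 1380, "ACK", "HTTP POST"),
    Segment(3118, 134, "PSH,ACK"),
]

def sequence_gaps(segments, initial_seq=1):
    """List (index, expected_seq, actual_seq) for every segment that does
    not start where the highest byte seen so far ended (capture order)."""
    gaps, expected = [], initial_seq
    for i, seg in enumerate(segments):
        if seg.seq != expected:
            gaps.append((i, expected, seg.seq))
        expected = max(expected, seg.seq + seg.length)
    return gaps

def stream_layout(segments, initial_seq=1):
    """Order segments by sequence number, as the receiving stack does,
    and return (stream_offset, length, note) for each."""
    ordered = sorted(segments, key=lambda s: s.seq)
    return [(s.seq - initial_seq, s.length, s.note) for s in ordered]

def post_offset(segments):
    """Stream offset of the segment annotated as containing the POST."""
    for offset, _length, note in stream_layout(segments):
        if "POST" in note:
            return offset
    return None

if __name__ == "__main__":
    for name, capture in (("successful", SUCCESSFUL), ("failing", FAILING)):
        print(name, "gaps:", sequence_gaps(capture),
              "POST at stream offset:", post_offset(capture))
```

For the values quoted, both lists are contiguous in capture order; they differ in the byte offset of the segment annotated as containing the POST (0 versus 1737).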