This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP-flag SYN

0

After taking a capture and going back to my Wireshark class notes, I know the TCP header size should be between 20 and 32 bytes. Within my environment I am seeing a variation of the TCP SYN flag header length with 40 bytes. We are starting to block it but wanted to get more info on this. If somebody can shed some light.


asked 23 Dec '15, 04:24


Dgo Vrgs
accept rate: 0%

edited 23 Dec '15, 07:01

You're mistaken: the TCP header maximum size is not 32 bytes. Valid TCP header sizes are between 20 and 60 bytes, so 40 bytes is okay. What options do you see in the header? And why do you block headers with 40 bytes?

(23 Dec '15, 05:28) Jasper ♦♦

Jasper, thank you for the response. I'm still trying to figure it out, as there is one specific customer that complains when we see it; not sure if it's the packet length total of 40 bytes or the segment header length of 40 bytes. Gonna do some digging and get an example posted. In either case a packet with length 40 should still be good even if the segment is only 40 bytes.

The actual segment length is 40 bytes. I personally don't see anything wrong with it.

(23 Dec '15, 06:26) Dgo Vrgs

To add to Jasper's reply, here is a possible reason why you are seeing 4 NOPs in a row or more. A known thread that I've seen is that a Cisco device was potentially modifying the TCP options in the past. https://supportforums.cisco.com/discussion/11035321/cisco-asa-831-rtmp-content-fails-play#3218614

(02 Jan '16, 11:32) hunghoong

One Answer:

3

That screenshot lists TCP options that are most certainly bogus. NOPs in TCP options are used for 32 bit alignment, so you never need more than 3 in a row; often you only see one. There are two possibilities here:

  1. an attacker is trying to fool around with your systems, generating weird TCP option sets. In which case it would make sense to block them if you can. Keep in mind that the length of 40 bytes is not a good filter indicator as there may be valid TCP headers with that size.
  2. you have a device in your network that removes valid TCP options and replaces them with NOPs. Some Cisco devices have been known to do this in the past, which is why you see the "Expert Info 4 NOP in a row" warning.

If I were you I'd try to capture the same packets directly at the WAN interface of the router to your internet uplink (the interface closest to the internet which is still under your control), and check if the packets look strange there, too. If so, you've probably got an attacker, but you should still talk to your ISP about it, maybe they know what's happening. If not (and you see correct options instead of the NOPs) you have a device in your network that is misbehaving.

answered 23 Dec '15, 09:59


Jasper ♦♦
accept rate: 18%
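To make the answer's point concrete (a 40-byte header is normal, the anomaly is the run of NOPs), here is an added example that is not part of the original thread. It parses the data-offset nibble and the TCP options field of a raw TCP header, reports the longest run of NOP options the way Wireshark's "4 NOP in a row" expert info does, and compares two hand-constructed SYN headers: an ordinary one carrying MSS, SACK-permitted, timestamps, one alignment NOP and window scale (exactly 40 bytes), and one where everything after MSS has been replaced by NOPs (also 40 bytes). Port numbers, sequence numbers and option values are made up for illustration.

```python
"""Added example (not from the original thread): inspect TCP options in a
raw header and flag runs of NOPs.  Sample headers below are constructed."""
import struct

# TCP option kinds (RFC 793 EOL/NOP/MSS, RFC 7323 WSCALE/TIMESTAMP, RFC 2018 SACK-permitted)
EOL, NOP, MSS, WSCALE, SACK_PERM, TIMESTAMP = 0, 1, 2, 3, 4, 8


def tcp_header_length(tcp: bytes) -> int:
    """Header length in bytes from the 4-bit data offset (valid range 20..60)."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    data_offset = tcp[12] >> 4
    length = data_offset * 4
    if length < 20 or length > 60 or length > len(tcp):
        raise ValueError(f"bad data offset {data_offset}")
    return length


def parse_options(tcp: bytes) -> list:
    """Return [(kind, payload_bytes), ...] for every option in the header."""
    opts = tcp[20:tcp_header_length(tcp)]
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:                 # end of option list; rest is padding
            out.append((EOL, b""))
            break
        if kind == NOP:                 # single-byte option, no length field
            out.append((NOP, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option length byte missing")
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            raise ValueError(f"bad option length {olen} for kind {kind}")
        out.append((kind, opts[i + 2:i + olen]))
        i += olen
    return out


def max_nop_run(options) -> int:
    """Longest sequence of consecutive NOPs; 3 is the most alignment ever needs."""
    run = best = 0
    for kind, _ in options:
        run = run + 1 if kind == NOP else 0
        best = max(best, run)
    return best


def is_syn(tcp: bytes) -> bool:
    return bool(tcp[13] & 0x02)


def build_tcp(flags: int, options: bytes) -> bytes:
    """Assemble a TCP header (checksum left zero) with options padded to a 4-byte boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, data_offset << 4, flags, 65535, 0, 0)
    return fixed + options


def assess(tcp: bytes) -> dict:
    opts = parse_options(tcp)
    run = max_nop_run(opts)
    return {"header_len": tcp_header_length(tcp), "syn": is_syn(tcp),
            "option_kinds": [k for k, _ in opts], "max_nop_run": run,
            "suspicious": run >= 4}


# Constructed sample 1: a typical SYN option set, 20 bytes of options -> 40-byte header.
GOOD_OPTS = (bytes([MSS, 4]) + struct.pack("!H", 1460)
             + bytes([SACK_PERM, 2])
             + bytes([TIMESTAMP, 10]) + struct.pack("!II", 123456, 0)
             + bytes([NOP])
             + bytes([WSCALE, 3, 7]))
GOOD_SYN = build_tcp(0x02, GOOD_OPTS)

# Constructed sample 2: same size, but everything after MSS overwritten with NOPs,
# which is what a middlebox that strips options without shrinking the header produces.
BAD_OPTS = bytes([MSS, 4]) + struct.pack("!H", 1460) + bytes([NOP]) * 16
BAD_SYN = build_tcp(0x02, BAD_OPTS)

if __name__ == "__main__":
    for name, pkt in (("normal SYN", GOOD_SYN), ("NOP-stuffed SYN", BAD_SYN)):
        print(name, assess(pkt))
```

Both headers are 40 bytes, so a Wireshark filter such as `tcp.hdr_len == 40` (or a firewall rule on header size) cannot separate them; only the option contents do. Feeding the parser real captures from the LAN side and from the WAN interface, as the answer suggests, shows directly whether the NOPs are present before or after the suspected device.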

Jasper, thank you so much for the info. A bit late, but this makes sense.

(01 Jan '16, 10:56) Dgo Vrgs

@Dgo Vrgs

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(01 Jan '16, 11:48) grahamb ♦