This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Retransmissions to port 445

0

Hello guys,

I have these SYN packets going from the IP 192.168.10.64, a quarantine server running on VMware, to 172.16.128.52 on port 445, a machine connected via VPN at a different location.

Every packet goes from this IP to the other.

The capture has been made from the firewall.

So this is how it occurs:

  1. On the first message the source MAC address is the quarantine server's, and the destination MAC is my firewall's. (TTL=128)
  2. The second message is marked as TCP Out-Of-Order; the source MAC address is the firewall's and the destination is the Cisco router's. (TTL=127)
  3. The third message is a TCP Retransmission; the source MAC is the router's and the destination is the firewall's. (TTL=126)
  4. The fourth message is another TCP Retransmission; the source MAC is the firewall's, the destination the router's. (TTL=125)
  5. From this moment on, the third and fourth messages repeat until the TTL decreases to 28. And then it just stops.

Not even one second later, a new SYN packet from the quarantine's MAC address goes to the firewall's MAC address, with a new source port. Still the same source & destination IP.

Do you have an idea of what could be the reason for all these retransmissions? Is this normal behavior?

Thank you very much for your time.

Edit: here is the pcap file; I used the filter "ip.addr == 192.168.10.64 && ip.addr == 172.16.128.52"

asked 12 Feb '16, 00:52


ITDeo
accept rate: 0%

edited 12 Feb '16, 02:49

You'll likely get a much more informed response if you post a capture somewhere publicly available, rather than your textual interpretation of it.

(12 Feb '16, 02:21) grahamb ♦

You're right, I edited & added the file

(12 Feb '16, 02:51) ITDeo

One Answer:

0

You have a routing loop there.

The 1st packet goes from the sender to the firewall box.

The 2nd packet goes from the firewall box to the Cisco router.

The 3rd packet goes from the Cisco router back to the firewall.

Then this loop repeats until the TTL fulfils its purpose and stops it because it reaches 0.

So please check why the firewall uses the Cisco as its route for packets to 172.16.128.52, and why the Cisco uses the firewall as its route for these packets, and fix the routing at that box at which it is wrong.

answered 12 Feb '16, 05:56


sindy
accept rate: 24%

edited 12 Feb '16, 05:58
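The signature sindy describes (the same segment seen over and over, the IP TTL dropping by one per copy, and the Ethernet source/destination alternating between the same two boxes) can be checked mechanically once the packet fields are exported. The script below is an added example, not part of the original question or answer. The MAC addresses, the TCP sequence number and the packet list are constructed to mirror the description above; the poster's real pcap is not reproduced here.

```python
"""Detect a two-box routing loop in a list of captured packet records.

Seen from a capture point on one of the two forwarders, a routing loop
looks like this:
  * the *same* TCP segment (same IPs, ports and sequence number) is
    captured many times,
  * the IP TTL is exactly one lower on each successive copy,
  * after the first hop (host -> first router) the L2 src/dst MAC pair
    alternates between (A, B) and (B, A) for the same two boxes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ttl: int


def flow_key(p: Packet):
    """Identity of one segment: 4-tuple plus sequence number."""
    return (p.src_ip, p.dst_ip, p.sport, p.dport, p.seq)


def find_routing_loops(packets, min_copies=3):
    """Return {flow_key: report} for every segment that shows a loop pattern.

    `packets` must be in capture order. A segment is reported when it has
    at least `min_copies` copies, the TTL decreases by exactly 1 between
    consecutive copies, and, from the first reversed hop onward, the MAC
    pairs alternate strictly between two boxes.
    """
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[flow_key(p)].append(p)

    loops = {}
    for key, pkts in by_flow.items():
        if len(pkts) < min_copies:
            continue
        ttls = [p.ttl for p in pkts]
        if any(a - b != 1 for a, b in zip(ttls, ttls[1:])):
            continue  # not the same packet being forwarded repeatedly
        hops = [(p.src_mac, p.dst_mac) for p in pkts]
        # Skip leading hops until two consecutive hops are mirror images.
        i = 0
        while i + 1 < len(hops) and hops[i + 1] != (hops[i][1], hops[i][0]):
            i += 1
        loop = hops[i:]
        if len(loop) < min_copies:
            continue
        a, b = loop[0]
        expected = [(a, b) if k % 2 == 0 else (b, a) for k in range(len(loop))]
        if loop != expected:
            continue  # more than two boxes or irregular path: not this pattern
        loops[key] = {
            "copies": len(pkts),
            "loop_copies": len(loop),
            "ttl_first": ttls[0],
            "ttl_last": ttls[-1],
            "boxes": sorted({a, b}),
        }
    return loops


# Constructed MACs (assumed values, not from the poster's capture).
HOST_MAC, FW_MAC, RTR_MAC = "00:50:56:aa:00:01", "00:1a:8c:bb:00:02", "00:1e:f7:cc:00:03"
SRC_IP, DST_IP, DPORT = "192.168.10.64", "172.16.128.52", 445


def make_sample_capture():
    """Reconstruct the sequence described in the question: one SYN with
    TTL 128 at the host, then ping-ponging between firewall and router
    until the TTL reaches 28 (constructed data)."""
    pkts = [Packet(HOST_MAC, FW_MAC, SRC_IP, DST_IP, 49152, DPORT, 1000, 128)]
    ttl, src, dst = 127, FW_MAC, RTR_MAC
    while ttl >= 28:
        pkts.append(Packet(src, dst, SRC_IP, DST_IP, 49152, DPORT, 1000, ttl))
        src, dst, ttl = dst, src, ttl - 1
    return pkts


def make_normal_capture():
    """Healthy forwarding: host -> firewall -> router, then gone (constructed)."""
    return [
        Packet(HOST_MAC, FW_MAC, SRC_IP, DST_IP, 49153, DPORT, 2000, 128),
        Packet(FW_MAC, RTR_MAC, SRC_IP, DST_IP, 49153, DPORT, 2000, 127),
    ]


if __name__ == "__main__":
    for key, rep in find_routing_loops(make_sample_capture()).items():
        print(key, rep)
    print("normal capture:", find_routing_loops(make_normal_capture()))
```

To run this against a real capture, export the same eight fields with tshark (`-T fields -e eth.src -e eth.dst -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.seq -e ip.ttl`) and build `Packet` records from the rows; the TTL check is what separates a genuine loop from ordinary retransmissions, which are new IP datagrams and therefore start again at the sender's initial TTL.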