ACK and RST packets sent after successfully terminating TCP
connection
Jeremy Chadwick
freebsd at jdc.parodius.com
Mon Feb 15 21:42:20 UTC 2010
On Mon, Feb 15, 2010 at 10:07:32PM +0100, n j wrote:
> Hello Jeremy,
>
> > Is it possible for you to upload these captures somewhere on the web?
> > tcpdump -p -i {iface} -s 0 -n -w {somefile} should be sufficient.
>
> You can find the two pcaps at http://drop.io/llwiy8o. IP addresses and
> the data have been anonymized, everything else has been left intact.
> There was no ICMP traffic between the hosts. Thanks for looking into
> it!
succ.pcap --
<skipping obvious stuff>
Packet #9: client --> server: client requests TCP connection close (FIN+ACK)
Packet #10: server --> client: server sends ACK
<approximately 0.6 seconds passes>
Packet #11: server --> client: server announces TCP window size of 0,
indicating TCP receive buffers are exhausted and that the
client should wait before doing anything more
Packet #12: server --> client: identical re-sent ACK of packet #10
fail.pcap --
<skipping obvious stuff>
Packet #3: client --> server: initial handshake; TCP ACK
Packet #4: server --> client: server sends TCP RST. Software on
server likely closed the socket/fd
<approximately 0.75 seconds passes>
Packet #5: server --> client: server announces TCP window size of 0,
indicating TCP receive buffers are exhausted and that the
client should wait before doing anything more
Packet #6: server --> client: identical re-sent RST of packet #4
Packet #7: client --> server: confirms reset (RST+ACK)
Whatever this client/server protocol is, it isn't normal/standard. It's
not something like, for example, HTTP, SSH, or FTP; It's a custom
protocol and one I haven't seen before.
Do you see the above awkward behaviour (zero-sized TCP window packets
followed by a retransmission of a prior packet) when using standardised
protocols or software, such as Apache (HTTP), OpenSSH (SSH), or FTP?
If not, then the client/server software is probably to blame. It may be
operating on a raw socket level, populating IP and/or TCP portions of
the packet itself rather than relying on socket(2) entirely.
If it uses standard kernel socket(2) functionality with PF_INET and
SOCK_STREAM, then I'd ask if the source is available publicly to be
analysed to determine if this behaviour is intentional or not.
Is there VPN and/or NAT involved between the client and server
(re: NAT: particularly around the server)?
Finally, is it possible to get "ifconfig -a" and "netstat -m" output
from the server?
--
| Jeremy Chadwick jdc at parodius.com |
| Parodius Networking http://www.parodius.com/ |
| UNIX Systems Administrator Mountain View, CA, USA |
| Making life hard for others since 1977. PGP: 4BD6C0CB |
More information about the freebsd-stable
mailing list