ACK and RST packets sent after successfully terminating TCP connection

Jeremy Chadwick freebsd at jdc.parodius.com
Mon Feb 15 10:11:51 UTC 2010


On Mon, Feb 15, 2010 at 10:30:31AM +0100, n j wrote:
> Hi all,
> 
> I'm reposting this from the freebsd-questions hoping for some answers.
> I feel there is something wrong here, but would really appreciate a
> second opinion before opening a bug report. The problematic part is
> marked with [what is this?].
> 
> - in case of successful connection:
> 
> [begin handshake]
> 14:52:57.866040 IP client.example.net.6524 > server.example.net.9002:
> S 813851098:813851098(0) win 8192 <mss 1380,nop,wscale
> 2,nop,nop,sackOK>
> 14:52:57.866057 IP server.example.net.9002 > client.example.net.6524:
> S 3888621507:3888621507(0) ack 813851099 win 65535 <mss
> 1380,nop,wscale 3,sackOK,eol>
> 14:52:57.867143 IP client.example.net.6524 > server.example.net.9002:
> . ack 3888621508 win 16560
> [end handshake & begin data]
> 14:52:57.868333 IP client.example.net.6524 > server.example.net.9002:
> P 813851099:813852180(1081) ack 3888621508 win 16560
> 14:52:57.967858 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852180 win 8144
> 14:53:35.533165 IP server.example.net.9002 > client.example.net.6524:
> P 3888621508:3888621542(34) ack 813852180 win 8144
> [end data & begin teardown]
> 14:53:35.564542 IP server.example.net.9002 > client.example.net.6524:
> FP 3888621542:3888621675(133) ack 813852180 win 8280
> 14:53:35.566228 IP client.example.net.6524 > server.example.net.9002:
> . ack 3888621676 win 16518
> 14:53:35.566289 IP client.example.net.6524 > server.example.net.9002:
> F 813852180:813852180(0) ack 3888621676 win 16518
> 14:53:35.566318 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852181 win 8279
> [end teardown]
> [what is this?]
> 14:53:36.172081 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852180 win 0
> 14:53:36.172101 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852181 win 8279
> 
> - in case of unsuccessful connection:
> 
> [begin handshake]
> 14:53:00.411337 IP client.example.net.6547 > server.example.net.9002:
> S 1055031875:1055031875(0) win 8192 <mss 1380,nop,wscale
> 2,nop,nop,sackOK>
> 14:53:00.411354 IP server.example.net.9002 > client.example.net.6547:
> S 2849043653:2849043653(0) ack 1055031876 win 65535 <mss
> 1380,nop,wscale 3,sackOK,eol>
> 14:53:00.412242 IP client.example.net.6547 > server.example.net.9002:
> . ack 2849043654 win 16560
> [end handshake & reset connection]
> 14:53:00.412251 IP server.example.net.9002 > client.example.net.6547:
> R 2849043654:2849043654(0) win 0
> [what is this?]
> 14:53:01.168076 IP server.example.net.9002 > client.example.net.6547:
> . ack 1055031876 win 0
> 14:53:01.168100 IP server.example.net.9002 > client.example.net.6547:
> R 2849043654:2849043654(0) win 0
> 14:53:01.168393 IP client.example.net.6547 > server.example.net.9002:
> R 1055031876:1055031876(0) ack 2849043653 win 0
> 
> The server is running 7.2 GENERIC.

Is it possible for you to upload these captures somewhere on the web?
tcpdump -p -i {iface} -s 0 -n -w {somefile} should be sufficient.

Thanks.

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |



More information about the freebsd-stable mailing list