initial version

need help on how to read this capture, Out of Order packets

Hi, I’m having trouble interpreting the data below. I know that there are lots of OOO packets; I’m having trouble understanding who is getting the packets OOO and who is reporting it.

For example, I see 10.213.18.69 sending a SYN packet to 10.213.1.11, and right below it I see TCP OOO to source 10.213.18.69. What does this mean, that host 10.213.1.11 is reporting it OOO? How is this happening even though it’s the first packet?

No. Time Source Destination Protocol Length Sequence number Next sequence number Acknowledgment number Info

79 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

80 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

I also see dups and RST at the end, which I am assuming means 10.213.1.11 terminated the connection because of the OOO packets. So is 10.213.1.11, the server, reporting all of this? This packet capture was taken on a Cisco router on 10.213.18.69, FYI.

I would appreciate it if someone could walk me through this TCP flow and break down what is happening. I understand the concept, I’m just not sure how to interpret the Wireshark data.

TIA, Paul

81 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

82 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

83 37.495021 10.213.18.69 10.213.1.11 TCP 54 1 1 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

84 37.495021 10.213.18.69 10.213.1.11 TCP 54 1 1 1 [TCP Dup ACK 83#1] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

85 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360 [TCP segment of a reassembled PDU]

86 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360

87 37.496028 10.213.18.69 10.213.1.11 LDAP 786 1361 2093 1 bindRequest(7) "<root>" sasl

88 37.496028 10.213.18.69 10.213.1.11 TCP 786 1361 2093 1 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=1361 Ack=1 Win=131840 Len=732

89 37.511027 10.213.1.11 10.213.18.69 TCP 54 1 1 2093 389 → 52715 [ACK] Seq=1 Ack=2093 Win=131840 Len=0

90 37.511027 10.213.1.11 10.213.18.69 TCP 54 1 1 2093 [TCP Dup ACK 89#1] 389 → 52715 [ACK] Seq=1 Ack=2093 Win=131840 Len=0

91 37.512018 10.213.1.11 10.213.18.69 LDAP 265 1 212 2093 bindResponse(7) success

92 37.512018 10.213.1.11 10.213.18.69 TCP 265 1 212 2093 [TCP Retransmission] 389 → 52715 [PSH, ACK] Seq=1 Ack=2093 Win=131840 Len=211

93 37.514017 10.213.18.69 10.213.1.11 LDAP 230 2093 2269 212 SASL GSS-API Integrity: searchRequest(8) "<root>" baseObject

94 37.514017 10.213.18.69 10.213.1.11 TCP 230 2093 2269 212 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=2093 Ack=212 Win=131584 Len=176

95 37.529016 10.213.1.11 10.213.18.69 LDAP 204 212 362 2269 SASL GSS-API Integrity: searchResEntry(8) "<root>" searchResDone(8) success [2 results]

96 37.529016 10.213.1.11 10.213.18.69 TCP 204 212 362 2269 [TCP Retransmission] 389 → 52715 [PSH, ACK] Seq=212 Ack=2269 Win=131584 Len=150

97 37.537026 10.213.18.69 10.213.1.11 LDAP 205 2269 2420 362 SASL GSS-API Integrity: searchRequest(9) "CN=CUSB,CN=Sites,CN=Configuration,DC=cusb,DC=com" baseObject

98 37.537026 10.213.18.69 10.213.1.11 TCP 205 2269 2420 362 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=2269 Ack=362 Win=131328 Len=151

99 37.552025 10.213.1.11 10.213.18.69 LDAP 179 362 487 2420 SASL GSS-API Integrity: searchResEntry(9) "CN=CUSB,CN=Sites,CN=Configuration,DC=cusb,DC=com" searchResDone(9) success [2 results]

100 37.552025 10.213.1.11 10.213.18.69 TCP 179 362 487 2420 [TCP Retransmission] 389 → 52715 [PSH, ACK] Seq=362 Ack=2420 Win=131584 Len=125

121 37.607015 10.213.18.69 10.213.1.11 TCP 54 2420 2420 487 52715 → 389 [ACK] Seq=2420 Ack=487 Win=131328 Len=0

122 37.607015 10.213.18.69 10.213.1.11 TCP 54 2420 2420 487 [TCP Dup ACK 121#1] 52715 → 389 [ACK] Seq=2420 Ack=487 Win=131328 Len=0

127 38.647021 10.213.18.69 10.213.1.11 LDAP 97 2420 2463 487 SASL GSS-API Integrity: unbindRequest(11)

128 38.647021 10.213.18.69 10.213.1.11 TCP 97 2420 2463 487 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=2420 Ack=487 Win=131328 Len=43

129 38.648013 10.213.18.69 10.213.1.11 TCP 54 2463 2464 487 52715 → 389 [FIN, ACK] Seq=2463 Ack=487 Win=131328 Len=0

130 38.648013 10.213.18.69 10.213.1.11 TCP 54 2463 2464 487 [TCP Out-Of-Order] 52715 → 389 [FIN, ACK] Seq=2463 Ack=487 Win=131328 Len=0

131 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 700524530 389 → 52715 [RST] Seq=487 Win=0 Len=0

132 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 700524530 389 → 52715 [RST] Seq=487 Win=0 Len=0

133 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 2463 389 → 52715 [RST, ACK] Seq=487 Ack=2463 Win=0 Len=0

134 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 2463 389 → 52715 [RST, ACK] Seq=487 Ack=2463 Win=0 Len=0
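An added example, not part of Paul's question or of any answer on this page: a short Python script that takes the packet-list rows pasted above and checks whether the frames Wireshark labelled Out-Of-Order, Retransmission or Dup ACK are real network events or exact copies of the frame immediately before them (same timestamp, same sequence, next-sequence and acknowledgment numbers, same length). The rows and frame numbers are copied from the question; the function and variable names are my own.

```python
import re

# Rows copied verbatim from the question's packet list and used here as sample
# input. Columns: No. Time Source Destination Protocol Length Seq NextSeq Ack Info
PACKET_LIST = """\
79 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
80 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
81 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1
82 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1
83 37.495021 10.213.18.69 10.213.1.11 TCP 54 1 1 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0
84 37.495021 10.213.18.69 10.213.1.11 TCP 54 1 1 1 [TCP Dup ACK 83#1] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0
85 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360 [TCP segment of a reassembled PDU]
86 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360
87 37.496028 10.213.18.69 10.213.1.11 LDAP 786 1361 2093 1 bindRequest(7) "<root>" sasl
88 37.496028 10.213.18.69 10.213.1.11 TCP 786 1361 2093 1 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=1361 Ack=1 Win=131840 Len=732
89 37.511027 10.213.1.11 10.213.18.69 TCP 54 1 1 2093 389 → 52715 [ACK] Seq=1 Ack=2093 Win=131840 Len=0
90 37.511027 10.213.1.11 10.213.18.69 TCP 54 1 1 2093 [TCP Dup ACK 89#1] 389 → 52715 [ACK] Seq=1 Ack=2093 Win=131840 Len=0
91 37.512018 10.213.1.11 10.213.18.69 LDAP 265 1 212 2093 bindResponse(7) success
92 37.512018 10.213.1.11 10.213.18.69 TCP 265 1 212 2093 [TCP Retransmission] 389 → 52715 [PSH, ACK] Seq=1 Ack=2093 Win=131840 Len=211
93 37.514017 10.213.18.69 10.213.1.11 LDAP 230 2093 2269 212 SASL GSS-API Integrity: searchRequest(8) "<root>" baseObject
94 37.514017 10.213.18.69 10.213.1.11 TCP 230 2093 2269 212 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=2093 Ack=212 Win=131584 Len=176
95 37.529016 10.213.1.11 10.213.18.69 LDAP 204 212 362 2269 SASL GSS-API Integrity: searchResEntry(8) "<root>" searchResDone(8) success [2 results]
96 37.529016 10.213.1.11 10.213.18.69 TCP 204 212 362 2269 [TCP Retransmission] 389 → 52715 [PSH, ACK] Seq=212 Ack=2269 Win=131584 Len=150
97 37.537026 10.213.18.69 10.213.1.11 LDAP 205 2269 2420 362 SASL GSS-API Integrity: searchRequest(9) "CN=CUSB,CN=Sites,CN=Configuration,DC=cusb,DC=com" baseObject
98 37.537026 10.213.18.69 10.213.1.11 TCP 205 2269 2420 362 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=2269 Ack=362 Win=131328 Len=151
99 37.552025 10.213.1.11 10.213.18.69 LDAP 179 362 487 2420 SASL GSS-API Integrity: searchResEntry(9) "CN=CUSB,CN=Sites,CN=Configuration,DC=cusb,DC=com" searchResDone(9) success [2 results]
100 37.552025 10.213.1.11 10.213.18.69 TCP 179 362 487 2420 [TCP Retransmission] 389 → 52715 [PSH, ACK] Seq=362 Ack=2420 Win=131584 Len=125
121 37.607015 10.213.18.69 10.213.1.11 TCP 54 2420 2420 487 52715 → 389 [ACK] Seq=2420 Ack=487 Win=131328 Len=0
122 37.607015 10.213.18.69 10.213.1.11 TCP 54 2420 2420 487 [TCP Dup ACK 121#1] 52715 → 389 [ACK] Seq=2420 Ack=487 Win=131328 Len=0
127 38.647021 10.213.18.69 10.213.1.11 LDAP 97 2420 2463 487 SASL GSS-API Integrity: unbindRequest(11)
128 38.647021 10.213.18.69 10.213.1.11 TCP 97 2420 2463 487 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=2420 Ack=487 Win=131328 Len=43
129 38.648013 10.213.18.69 10.213.1.11 TCP 54 2463 2464 487 52715 → 389 [FIN, ACK] Seq=2463 Ack=487 Win=131328 Len=0
130 38.648013 10.213.18.69 10.213.1.11 TCP 54 2463 2464 487 [TCP Out-Of-Order] 52715 → 389 [FIN, ACK] Seq=2463 Ack=487 Win=131328 Len=0
131 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 700524530 389 → 52715 [RST] Seq=487 Win=0 Len=0
132 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 700524530 389 → 52715 [RST] Seq=487 Win=0 Len=0
133 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 2463 389 → 52715 [RST, ACK] Seq=487 Ack=2463 Win=0 Len=0
134 38.662020 10.213.1.11 10.213.18.69 TCP 54 487 487 2463 389 → 52715 [RST, ACK] Seq=487 Ack=2463 Win=0 Len=0
"""

# One packet-list row: nine fixed columns, then the free-form Info column.
ROW = re.compile(
    r"^(?P<no>\d+) (?P<time>[\d.]+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) "
    r"(?P<length>\d+) (?P<seq>\d+) (?P<nxt>\d+) (?P<ack>\d+) (?P<info>.*)$"
)


def parse_rows(text):
    """Turn the pasted packet-list text into one dict per frame."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("no", "length", "seq", "nxt", "ack"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def frame_key(row):
    """Fields that identify the segment on the wire. Protocol and Info are left
    out: they are Wireshark's dissector choice and analysis commentary, not
    part of the packet."""
    return (row["time"], row["src"], row["dst"], row["length"],
            row["seq"], row["nxt"], row["ack"])


def duplicate_pairs(rows):
    """(first_no, second_no) for each pair of consecutive frames that are
    identical copies of one another."""
    return [(prev["no"], cur["no"]) for prev, cur in zip(rows, rows[1:])
            if frame_key(prev) == frame_key(cur)]


def analysis_flagged(rows):
    """Frame numbers that carry a TCP-analysis label in the Info column."""
    return [r["no"] for r in rows if r["info"].startswith("[TCP ")]


def dedupe(rows):
    """Keep only the first copy of each consecutive duplicate frame."""
    kept, last_key = [], None
    for r in rows:
        if frame_key(r) != last_key:
            kept.append(r)
            last_key = frame_key(r)
    return kept


def sequence_is_monotonic(rows):
    """True if Seq never goes backwards within either direction of the flow,
    i.e. no real reordering is visible in these rows."""
    highest = {}
    for r in rows:
        direction = (r["src"], r["dst"])
        if r["seq"] < highest.get(direction, 0):
            return False
        highest[direction] = max(highest.get(direction, 0), r["seq"])
    return True


if __name__ == "__main__":
    rows = parse_rows(PACKET_LIST)
    pairs = duplicate_pairs(rows)
    print(f"{len(rows)} frames, {len(pairs)} identical consecutive pairs")
    print("analysis-flagged frames:", analysis_flagged(rows))
    print("second copy of a pair:  ", [b for _, b in pairs])
    print("in order after dedupe:  ", sequence_is_monotonic(dedupe(rows)))
```

Run against the rows above, every frame Wireshark labelled Out-Of-Order, Retransmission or Dup ACK is the second copy of an identical pair with the same timestamp, the two unlabelled RST frames are duplicated the same way, and sequence numbers never move backwards in either direction once the copies are dropped. That pattern is consistent with the capture point seeing each segment twice rather than with the LDAP client or server actually reordering or retransmitting anything. Wireshark's command-line `editcap -d` removes consecutive duplicate frames from a capture file so the TCP analysis can be re-run on a single copy of each segment.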
