This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Seeing TCP http [RST, ACK]

I am analyzing throughput on a network and am running an HTTP GET file of 400MB from one of our servers. The TCP connection appears to get set up correctly, but part way through, I am seeing a RST,ACK followed by 'Continuation or non-HTTP traffic' entries. These continuation packets just end after a bunch of them with no ACKS from the other end and no apparent termination of the TCP connection following the continuation packets. Am I correct in assuming that the TCP connection ends with the RST, ACK? If so, why does the other end keep sending the continuation packets? The client I'm using is the 10.x.x.x address, the server is the 69.x.x.x address. Any help is appreciated. Thanks.

Number  Time    Source  Destination Protocol    Length  Info
21  37:25.6 10.161.62.101   69.147.163.122  HTTP    225 GET /400MB.zip HTTP/1.0 
22  37:25.7 69.147.163.122  10.161.62.101   TCP 54  http > rmpp [ACK] Seq=1 Ack=172 Win=7168 Len=0
23  37:25.7 69.147.163.122  10.161.62.101   HTTP    1444    HTTP/1.0 200 OK  (application/zip)[Packet size limited during capture]
24  37:25.7 69.147.163.122  10.161.62.101   HTTP    147 Continuation or non-HTTP traffic
25  37:25.7 10.161.62.101   69.147.163.122  TCP 54  rmpp > http [ACK] Seq=172 Ack=1484 Win=128480 Len=0
26  37:25.7 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
:
:
39504   37:50.3 10.161.62.101   69.147.163.122  TCP 54  rmpp > http [RST, ACK] Seq=173 Ack=33001474 Win=0 Len=0
39505   37:50.3 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
39506   37:50.3 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
:
:
39584   37:50.4 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
39585   37:52.3 10.161.62.101   69.147.163.1    ICMP    74  Echo (ping) request  id=0x0300, seq=8192/32, ttl=128

asked 01 Nov '12, 06:27

integratech

edited 01 Nov '12, 06:39

Guessing from the filename you are probably trying to download a 400 MB file.

Frame 39504 shows your RESET coming from your client. The ACK-no indicates that approx. 33 MByte were successfully transferred.

The interesting question is: What happened before the RST?

Can you publish the packets before 39504, preferably showing SEQ- and ACK-numbers?

(01 Nov '12, 06:41) packethunter
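
The reading of frame 39504 in the comment above can be reproduced from the text packet list. This is an added example, not part of the original thread: `parse_rows` and `summarize_reset` are hypothetical helper names, the sample rows are copied from the question with the elided rows omitted, and the byte count assumes Wireshark's relative sequence numbers (first data byte at Seq=1).

```python
import re

# Constructed sample: rows copied from the packet list in the question
# (rows the poster elided with ':' are simply absent).
SAMPLE = """\
Number  Time    Source  Destination Protocol    Length  Info
21  37:25.6 10.161.62.101   69.147.163.122  HTTP    225 GET /400MB.zip HTTP/1.0
22  37:25.7 69.147.163.122  10.161.62.101   TCP 54  http > rmpp [ACK] Seq=1 Ack=172 Win=7168 Len=0
39504   37:50.3 10.161.62.101   69.147.163.122  TCP 54  rmpp > http [RST, ACK] Seq=173 Ack=33001474 Win=0 Len=0
39505   37:50.3 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
39506   37:50.3 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
39584   37:50.4 69.147.163.122  10.161.62.101   HTTP    1444    Continuation or non-HTTP traffic[Packet size limited during capture]
39585   37:52.3 10.161.62.101   69.147.163.1    ICMP    74  Echo (ping) request  id=0x0300, seq=8192/32, ttl=128
"""

# Number, Time, Source, Destination, Protocol, Length, Info
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")

def parse_rows(text):
    """Parse summary rows; the header line and ':' elision lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            no, _time, src, dst, proto, length, info = m.groups()
            rows.append({"no": int(no), "src": src, "dst": dst,
                         "proto": proto, "len": int(length), "info": info})
    return rows

def summarize_reset(rows):
    """Locate the first RST: who sent it, how much it acknowledged, what came after."""
    for i, row in enumerate(rows):
        flags = re.search(r"\[([A-Z, ]+)\]", row["info"])  # e.g. "[RST, ACK]"
        if not flags or "RST" not in flags.group(1).split(", "):
            continue
        ack = re.search(r"Ack=(\d+)", row["info"])
        # Relative Ack=N is the next byte expected, so N-1 payload bytes were received.
        acked = int(ack.group(1)) - 1 if ack else None
        # Frames from the peer that still show up in the capture after the RST.
        late = [r["no"] for r in rows[i + 1:]
                if r["src"] == row["dst"] and r["dst"] == row["src"]]
        return {"frame": row["no"], "sender": row["src"],
                "acked_bytes": acked, "frames_after_rst": late}
    return None

if __name__ == "__main__":
    print(summarize_reset(parse_rows(SAMPLE)))
```
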

packethunter...I can't paste here and have it format correctly. Anyway, at a point around lines 20000 I see a slew of about 150 DUP ACKs, some TCP Window Update packets, and a TCP Fast Retransmission. Then the sequence of download begins again with packets sent and an ACK. Then out of the blue the RST happens, and then there are just Continuation packets for a while, then they just stop.

(01 Nov '12, 07:52) integratech

How about putting the trace up at www.cloudshark.org? Please only do that if it does not contain sensitive data, because anyone can look at it.

(01 Nov '12, 08:45) Jasper ♦♦