I am new to Wireshark and have created a packet capture between two servers, one within the LAN and the other in our DMZ. The program tells me it uses port 8004, which I have opened up on our firewall. From what I see in the capture, it looks like it's using 8004 but routing it to another port? Any help reading this would be great ... Here is a portion of my capture.
192.168.1.23 192.168.3.10 TCP 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60177 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP 8004 > 60177 [RST, ACK] Seq=1 Ack=4006900096 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60177 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP [TCP ACKed lost segment] 8004 > 60177 [RST, ACK] Seq=1 Ack=660724035 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60177 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP [TCP ACKed lost segment] 8004 > 60177 [RST, ACK] Seq=1 Ack=587607840 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60178 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP [TCP ACKed lost segment] 8004 > 60178 [RST, ACK] Seq=1 Ack=1954781099 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60178 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP [TCP ACKed lost segment] 8004 > 60178 [RST, ACK] Seq=1 Ack=939193442 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60178 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP [TCP ACKed lost segment] 8004 > 60178 [RST, ACK] Seq=1 Ack=1625215588 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP 60179 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60179 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60179 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP 8004 > 60179 [RST, ACK] Seq=1 Ack=2224311254 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60179 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60179 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60179 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP [TCP ACKed lost segment] 8004 > 60179 [RST, ACK] Seq=1 Ack=45320348 Win=0 Len=0
asked 25 Jan '11, 07:39
HSD
edited 14 May '13, 01:33
grahamb ♦
I'm getting the same kind of error, except in my case a port which is closed is quickly (5 seconds later) being reused.
Example: TCP-PORT=545454 -> do a TCP session on port=545454 SYN/SYN-ACK/SYN/SYN-ACK/DATA/FIN-ACK/ACK/FIN-ACK/ACK wait 5 seconds -> do a TCP session on port=545454 SYN SEQNUM=0 -> ACK SEQNUM=0 ACKNUM=1507571667
This causes a RST to be triggered. There seems to be a link as if the second TCP session is being "fudged" with a bad ACKNUM.
You can't reuse a connection tuple (src_ip, src_port, dst_ip, dst_port, protocol) within 5 seconds. The server normally waits for 2xMSL seconds before tearing down a connection. If any new connection request comes in on the same tuple, it will send out a RST packet (there are exceptions though; see TIME-WAIT assassination).
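Added example, not from the question or the answers: a small Python triage script that parses Info-column lines like the ones in the capture above, groups them by the client's connection tuple and labels each tuple by how the server answered. In this capture 60177 to 60179 are the client's ephemeral source ports, and every SYN to 192.168.3.10:8004 is answered by RST,ACK, which means the DMZ host is reachable and actively refusing the connection (no listener, or the tuple is still in TIME-WAIT as the answer explains), not that traffic is being redirected to another port. The sample lines are copied from the capture; the regex assumes the column layout shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: six Info-column lines copied from the capture above
# (no timestamps, so only the SYN / RST,ACK pattern per tuple is examined).
SAMPLE = """\
192.168.1.23 192.168.3.10 TCP 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.1.23 192.168.3.10 TCP [TCP Port numbers reused] 60177 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60177 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
192.168.3.10 192.168.1.23 TCP 8004 > 60177 [RST, ACK] Seq=1 Ack=4006900096 Win=0 Len=0
192.168.1.23 192.168.3.10 TCP 60178 > 8004 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8 SACK_PERM=1
192.168.3.10 192.168.1.23 TCP 8004 > 60178 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
"""

# src dst TCP [optional Wireshark analysis note] sport > dport [flags] ...
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+TCP\s+(?:\[(?P<note>[^\]]*)\]\s+)?"
    r"(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
)

def parse(text):
    """Yield one dict per parseable summary line; ports stay as strings."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["flags"] = {f.strip() for f in rec["flags"].split(",")}
            yield rec

def classify_flows(text):
    """Map (client_ip, client_port, server_ip, server_port) -> (verdict, syns, reused).
    verdict: 'open' (SYN/ACK seen), 'refused' (only RST/ACK: host reachable, nothing
    accepted the SYN, e.g. closed port or TIME-WAIT clash), 'filtered' (no reply)."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "rst": 0, "reused": 0})
    for p in parse(text):
        if p["flags"] == {"SYN"}:  # client's connection attempt
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            stats[key]["syn"] += 1
            if p["note"] and "reused" in p["note"]:  # Wireshark saw this tuple before
                stats[key]["reused"] += 1
        else:  # server reply: swap sides so it lands on the client's tuple
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if "RST" in p["flags"]:
                stats[key]["rst"] += 1
            elif {"SYN", "ACK"} <= p["flags"]:
                stats[key]["synack"] += 1
    return {k: ("open" if s["synack"] else "refused" if s["rst"] else "filtered",
                s["syn"], s["reused"]) for k, s in stats.items()}
```

A tuple reported as 'filtered' (SYNs with no reply at all) is the pattern a firewall drop produces; 'refused' means the packets got through and the server itself turned them away.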