This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

FIN ACK sent backwards in time

0

I've a VMware machine with 2 servers. They have a heartbeat going. But then one server sends FIN, ACK and ends the connection. But it comes backwards in time ? What could be the reason for that ?

#2704841 02:44:51.228772 172.23.125.14 172.23.125.13 TCP 59 snapd > 50284 [PSH, ACK] Seq=19141 Ack=18484 Win=5840 Len=5
:
:
#2704843 02:44:51.231122 172.23.125.14 172.23.125.13 TCP 54 snapd > 50284 [ACK] Seq=19146 Ack=18489 Win=5840 Len=0

#2704914 02:44:45.369705 172.23.125.14 172.23.125.13 TCP 54 snapd > 50284 [FIN, ACK] Seq=19146 Ack=18489 Win=5840 Len=0

asked 13 May ‘14, 05:09

lmdroke's gravatar image

lmdroke
11113
accept rate: 0%

edited 17 May ‘14, 14:14

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

Can you explain what ‘backwards in time’ means giving the timestamps of the packets in your post? The FIN occurs 138ms after the last ACK of the server…

(13 May ‘14, 14:12) mrEEde2

I don’t think it’s 138 msec. I think it’s about 6 second searlier. 2.44.45 compared to 2.44.51.

These 2 servers are running on the same virtual machine. I am not sure how these logs are taken. I just got the results

(14 May ‘14, 01:02) lmdroke

Now that you say it … ;-) clearly back in time!

(14 May ‘14, 09:40) mrEEde2

where (vm host or virtual machine) and how did you capture the data (wireshark, tcpdump, dumpcap, single interface, multiple interfaces)?

(14 May ‘14, 14:38) Kurt Knochner ♦

One of the machines 172.23.125.14 is running linux and TCPDUMP was used. The other machines 172.23.125.13, is a Windows server and here wireshark is used

(15 May ‘14, 03:35) lmdroke

So you had 2 traces and merged them into one? Or do you see the same phenomenon in two seperate/different traces, no matter where the trace was taken?

(15 May ‘14, 08:13) mrEEde2

The problem is that the connection between the 2 servers is broken. I am rather new at this and I wonder why the way of tracing matters ? I mean, if I don’t trace, the connection still gets broken.

(16 May ‘14, 06:19) lmdroke

It matters a lot. Was the trace snippet you displayed above the result of a merged trace from the two different machines? ..or do you see the same results in the TCPDUMP trace and the Wireshark trace?

(17 May ‘14, 12:30) Rooster_50

I wonder why the way of tracing matters ?

It matters to the “backwards in time” question. If the ACK was captured on one machine and the FIN+ACK was captured on another machine, perhaps the two machines clocks are out of sync, in which case you can’t meaningfully compare time stamps on packets from two different machines, and therefore it means that you can’t say that anything went backwards in time.

(17 May ‘14, 14:13) Guy Harris ♦♦

Note also that, even if the ACK and the FIN+ACK were captured on the same machine, if that machine’s clock were reset between the arrival or transmission time of the ACK and the FIN+ACK, it will make it look as if the FIN+ACK were sent before the ACK when, in fact, it was sent after the ACK.

(17 May ‘14, 14:18) Guy Harris ♦♦

Hi Guy,

How could I see if a clock is reset ? thanks

(19 May ‘14, 00:02) lmdroke

About all you can to in order to determine whether the clock was reset in the past is to check whatever system logs the machine has, if it logs time changes, to see whether the clock was set backwards.

(19 May ‘14, 00:07) Guy Harris ♦♦

Another think to look for would be if any NTP packets existed during that time in the trace. I would also try to find out from the person who took the capture(s) had any capture filters set. If they excluded traffic that might have been present, then you might not ever know.

(21 May ‘14, 16:52) Rooster_50
showing 5 of 13 show 8 more comments