The Wireshark note "[TCP Port numbers reused]" means that in the packet capture file, there is a new connection for a 5-tuple (ip-src,ip-dst,protocol,srcport,dstport) that was seen before in the packet capture. This is normal when doing a long-term capture, as there are only 65536 possible source ports, so in due time these ports are reused.

Depending on the setup, the source IP address could end up being the same for every user (NAT and/or load balancing are examples). Then if there are a lot of TCP sessions, the time between two distinct sessions using the same source port can become very small. On the server side, when a session is closed, it will be kept in TIME_WAIT state for a while to allow for late packets to be handled. This time varies per system, but used to be like 2 minutes.

So all in all, "[TCP Port numbers reused]" notifications can be benign, but depending on the infrastructure they might indicate a problem. If you do not see a SYN/ACK response to the SYN that was marked with "[TCP Port numbers reused]", then that is something to look into, as there might be sessions in TIME_WAIT state on the server preventing the TCP session from being established. In that case, some OSes have a setting to allow new sessions to be established even when the same 5-tuple was used earlier and that session is still in TIME_WAIT.

Hope this helps. If not, please look at https://blog.packet-foo.com/2016/11/the-wireshark-qa-trace-file-sharing-tutorial/ on how to provide a capture file for us here to help you better in this case.
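
The triage described in the answer above, as an added example that is not part of the original answer and is not Wireshark's dissector logic: it flags a SYN that opens a new connection on a tuple seen earlier, ignores retransmitted SYNs (same initial sequence number), and reports whether a SYN/ACK followed. The `Pkt` record, the function names, the 120-second window and the sample packets are all assumptions constructed for illustration.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq")
TIME_WAIT_SECS = 120  # assumption: the "2 minutes" mentioned in the answer

def find_reused_syns(packets, time_wait=TIME_WAIT_SECS):
    """Flag SYNs that start a new connection on a 4-tuple seen earlier."""
    seen = {}     # client->server 4-tuple -> [time of last packet, ISN of last SYN]
    pending = {}  # 4-tuple -> finding still waiting for a SYN/ACK
    findings = []
    for p in sorted(packets, key=lambda p: p.ts):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            prev = seen.get(fwd)
            # Same ISN as the previous SYN is a retransmission, not reuse.
            if prev and prev[1] != p.seq:
                gap = p.ts - prev[0]
                f = {"tuple": fwd, "ts": p.ts, "gap": gap,
                     "within_time_wait": gap < time_wait, "answered": False}
                findings.append(f)
                pending[fwd] = f
            seen[fwd] = [p.ts, p.seq]
            continue
        key = fwd if fwd in seen else rev
        if key in seen:
            seen[key][0] = p.ts          # any packet refreshes "last seen"
        if p.flags == "SA" and rev in pending:
            pending.pop(rev)["answered"] = True
    return findings

C, S = "10.0.0.5", "192.0.2.10"   # constructed addresses
def session(port, start, isn):    # constructed: handshake plus close
    return [Pkt(start, C, port, S, 443, "S", isn),
            Pkt(start + 0.01, S, 443, C, port, "SA", 5000),
            Pkt(start + 0.02, C, port, S, 443, "A", isn + 1),
            Pkt(start + 1.00, C, port, S, 443, "FA", isn + 1),
            Pkt(start + 1.01, S, 443, C, port, "FA", 5001),
            Pkt(start + 1.02, C, port, S, 443, "A", isn + 2)]

SAMPLE = (session(40001, 0.0, 1000) + session(40002, 0.0, 2000)
          + [Pkt(31.0, C, 40001, S, 443, "S", 9000),    # reuse, never answered
             Pkt(32.0, C, 40001, S, 443, "S", 9000),    # retransmitted SYN
             Pkt(300.0, C, 40002, S, 443, "S", 7000),   # reuse after TIME_WAIT
             Pkt(300.01, S, 443, C, 40002, "SA", 8000)])

if __name__ == "__main__":
    for f in find_reused_syns(SAMPLE):
        print(f)
```

A finding with `answered` false and `within_time_wait` true is the case the answer says to look into; the gap is measured from the last packet seen on the tuple, which only approximates when the server entered TIME_WAIT.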