
TCP Spurious Retransmission

asked 2018-02-06 13:57:02 +0000

anonymous user

updated 2018-02-07 15:18:54 +0000

Jaap

Could someone explain to me what's going on in this tcp dump?

5   13:02:12.985389 5.5.5.5 1.2.3.4 TCP 74  57464 → 12345 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2535707980 TSecr=0 WS=128
6   13:02:12.985411 1.2.3.4 5.5.5.5 TCP 74  12345 → 57464 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1516508357 TSecr=2535707980 WS=1024
7   13:02:13.183362 5.5.5.5 1.2.3.4 TCP 66  57464 → 12345 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2535708030 TSecr=1516508357
8   13:02:13.183806 5.5.5.5 1.2.3.4 TCP 66  57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2535708030 TSecr=1516508357
9   13:02:13.682592 5.5.5.5 1.2.3.4 TCP 66  [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2535708155 TSecr=1516508357
10  13:02:13.982144 1.2.3.4 5.5.5.5 TCP 74  [TCP Spurious Retransmission] 12345 → 57464 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=1516508607 TSecr=2535708155 WS=1024
11  13:02:14.180635 5.5.5.5 1.2.3.4 TCP 66  [TCP Dup ACK 7#1] 57464 → 12345 [ACK] Seq=2 Ack=1 Win=29312 Len=0 TSval=2535708279 TSecr=1516508357
14  13:02:14.285845 5.5.5.5 1.2.3.4 TCP 66  [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2535708305 TSecr=1516508357
21  13:02:15.487487 5.5.5.5 1.2.3.4 TCP 66  [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2535708606 TSecr=1516508357
25  13:02:17.894558 5.5.5.5 1.2.3.4 TCP 66  [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=2535709208 TSecr=1516508357
26  13:02:17.894580 1.2.3.4 5.5.5.5 TCP 54  12345 → 57464 [RST] Seq=1 Win=0 Len=0

Comments

Can you provide the packet capture? See https://blog.packet-foo.com/2016/11/t... if you need to sanitize the packets first.

Christian_R (2018-02-07 19:44:48 +0000)

1 Answer


answered 2018-02-10 18:51:19 +0000

mrEEde

The tcpdump shows the client closing the session immediately after the 3-way handshake. It did not even try to send or receive any data.

The server ignores the FIN packet and retransmits its SYNACK, so it obviously has not seen, or has discarded, the ACK completing the 3-way handshake. Even the following DUPACK seems to be ignored, and the Linux server closes its socket, resulting in an RST being returned on the client's attempt to FIN the connection. Looks like the client is not a real client but a monitor, and the server is not happy accepting this 'misbehaving' client.

12.985 LxClient→ LxServr [SYN]      Seq=0       Tsv=2535707980 TSe=0 WS=128
12.985 LxServr → LxClient[SYN, ACK] Seq=0 Ack=1 Tsv=1516508357 TSe=2535707980
13.183 LxClient→ LxServr [ACK]      Seq=1 Ack=1 Tsv=2535708030 TSe=1516508357
13.183 LxClient→ LxServr [FIN, ACK] Seq=1 Ack=1 Tsv=2535708030 TSe=1516508357
13.682!LxClient→ LxServr [FIN, ACK] Seq=1 Ack=1 Tsv=2535708155 TSe=1516508357
13.982!LxServr → LxClient[SYN, ACK] Seq=0 Ack=1 Tsv=1516508607 TSe=2535708155
14.180!LxClient→ LxServr [ACK]      Seq=2 Ack=1 Tsv=2535708279 TSe=1516508357
14.285!LxClient→ LxServr [FIN, ACK] Seq=1 Ack=1 Tsv=2535708305 TSe=1516508357
15.487!LxClient→ LxServr [FIN, ACK] Seq=1 Ack=1 Tsv=2535708606 TSe=1516508357
17.894!LxClient→ LxServr [FIN, ACK] Seq=1 Ack=1 Tsv=2535709208 TSe=1516508357
17.894!LxServr → LxClient[RST]      Seq=1

Regards Matthias

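The reading given in the answer can be checked mechanically. The Python below is an added example, not part of the original answer: it parses the frames from the question (trimmed to the fields used) and derives the same observations from flags and sequence numbers alone. The name `analyze` and the result keys are assumptions made for this example.

```python
import re

# Frames from the question's capture, trimmed to the fields the parser needs.
CAPTURE = """\
5 13:02:12.985389 5.5.5.5 1.2.3.4 TCP 74 57464 → 12345 [SYN] Seq=0 Win=29200 Len=0
6 13:02:12.985411 1.2.3.4 5.5.5.5 TCP 74 12345 → 57464 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
7 13:02:13.183362 5.5.5.5 1.2.3.4 TCP 66 57464 → 12345 [ACK] Seq=1 Ack=1 Win=29312 Len=0
8 13:02:13.183806 5.5.5.5 1.2.3.4 TCP 66 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
9 13:02:13.682592 5.5.5.5 1.2.3.4 TCP 66 [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
10 13:02:13.982144 1.2.3.4 5.5.5.5 TCP 74 [TCP Spurious Retransmission] 12345 → 57464 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0
11 13:02:14.180635 5.5.5.5 1.2.3.4 TCP 66 [TCP Dup ACK 7#1] 57464 → 12345 [ACK] Seq=2 Ack=1 Win=29312 Len=0
14 13:02:14.285845 5.5.5.5 1.2.3.4 TCP 66 [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
21 13:02:15.487487 5.5.5.5 1.2.3.4 TCP 66 [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
25 13:02:17.894558 5.5.5.5 1.2.3.4 TCP 66 [TCP Spurious Retransmission] 57464 → 12345 [FIN, ACK] Seq=1 Ack=1 Win=29312 Len=0
26 13:02:17.894580 1.2.3.4 5.5.5.5 TCP 54 12345 → 57464 [RST] Seq=1 Win=0 Len=0
"""

# frame no, source IP, optional Wireshark annotation (skipped), flags, Seq, Ack, Len
LINE = re.compile(r"^(\d+)\s+\S+ (\S+) \S+ TCP \d+\s+(?:\[TCP [^\]]*\] )?"
                  r"\d+ → \d+ \[([A-Z, ]+)\] Seq=(\d+)(?: Ack=(\d+))? .*?Len=(\d+)")

def analyze(text):
    """Derive the answer's observations from flags and sequence numbers only,
    without relying on Wireshark's [TCP ...] expert annotations."""
    frames = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        no, src, flags, seq, ack, length = m.groups()
        frames.append({"no": int(no), "src": src, "flags": set(flags.split(", ")),
                       "seq": int(seq), "ack": int(ack) if ack else None,
                       "len": int(length)})
    client = frames[0]["src"]  # assumption: the first frame is the client's SYN
    from_server = [f for f in frames if f["src"] != client]
    hs_ack = next(f["no"] for f in frames
                  if f["src"] == client and f["flags"] == {"ACK"})
    fins = [f for f in frames if f["src"] == client and "FIN" in f["flags"]]
    return {
        "payload_bytes": sum(f["len"] for f in frames),
        # A SYN-ACK after the client's handshake ACK: the server never left SYN_RECV.
        "synack_after_handshake_ack": [f["no"] for f in from_server
                                       if f["flags"] == {"SYN", "ACK"} and f["no"] > hs_ack],
        "fin_retransmissions": len(fins) - 1,
        # The FIN consumes one sequence number, so an Ack above its Seq would confirm it.
        "fin_acked": any(f["ack"] is not None and f["ack"] > fins[0]["seq"]
                         for f in from_server),
        "ended_with_server_rst": from_server[-1]["flags"] == {"RST"},
    }
```

The regular expression also accepts the untrimmed lines from the question, since it skips extra whitespace and anything after `Len=`.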


Stats

Asked: 2018-02-06 13:57:02 +0000

Seen: 11,157 times

Last updated: Feb 10 '18