Need help on how to read this capture, Out of Order packets

asked 2021-11-19 20:29:58 +0000 by da_P

updated 2021-11-19 21:55:19 +0000 by cmaynard

Hi, I'm having trouble interpreting the data below. I know that there are lots of OOO packets; I'm having trouble understanding who is getting the packets OOO and who is reporting it.

For example, I see 10.213.18.69 sending a SYN packet to 10.213.1.11, and right below I see a TCP OOO with source 10.213.18.69. Does this mean that host 10.213.1.11 is reporting it OOO? How is this happening even though it's the first packet?

No. Time    Source  Destination Protocol    Length  Sequence number Next sequence number    Acknowledgment number   Info

79  37.477032   10.213.18.69    10.213.1.11 TCP 66  0   1   0   52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

80  37.477032   10.213.18.69    10.213.1.11 TCP 66  0   1   0   [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

I also see dups and an RST at the end, which I am assuming means 10.213.1.11 terminated the connection because of the OOO packets. So is 10.213.1.11, the server, reporting all of this? FYI, this packet capture was taken on a Cisco router at 10.213.18.69.

I would appreciate it if someone could walk me through this TCP flow and break down what is happening. I understand the concept, I'm just not sure how to interpret the Wireshark data.

TIA, Paul

81  37.492030   10.213.1.11 10.213.18.69    TCP 66  0   1   1   389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

82  37.492030   10.213.1.11 10.213.18.69    TCP 66  0   1   1   [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

83  37.495021   10.213.18.69    10.213.1.11 TCP 54  1   1   1   52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

84  37.495021   10.213.18.69    10.213.1.11 TCP 54  1   1   1   [TCP Dup ACK 83#1] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

85  37.496028   10.213.18.69    10.213.1.11 TCP 1414    1   1361    1   52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360 [TCP segment of a reassembled PDU]

86  37.496028   10.213.18.69    10.213.1.11 TCP 1414    1   1361    1   [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360

87  37.496028   10.213.18.69    10.213.1.11 LDAP    786 1361    2093    1   bindRequest(7) "<root>" sasl 

88  37.496028   10.213.18.69    10.213.1.11 TCP 786 1361    2093    1   [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=1361 Ack=1 Win=131840 Len=732

89  37.511027   10.213.1.11 10.213 ...

Comments

Looks like the packet capture is making duplicates of every packet.

Chuckc (2021-11-20 00:31:53 +0000)

Thanks, I looked at the cap on the Cisco router and I was indeed capturing two interfaces which passed the same traffic.

da_P (2021-11-22 15:44:40 +0000)

2 Answers


answered 2021-11-22 15:45:42 +0000 by da_P

I was unaware that I was capturing traffic in/out on multiple interfaces that pass the same traffic, and it was creating dups.


answered 2021-11-20 06:43:43 +0000 by Jaap

Like @Chuckc said, there are duplicates of every packet, which is not uncommon when you capture on a monitor port, where both ingress and egress traffic of a switch fabric is captured, for instance. This is where editcap -d comes to shine, allowing you to remove the duplicates.

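The point behind this answer is that the Out-Of-Order, Retransmission and Dup ACK flags in the question appear only because Wireshark sees every segment twice, and editcap -d drops the second copy. The Python below is an added example (not editcap's code and not from anyone in this thread): it rebuilds frames 79 to 88 from the question's packet list, applies an editcap -d style dedupe (each frame compared with the previous four) and then checks whether any remaining segment repeats one already seen in the same direction. Header fields stand in for the raw frame bytes that editcap actually hashes, which is an assumption of the example.

```python
import hashlib
from collections import deque

# Rows constructed from the packet list in the question (frames 79-88). The
# raw frame bytes are not on the page, so header fields stand in for the
# bytes that editcap -d actually hashes (an assumption of this example).
FRAMES = [
    # (frame, time, src, dst, sport, dport, flags, seq, ack, payload_len)
    (79, 37.477032, "10.213.18.69", "10.213.1.11", 52715, 389, "SYN", 0, 0, 0),
    (80, 37.477032, "10.213.18.69", "10.213.1.11", 52715, 389, "SYN", 0, 0, 0),
    (81, 37.492030, "10.213.1.11", "10.213.18.69", 389, 52715, "SYN,ACK", 0, 1, 0),
    (82, 37.492030, "10.213.1.11", "10.213.18.69", 389, 52715, "SYN,ACK", 0, 1, 0),
    (83, 37.495021, "10.213.18.69", "10.213.1.11", 52715, 389, "ACK", 1, 1, 0),
    (84, 37.495021, "10.213.18.69", "10.213.1.11", 52715, 389, "ACK", 1, 1, 0),
    (85, 37.496028, "10.213.18.69", "10.213.1.11", 52715, 389, "ACK", 1, 1, 1360),
    (86, 37.496028, "10.213.18.69", "10.213.1.11", 52715, 389, "ACK", 1, 1, 1360),
    (87, 37.496028, "10.213.18.69", "10.213.1.11", 52715, 389, "PSH,ACK", 1361, 1, 732),
    (88, 37.496028, "10.213.18.69", "10.213.1.11", 52715, 389, "PSH,ACK", 1361, 1, 732),
]

def frame_digest(frame):
    """MD5 of everything except frame number and timestamp, mirroring
    editcap's "same length and same MD5" comparison."""
    return hashlib.md5(repr(frame[2:]).encode()).hexdigest()

def dedupe(frames, window=4):
    """Skip a frame whose digest matches any of the previous `window` frames
    (editcap -d default: current vs. previous four); duplicates still enter
    the window, like editcap's ring buffer. Returns (kept, dropped_numbers)."""
    recent = deque(maxlen=window)
    kept, dropped = [], []
    for f in frames:
        d = frame_digest(f)
        if d in recent:
            dropped.append(f[0])
        else:
            kept.append(f)
        recent.append(d)
    return kept, dropped

def repeated_segments(frames):
    """Frame numbers whose (src, dst, flags, seq, payload_len) were already
    seen: roughly the condition behind the Retransmission / Out-Of-Order /
    Dup ACK analysis flags in the question. Every second frame hits it."""
    seen, repeats = set(), []
    for f in frames:
        key = (f[2], f[3], f[6], f[7], f[9])
        if key in seen:
            repeats.append(f[0])
        seen.add(key)
    return repeats
```

After the dedupe pass the flow reads as a plain SYN, SYN/ACK, ACK, data exchange with nothing left for the expert analysis to flag.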


Stats

Asked: 2021-11-19 20:24:06 +0000

Seen: 942 times

Last updated: Nov 22 '21