need help on how to read this capture, Out of Order packets

asked 2021-11-19 20:29:58 +0000

da_P
1 ●1 ●1 ●1

updated 2021-11-19 21:55:19 +0000

11115 ●11 ●317 ●165 https://www.igt.com/

HI, I’m having trouble interpreting the data below. I know what there is lots of OOO packets I’m having trouble understanding who is getting the packets OOO and who is reporting it.

For example, I see 10.213.18.69 sending t Syn packet 10.213.1.11 and right below I see TCP OOF to source 10.213.18.69. What does this mean that host 10.213.1.11 is reporting it OOO? How is this happening even though it’s the first packet.

No. Time    Source  Destination Protocol    Length  Sequence number Next sequence number    Acknowledgment number   Info

79  37.477032   10.213.18.69    10.213.1.11 TCP 66  0   1   0   52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

80  37.477032   10.213.18.69    10.213.1.11 TCP 66  0   1   0   [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

I also see dups and RST at the end which am assuming it 10.213.1.11 terminated the connection because of the OOO packets. So is 10.213.1.11, the server, reporting all of this? This packet capture was on a cisco router on 10.213.18.69 FYI.

I would appreciate if someone could walk me through this TCP flow and break down what is happening, I understand the concept just not sure how to interpret the wireshark data.

TIA, Paul

81  37.492030   10.213.1.11 10.213.18.69    TCP 66  0   1   1   389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

82  37.492030   10.213.1.11 10.213.18.69    TCP 66  0   1   1   [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

83  37.495021   10.213.18.69    10.213.1.11 TCP 54  1   1   1   52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

84  37.495021   10.213.18.69    10.213.1.11 TCP 54  1   1   1   [TCP Dup ACK 83#1] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

85  37.496028   10.213.18.69    10.213.1.11 TCP 1414    1   1361    1   52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360 [TCP segment of a reassembled PDU]

86  37.496028   10.213.18.69    10.213.1.11 TCP 1414    1   1361    1   [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360

87  37.496028   10.213.18.69    10.213.1.11 LDAP    786 1361    2093    1   bindRequest(7) "<root>" sasl 

88  37.496028   10.213.18.69    10.213.1.11 TCP 786 1361    2093    1   [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=1361 Ack=1 Win=131840 Len=732

89  37.511027   10.213.1.11 10.213 ...

(more)

edit retag flag offensive close merge delete

Comments

Looks like the packet capture is making duplicates of every packet.

Chuckc ( 2021-11-20 00:31:53 +0000 )edit

thanks, looked at the cap on the cisco router and i was indeed capturing two interfaces which passed the same traffic.

da_P ( 2021-11-22 15:44:40 +0000 )edit

add a comment

0

answered 2021-11-22 15:45:42 +0000

da_P
1 ●1 ●1 ●1

I was unaware and capturing traffic in/out in multiple interfaces that pass the same traffic and it was creating dups.

edit flag offensive delete link

add a comment

0

answered 2021-11-20 06:43:43 +0000

Jaap

13742 ●710 ●115

Like @Chuckc said, there's duplicates of every packet. Which is not uncommon when you capture on a monitor port, where both ingress and egress traffic of a switch fabric is captured, for instance. This is where editcap -d comes to shine, allowing you to remove the duplicates

edit flag offensive delete link

Comments

thanks, looked at the cap on the cisco router and i was indeed capturing two interfaces which passed the same traffic.

da_P ( 2021-11-22 15:44:45 +0000 )edit

add a comment

need help on how to read this capture, Out of Order packets

Comments

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

need help on how to read this capture, Out of Order packets edit

Comments

2 Answers

Comments

Your Answer

Question Tools

Stats

Related questions

need help on how to read this capture, Out of Order packets