need help on how to read this capture, Out of Order packets
Hi, I’m having trouble interpreting the data below. I know there are lots of OOO packets; I’m having trouble understanding who is getting the packets OOO and who is reporting it.
For example, I see 10.213.18.69 sending a SYN packet to 10.213.1.11, and right below I see TCP OOO to source 10.213.18.69. What does this mean, that host 10.213.1.11 is reporting it OOO? How is this happening even though it’s the first packet?
No. Time Source Destination Protocol Length Sequence number Next sequence number Acknowledgment number Info
79 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
80 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
I also see dups and an RST at the end, which I am assuming means 10.213.1.11 terminated the connection because of the OOO packets. So is 10.213.1.11, the server, reporting all of this? This packet capture was taken on a Cisco router on 10.213.18.69, FYI.
I would appreciate it if someone could walk me through this TCP flow and break down what is happening. I understand the concept, I’m just not sure how to interpret the Wireshark data.
TIA, Paul
81 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1
82 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1
83 37.495021 10.213.18.69 10.213.1.11 TCP 54 1 1 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0
84 37.495021 10.213.18.69 10.213.1.11 TCP 54 1 1 1 [TCP Dup ACK 83#1] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0
85 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360 [TCP segment of a reassembled PDU]
86 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360
87 37.496028 10.213.18.69 10.213.1.11 LDAP 786 1361 2093 1 bindRequest(7) "<root>" sasl
88 37.496028 10.213.18.69 10.213.1.11 TCP 786 1361 2093 1 [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=1361 Ack=1 Win=131840 Len=732
89 37.511027 10.213.1.11 10.213 ...
Looks like the packet capture is making duplicates of every packet.
Thanks, looked at the cap on the Cisco router and I was indeed capturing two interfaces which passed the same traffic.
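A quick way to confirm the diagnosis given in the answer above, added here as an example and not taken from the thread: the script parses packet-list lines in the column layout shown in the question and treats two frames that agree on timestamp, addresses, TCP fields and Info (ignoring Wireshark's bracketed expert tags such as [TCP Out-Of-Order]) as one packet seen on two interfaces. The sample listing is constructed from frames 79-86 of the capture plus one made-up frame 90, a retransmission with a later timestamp, to show that a genuine network event is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample in the Wireshark column layout used in the thread
# (No. Time Source Destination Protocol Length Seq NextSeq Ack Info).
# Frames 79-86 mirror the capture; frame 90 is made up: a real
# retransmission of frame 85 that arrives later, so its timestamp differs.
SAMPLE = """\
79 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 52715 → 389 [SYN] Seq=0 Win=64240 Len=0
80 37.477032 10.213.18.69 10.213.1.11 TCP 66 0 1 0 [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0
81 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
82 37.492030 10.213.1.11 10.213.18.69 TCP 66 0 1 1 [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0
85 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360
86 37.496028 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360
90 37.600000 10.213.18.69 10.213.1.11 TCP 1414 1 1361 1 [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360
"""

# Wireshark's analysis annotations, e.g. "[TCP Retransmission] " or "[TCP Dup ACK 83#1] "
EXPERT_TAG = re.compile(r"\[TCP [^\]]*\]\s*")


def parse_frame(line):
    """Split one packet-list line into (frame number, dedup key)."""
    no, t, src, dst, proto, length, seq, nxt, ack, info = line.split(maxsplit=9)
    # The key drops the frame number and the expert tag: frames that agree on
    # everything else, timestamp included, are the same packet captured twice.
    key = (t, src, dst, proto, length, seq, nxt, ack, EXPERT_TAG.sub("", info).strip())
    return int(no), key


def find_capture_duplicates(listing):
    """Map each first-seen frame number to the later frames that are exact copies of it."""
    seen, dups = {}, defaultdict(list)
    for line in listing.strip().splitlines():
        no, key = parse_frame(line)
        if key in seen:
            dups[seen[key]].append(no)
        else:
            seen[key] = no
    return dict(dups)


def double_capture_ratio(listing):
    """Fraction of frames that are copies; close to 0.5 means every packet was captured twice."""
    total = len(listing.strip().splitlines())
    copies = sum(len(v) for v in find_capture_duplicates(listing).values())
    return copies / total


if __name__ == "__main__":
    for first, copies in find_capture_duplicates(SAMPLE).items():
        print(f"frame {first} is duplicated by frame(s) {copies}")
    print(f"duplicate ratio: {double_capture_ratio(SAMPLE):.2f}")
```

On the real capture (every frame paired with a same-timestamp twin) the ratio comes out at 0.50, which is the signature of two interfaces carrying the same traffic rather than of packet loss or reordering on the wire.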