Ask Your Question
0

TCP Port numbers reused

asked 2022-02-24 16:38:17 +0000

BG-Wireshark gravatar image

I see packets coming from an IP lets just say 192.168.1.47 that authenticate to a webserver with no problem. I see all the correct traffic. I however have another IP 192.168.1.30 that worked in the AM of said day. In the afternoon the same connection is trying to be made I see in Wireshark [TCP Retransmission] [TCP Port numbers reused] and the client fails to get logged into the site. The browser says "Can't reach this page". All routes and traffic are working as expected. I see the "TCP Port numbers reused" at every failure. How can I look into what is causing the reused ports? I asked the users how they login and out of the site and they said to me that they usually login and let the session time out. However that morning when I started the initial packet captures I had the user 1 login and try it. It was successful. I had him logout because were not going to test till later in the day. That way I got a full capture of connect and disconnect. Later that afternoon I was testing and his session continued to work. While sitting there testing with this user 1 I say those messages go by with [TCP Port numbers reused]. I asked user 1 if someone else was there and using the site. He said yes and I asked if it failed to login in and I got a yes. I asked the user 1 if user 2 was using CATS in the morning and let it timeout. He said that user 2 was using the site in the morning and let it timeout. Can this cause this type of issue when their sessions timeout instead of getting closed manually and correctly? What controls the ports that are being reused. The ports are going to a https site (443) which will never change. The origination ports are the ports that are being reused. The site destination ip ends in 66. Can anyone validate or put holes in my theory of them not logging out correctly?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2022-08-17 04:28:39 +0000

adama924 gravatar image

updated 2022-08-17 07:07:28 +0000

HI, I know it's a discussion a while ago, but I do have a question similar to this. In one of the two attached pics, you can see the packet #229 has the "TCP Port numbers reused" message. However in the other pic, the packet #209 doesn't have this message. Both were sending the SYN,ACK message. Could anyone of you tell me what's the difference between the two? Is there something I should concern? What I can see the difference is the different in length, one is 66 bytes and the other is 60 bytes.

https://drive.google.com/file/d/1EvZx...

https://drive.google.com/file/d/1yTAJ...

Thank you.

edit flag offensive delete link more

Comments

Sound like a simple query (answered by our friend SYN-bit), or are you investigating something thats not working perhaps ..?

ajaznawaz gravatar imageajaznawaz ( 2022-08-17 08:12:09 +0000 )edit

WIthout the full capture file it is hard to determine what is causing the [TCP port numbers reused] warnings. On a sidenote, in recent versions of Wireshark a retransmission of a SYN packet is marked as [TCP port numbers reused], which is a bug IMHO, but I need to investigate why this behavior has changed.

SYN-bit gravatar imageSYN-bit ( 2022-08-18 09:37:58 +0000 )edit

@ajaznawaz I was troubleshooting another issue (couldn't access port 443 and 4433) and saw the difference between the two SYN, ACK captures. One with "TCP Port numbers reused" message one without. Either way, my computer couldn't receive the SYN,ACK responses, resulting in time-out error.

adama924 gravatar imageadama924 ( 2022-08-18 17:58:05 +0000 )edit

@SYN-bit@ajaznawaz Yes I used the latest version of Wireshark to capture the packets. So this might be a bug. Based on the captures the client and server are doing TCP handshaking. (On a related note) I never received the SYN,ACK responses (result in failed connection). I was requesting access to the 443 and 4433 ports of the server (which is a firewall). Since the server received the requests and responded, the two ports are blocked by this server or any inter-mediate firewalls. Then, why I never received the SYN,ACK response?

adama924 gravatar imageadama924 ( 2022-08-18 18:05:50 +0000 )edit
0

answered 2022-02-25 10:10:22 +0000

SYN-bit gravatar image

The wireshark note "[TCP Port numbers reused]" means that in the packet capture file, there is a new connection for a 5-tuple (ip-src,ip-dst,protocol,srcport,dstport) that was seen before in the packet capture. This is normal when doing a long term capture, as there are only 65536 possible source ports, so in due time these ports are being reused.

Depending on the setup, the source IP address could end up being the same for every user (NAT and/or Loadbalancing are examples). Then if there are a lot of TCP sessions, the time between two distinct sessions using the same source port can become very small. On the server side, when a session is closed, it will be kept in TIME_WAIT state for a while to allow for late packets to be handled. This time varies per system, but used to be like 2 minutes.

So all-in-all "[TCP Port numbers reused]" notifications can be benign, but depending on the infrastructure it might indicate a problem. If you do not see a SYN/ACK response to the SYN that was marked with "[TCP Port numbers reused]", then that is something to look into, as there might be sessions in TIME_WAIT state on the server preventing the TCP session to establish. In that case, some OSses have a setting to allow new sessions to establish even when the same 5-tuple was used earlier and that session is still in TIME_WAIT.

Hope this helps, if not, please look at https://blog.packet-foo.com/2016/11/t... on how to provide a capture file for us here to help you better in this case.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

3 followers

Stats

Asked: 2022-02-24 16:38:17 +0000

Seen: 70,498 times

Last updated: Aug 17 '22