This frame is a (suspected) retransmission]

asked 2023-02-06 10:43:33 +0000

eliassal

I have a mail server with the firewall enabled, and I see a lot of stopped actions whose source IP is my router's external IP. I set up Wireshark on the box and triggered a session filtered with ip.addr == myexternalRouterIP, which shows a lot of

Frame 445295: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{2AEC5B1B-C9CD-45A5-B7CA-2CA1416BCAB6}, id 0
Ethernet II, Src: DrayTek_66:17:48 (00:1d:aa:66:17:48), Dst: Microsof_01:1d:3b (00:15:5d:01:1d:3b)
Internet Protocol Version 4, Src: myExternalIP, Dst: 192.168.1.34
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0xc159 (49497)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 127
    Protocol: TCP (6)
    Header Checksum: 0xffc9 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: myExternalIP
    Destination Address: 192.168.1.34
Transmission Control Protocol, Src Port: 58122, Dst Port: 25, Seq: 0, Len: 0
    Source Port: 58122
    Destination Port: 25
    [Stream index: 5592]
    [Conversation completeness: Incomplete, SYN_SENT (1)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 2438265587
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x002 (SYN)
    Window: 64240
    [Calculated window size: 64240]
    Checksum: 0xca12 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        TCP Option - Maximum segment size: 1460 bytes
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 8 (multiply by 256)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
    [Timestamps]
        [Time since first frame in this TCP stream: 9.011925000 seconds]
        [Time since previous frame in this TCP stream: 6.010005000 seconds]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): A new tcp session is started with the same ports as an earlier session in this trace]
                [A new tcp session is started with the same ports as an earlier session in this trace]
                [Severity level: Note]
                [Group: Sequence]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [The RTO for this segment was: 9.011925000 seconds]
            [RTO based on delta from frame: 445073]

So how can I understand why the router is sending these SYN messages every second? Thanks in advance


Comments

When a host sends a TCP segment with the SYN flag set, it usually means that this host wants to establish a TCP connection with the destination IP. In your case, it does not look like the server is responding, because the firewall doesn't even allow the TCP segment to reach the mail server. If this process repeats, it could be because the software on the source host (your router) is programmed to retry over a period of time. Now, why it does this is trickier to find. You need to check the settings on the router to try and understand why it wants to connect to your mail server. Maybe the router needs to send logs or an alert by email. When you disable a setting, run the capture again and see if the issue is still present. One last thing: it may be possible that another host is using your router ...(more)

Spooky ( 2023-02-08 03:49:21 +0000 )
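One way to check the two points made above (is the SYN ever answered, and does the retry timing look like a TCP stack's backoff?) across a whole capture rather than one decoded frame is to export the SYN segments as tab-separated fields and group them by 4-tuple. The script below is an added example, not code from the thread or from Wireshark. It assumes the input lines have the shape produced by `tshark -r capture.pcapng -Y 'tcp.flags.syn==1' -T fields -e frame.time_relative -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e ip.ttl -e tcp.flags.ack`; the sample rows embedded in it are constructed, with 203.0.113.7 standing in for the asker's myExternalIP, and the hop estimate is a heuristic based on the common initial TTL values 64, 128 and 255, not proof of which device sent the packet.

```python
"""Group SYN segments by client 4-tuple, flag attempts that never received a
SYN/ACK, and report the retry gaps plus a TTL-based hop estimate.

Input line format (assumed to match `tshark -T fields` output, tab separated):
  frame.time_relative  ip.src  tcp.srcport  ip.dst  tcp.dstport  ip.ttl  tcp.flags.ack
"""
from collections import defaultdict

# Constructed sample data (not from the original capture): three SYNs from one
# client port to port 25 that never get a SYN/ACK, the pattern in the question,
# plus one ordinary handshake from a LAN host for contrast.
SAMPLE = """\
0.000000\t203.0.113.7\t58122\t192.168.1.34\t25\t127\t0
3.002100\t203.0.113.7\t58122\t192.168.1.34\t25\t127\t0
9.012025\t203.0.113.7\t58122\t192.168.1.34\t25\t127\t0
1.500000\t192.168.1.50\t49200\t192.168.1.34\t25\t63\t0
1.500400\t192.168.1.34\t25\t192.168.1.50\t49200\t64\t1
"""

# Initial TTLs most operating systems use; the observed TTL is decremented
# once per router hop, so (initial - observed) estimates the hop distance.
COMMON_INITIAL_TTLS = (64, 128, 255)


def parse_lines(text):
    """Parse tab-separated field lines into dicts; tshark prints booleans as
    1/0 or True/False depending on version, so both spellings are accepted."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, sport, dst, dport, ttl, ack = line.split("\t")
        rows.append({
            "time": float(t), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "ttl": int(ttl),
            "synack": ack in ("1", "True"),
        })
    return rows


def estimate_hops(ttl):
    """Return (assumed initial TTL, hops away) using the smallest common
    initial TTL that is >= the observed value. Heuristic only."""
    initial = min(i for i in COMMON_INITIAL_TTLS if i >= ttl)
    return initial, initial - ttl


def find_unanswered_syns(rows):
    """Map each client 4-tuple that never saw a SYN/ACK to its SYN count,
    the gaps between successive SYNs, and the TTL-based hop estimate."""
    attempts = defaultdict(list)
    answered = set()
    for r in rows:
        if r["synack"]:
            # A SYN/ACK flows server->client; key it as the client's 4-tuple.
            answered.add((r["dst"], r["dport"], r["src"], r["sport"]))
        else:
            attempts[(r["src"], r["sport"], r["dst"], r["dport"])].append(r)

    report = {}
    for key, syns in attempts.items():
        if key in answered:
            continue
        times = sorted(s["time"] for s in syns)
        gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
        initial, hops = estimate_hops(syns[0]["ttl"])
        report[key] = {
            "syn_count": len(syns),
            "retry_gaps": gaps,
            "ttl": syns[0]["ttl"],
            "assumed_initial_ttl": initial,
            "hops_away": hops,
        }
    return report


if __name__ == "__main__":
    for (src, sport, dst, dport), info in find_unanswered_syns(parse_lines(SAMPLE)).items():
        print(f"{src}:{sport} -> {dst}:{dport}: {info['syn_count']} SYNs, no SYN/ACK; "
              f"gaps {info['retry_gaps']} s; TTL {info['ttl']} "
              f"(~{info['hops_away']} hop from an initial TTL of {info['assumed_initial_ttl']})")
```

Gaps that roughly double (3 s, then 6 s) are what a TCP stack's SYN retransmission backoff looks like, which fits the "(suspected) retransmission" note in the decoded frame; a fixed one-second cadence would instead point at an application-level retry loop. A hop estimate of 1 only says the sender is one router hop from the capture point, so it cannot by itself distinguish the router from a host whose traffic the router has NATed.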

Thanks, yes, my router was configured to send alerts, which I disabled, but I am still getting the same records in Wireshark. There is no other component that sends to the server. Yes, I have several internal hosts (in my LAN) that use the mail server (some use the public name, so they go across the router), but everything works fine and send/receive operations work fine.

eliassal ( 2023-02-08 10:09:11 +0000 )

If the source MAC address ("DrayTek_66:17:48") is the actual MAC of the router interface, and seeing the IPv4 TTL being 127, this increases the likelihood of the router itself being the source. There are, of course, plenty of other explanations, but I like Occam's razor. You can always try to disconnect the other hosts to confirm whether it is coming from the router or not. You can also try to capture from the WAN port of the router using one of the methods suggested in the Wiki. You can capture from different LAN ports too if several are used. Good luck.

Spooky ( 2023-02-09 02:19:14 +0000 )

Thanks, OK, I will do that and come back to you, but tell me, what is "Occam's razor"?

eliassal ( 2023-02-09 13:06:12 +0000 )

Simply put, Occam's razor is a problem-solving principle that recommends looking for the simplest or most obvious explanation first.

Spooky ( 2023-02-10 03:51:02 +0000 )