Ask Your Question
0

Capture output explanation

asked 2023-02-06 17:40:20 +0000

tuccero gravatar image

Hello, I am facing a problem between 2 machines and i installed Wireshark version 3.2.0 to capture the network traffic. While i am able to ping the target machine from the source machine, when i am trying to connect to port 22 i cannot connect. I started a capture while trying to connect to target machine using both telnet and winscp application. It is a short capture but i do not know what is the problem. These are some of the data that i receive in the capture:

Internet Protocol Version 4, Src: source, Dst: target
Transmission Control Protocol, Src Port: 51877, Dst Port: 22, Seq: 0, Len: 0
    Source Port: 51877
    Destination Port: 22
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Sequence number (raw): 2742951259
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 0
Acknowledgment number (raw): 0
1000 .... = Header Length: 32 bytes (8)
Flags: 0x0c2 (SYN, ECN, CWR)
    000. .... .... = Reserved: Not set
    ...0 .... .... = Nonce: Not set
    .... 1... .... = Congestion Window Reduced (CWR): Set
    .... .1.. .... = ECN-Echo: Set
    .... ..0. .... = Urgent: Not set
    .... ...0 .... = Acknowledgment: Not set
    .... .... 0... = Push: Not set
    .... .... .0.. = Reset: Not set
    .... .... ..1. = Syn: Set
    .... .... ...0 = Fin: Not set
    [TCP Flags: ····CE····S·]
Window size value: 65535
[Calculated window size: 65535]
Checksum: 0x8352 [unverified]
[Checksum Status: Unverified]
Urgent pointer: 0
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
[SEQ/ACK analysis]
    [TCP Analysis Flags]
        [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
        [The RTO for this segment was: 3.000277000 seconds]
        [RTO based on delta from frame: 4]
[Timestamps]

Please advise.

edit retag flag offensive close merge delete

Comments

Hello,

Any other ideas regarding this problem?

tuccero gravatar imagetuccero ( 2023-02-13 06:38:12 +0000 )edit

Capture this event on both the source and destination machine simultaneously and provide the files through some file sharing service. Also describe the source and designation machine in some detail. Then people can analyse rather than guess what's going on.

Jaap gravatar imageJaap ( 2023-02-13 07:24:05 +0000 )edit

Thank you for your reply. I captured the output from both sides. You can find the information of the machines below:

Source: Windows Server 2016 Datacenter which is used as a jump server. Users are connected to this server to access certain services/applications or simply to connect to other servers. Capture sftp2.pcapng was taken on this server.

Target: RedHat Enterprise Linux 8.7 which is used as an sftp server (openssh). Capture dbjs2.pcapng was taken on this server.

Test Description: I tried to telnet port 22 from source server to target server and then to ping target server as well. As you will see from the captures, when i attempt to telnet port 22 no capture is taken on target server. The only capture that is shown on target server is when i tried to ping.

You can use the following url to download files from wetransfer: link text

tuccero gravatar imagetuccero ( 2023-02-13 08:47:25 +0000 )edit

So from the IP addresses in the capture files it tells me there is another box in between these two servers. The fact that the MAC address of this box is from Fortinet suggests to me a firewall. A firewall typically blocks port 22 access, therefore you get no SYN/ACK back.

Jaap gravatar imageJaap ( 2023-02-13 12:02:31 +0000 )edit

Thank you. I will contact the firewall administrator to further investigate the issue.

tuccero gravatar imagetuccero ( 2023-02-13 13:08:48 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2023-02-07 09:47:05 +0000

hugo.vanderkooij gravatar image

If you send multiple SYN packets and the server does not respond with SYN-ACK then I would start with checking if the server is listening on port 22 and if there is a host based firewall active that drops the packets.

edit flag offensive delete link more

Comments

Hello, Yes i can verify that the server is listening on port 22 and there is no firewall active on server. This is the strange thing for me. I can connect from multiple other sources to the target machine (including my workstation) and the only issue that i am facing is from the specific source machine.

tuccero gravatar imagetuccero ( 2023-02-07 10:01:50 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-02-06 17:40:20 +0000

Seen: 916 times

Last updated: Feb 13 '23