Why is there a port mismatch between the TCP and HTTP headers for port 51006? Also, why does netstat on the server not show connections under port 51006 even though traffic is coming to this port?

asked 2017-10-31 07:06:11 +0000


10.5.220.26 is a load balancer. As per usual practice, we get our server 10.5.207.199 added under LB IP 10.5.220.26 under ports 51006 and 44006. It is observed that traffic is coming from source IP 10.5.220.26 and the destination port is 44006 in the TCP header. But there is an entry in the HTTP header showing Host:10.5.220.26:51006, which means 10.5.220.26 is talking to 10.5.207.199 at port 51006. So why is the source port in the TCP packet displayed as 44006? Also, on my server when I do netstat and try to see connections with port 51006, I cannot see any connections. For source IP 10.5.220.26 and destination port 44006 in the TCP header there is the entry Host:10.5.220.26:44006 in the HTTP header, which is fine as it means the destination port is 44006 and the same is displayed in the HTTP header. When my server 10.5.207.199 is added under port 44006 the connections are, say, X in netstat, and when I get it added under 51006 as well, the number of connections in netstat under 44006 increases to X Y. But no connection is shown under port 51006. Why? Tcpdump rar file link: https://drive.google.com/file/d/0B3Vn...


Comments

Post your capture file on a public sharing site, e.g. [Cloudshark](https://cloudshark.org), Google Drive, DropBox etc.

grahamb ( 2017-10-31 08:39:33 +0000 )

I tried uploading it on Cloudshark. The size was too large, so I zipped it, but after uploading it did not recognize the rar file. So now I have uploaded it on Google Drive. Here is the link --> https://drive.google.com/file/d/0B3VnP3xmwL5pUEJiTG9XUWtVNk9IM1Z4SWtnblZRd3Fadktn/view?usp=sharing Please check.

harpreet ( 2017-10-31 13:04:30 +0000 )

Wireshark just decodes and presents in human-readable form what it has found in the data. So when looking e.g. at packet 65, you can see also in its hex dump that the TCP source port (two bytes at offset 0x24 of the frame) is 56817 (=0xddf1) and that the http Host header contains ":51006".

sindy ( 2017-10-31 13:19:45 +0000 )

So neither of the two values is made up by Wireshark. Therefore, you cannot see any connections from port 51006 of the LB, as it really establishes them from 56817. Unfortunately, Wireshark cannot tell you **why** this happens, only **that** this happens.

sindy ( 2017-10-31 13:22:46 +0000 )

My query is why there is a destination port mismatch between the TCP and HTTP headers. It is observed that traffic is coming from source IP 10.5.220.26 and the destination port is 44006 in the TCP header. But there is an entry in the HTTP header showing Host:10.5.220.26:51006, which means 10.5.220.26 is talking to 10.5.207.199 at port 51006.

harpreet ( 2017-10-31 13:27:22 +0000 )
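To make sindy's point concrete (the TCP ports and the HTTP Host header are independent fields that Wireshark merely decodes), here is an added example, not from the thread or the capture, that parses a constructed Ethernet/IPv4/TCP frame and reports when the port in the Host header differs from the TCP destination port. The frame layout, the MAC addresses and the zeroed checksums are constructed assumptions; only the IPs and the ports come from the thread.

```python
import re
import struct

# Matches "Host: name" or "Host: name:port" at the start of a header line.
HOST_RE = re.compile(rb"^Host:\s*([^\r\n:]+)(?::(\d+))?\r?$", re.M | re.I)


def parse_tcp_ports(frame: bytes):
    """Return (src_port, dst_port, payload) from a plain Ethernet/IPv4/TCP frame.
    Assumes a 14-byte Ethernet header (no VLAN tag, no Linux cooked header)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    ip_start = 14
    ihl = (frame[ip_start] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[ip_start + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = ip_start + ihl                     # 0x22 for a 20-byte IP header
    src_port, dst_port = struct.unpack("!HH", frame[tcp_start:tcp_start + 4])
    data_offset = (frame[tcp_start + 12] >> 4) * 4  # TCP header length in bytes
    return src_port, dst_port, frame[tcp_start + data_offset:]


def host_header_port(payload: bytes):
    """Port named in the HTTP Host header, 80 if absent, None if no Host header."""
    m = HOST_RE.search(payload)
    if not m:
        return None
    return int(m.group(2)) if m.group(2) else 80


def check_port_mismatch(frame: bytes) -> dict:
    """Compare the TCP destination port with the port the client put in Host."""
    src, dst, payload = parse_tcp_ports(frame)
    host_port = host_header_port(payload)
    return {"tcp_src": src, "tcp_dst": dst, "host_port": host_port,
            "mismatch": host_port is not None and host_port != dst}


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Constructed test frame LB 10.5.220.26 -> server 10.5.207.199 (checksums zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 5, 220, 26]), bytes([10, 5, 207, 199]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample mirroring the thread: TCP dst 44006, Host header says :51006.
SAMPLE = build_frame(56817, 44006, b"GET / HTTP/1.1\r\nHost: 10.5.220.26:51006\r\n\r\n")
```

Run over real traffic, a flagged mismatch tells you the Host value was chosen by the client (here the LB forwarding its own front-end port), which is why netstat only ever shows the TCP port.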