Why is there a port mismatch between the TCP and HTTP headers for port 51006? Also, why does netstat on the server not show connections under port 51006 even though traffic is coming to this port?
10.5.220.26 is a load balancer. As per usual practice, we get our server 10.5.207.199 added under LB IP 10.5.220.26 under ports 51006 and 44006. It is observed that traffic is coming from source IP 10.5.220.26 and the destination port is 44006 in the TCP header. But there is an entry in the HTTP header showing Host:10.5.220.26:51006, which means 10.5.220.26 is talking to 10.5.207.199 at port 51006. So why is the source port in the TCP packet displayed as 44006? Also, on my server, when I do netstat and try to see connections with port 51006, I cannot see any connections. For source IP 10.5.220.26 and destination port 44006 in the TCP header there is an entry Host:10.5.220.26:44006 in the HTTP header, which is fine, as it means the destination port is 44006 and the same is displayed in the HTTP header. When my server 10.5.207.199 is added under port 44006 the connections are, say, X in netstat, and when I get it added under 51006 as well, the number of connections in netstat under 44006 gets increased to X + Y. But no connection is shown under port 51006. Why? Tcpdump rar file link https://drive.google.com/file/d/0B3Vn...
Post your capture file on a public sharing site, e.g. [Cloudshark](https://cloudshark.org), Google Drive, DropBox etc.
I tried uploading it on Cloudshark. The size was too large, so I zipped it, but then after uploading it does not recognize the rar file. So now I have uploaded it on Google Drive. Here is the link --> https://drive.google.com/file/d/0B3VnP3xmwL5pUEJiTG9XUWtVNk9IM1Z4SWtnblZRd3Fadktn/view?usp=sharing Please check.
Wireshark just decodes and presents in human-readable form what it has found in the data. So when looking e.g. at packet 65, you can also see in its hex dump that the TCP source port (two bytes at offset 0x24 of the frame) is 56817 (=0xddf1) and that the HTTP Host header contains ":51006".
So neither of the two values is made up by Wireshark. Therefore, you cannot see any connections from port 51006 of the LB, as it really establishes them from 56817. Unfortunately, Wireshark cannot tell you **why** this happens, only **that** this happens.
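To see the two values side by side without relying on any dissector, here is a small Python decoder (an added example, not code from this thread and not built from the poster's capture) that walks a raw frame Ethernet -> IPv4 -> TCP and pulls out the TCP ports and the HTTP Host header. The frame is constructed inline to mirror the scenario described in the thread (LB 10.5.220.26 connecting from TCP port 56817 to server 10.5.207.199:44006 while the request still says Host: 10.5.220.26:51006); the MAC addresses, request line and User-Agent are made up. It locates the TCP header from the ethertype and the IP header length rather than a fixed offset: for a plain Ethernet II + IPv4 frame with no IP options the TCP header starts at 0x22 (source port at 0x22, destination port at 0x24), and four bytes later if the frame carries an 802.1Q tag.

```python
"""Decode TCP ports and the HTTP Host header from a raw Ethernet frame.

Added example, not from the original thread or the poster's capture. The
sample frame is constructed to mirror the scenario discussed: LB 10.5.220.26
connects from TCP port 56817 to server 10.5.207.199:44006, but the forwarded
HTTP request still carries "Host: 10.5.220.26:51006".
"""
import struct

LB_IP, SERVER_IP = "10.5.220.26", "10.5.207.199"   # addresses from the thread
LB_MAC = bytes.fromhex("020000000001")               # constructed MAC addresses
SERVER_MAC = bytes.fromhex("020000000002")


def ip_checksum(header: bytes) -> int:
    """Standard ones'-complement checksum over the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, vlan=None):
    """Ethernet II + IPv4 + TCP (PSH/ACK) + payload. TCP checksum left at 0."""
    eth = SERVER_MAC + LB_MAC
    if vlan is not None:                      # optional 802.1Q tag (+4 bytes)
        eth += struct.pack("!HH", 0x8100, vlan)
    eth += struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP using the length fields, not fixed offsets."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    l3 = 14
    if ethertype == 0x8100:                   # skip an 802.1Q VLAN tag
        ethertype = struct.unpack("!H", frame[16:18])[0]
        l3 = 18
    if ethertype != 0x0800 or frame[l3] >> 4 != 4:
        raise ValueError("not IPv4")
    if frame[l3 + 9] != 6:
        raise ValueError("not TCP")
    ihl = (frame[l3] & 0x0F) * 4              # IP header length incl. options
    total_len = struct.unpack("!H", frame[l3 + 2:l3 + 4])[0]
    l4 = l3 + ihl                             # start of the TCP header
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    data_off = (frame[l4 + 12] >> 4) * 4      # TCP header length incl. options
    return {
        "src_ip": ".".join(map(str, frame[l3 + 12:l3 + 16])),
        "dst_ip": ".".join(map(str, frame[l3 + 16:l3 + 20])),
        "tcp_offset": l4, "src_port": sport, "dst_port": dport,
        "payload": frame[l4 + data_off:l3 + total_len],
    }


def http_host(payload: bytes):
    """Return the Host header value of an HTTP/1.x request, or None."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:     # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def host_port(host: str, default: int = 80) -> int:
    """Port named in a Host value ('h', 'h:p' or '[v6]:p'); default if absent."""
    if host.startswith("["):
        host = host.split("]", 1)[1]          # drop the bracketed IPv6 literal
    _, sep, port = host.rpartition(":")
    return int(port) if sep and port.isdigit() else default


def compare_ports(frame: bytes) -> dict:
    """Side by side: what TCP says versus what the HTTP Host header claims."""
    pkt = parse_frame(frame)
    host = http_host(pkt.pop("payload"))
    port = host_port(host) if host else None
    pkt.update(host=host, host_port=port,
               mismatch=port is not None and port != pkt["dst_port"])
    return pkt


REQUEST = (b"GET /health HTTP/1.1\r\nHost: 10.5.220.26:51006\r\n"
           b"User-Agent: lb-probe\r\n\r\n")                       # constructed request
SAMPLE_FRAME = build_frame(LB_IP, SERVER_IP, 56817, 44006, REQUEST)

if __name__ == "__main__":
    r = compare_ports(SAMPLE_FRAME)
    print(f"TCP  : {r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']} "
          f"(TCP header at frame offset {r['tcp_offset']:#x})")
    print(f"HTTP : Host: {r['host']} -> port {r['host_port']}")
    print("mismatch" if r["mismatch"] else "consistent")
```

The `mismatch` flag is the thing to look for: netstat and ss only ever see the TCP 4-tuple (here the 56817 -> 44006 pair), so the port inside `Host:` is invisible to them, whereas a virtual-host lookup or an application log keyed on the Host header will report 51006. Which box rewrote the TCP ports while leaving the HTTP payload untouched cannot be read from this one capture point.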
My query is why there is a destination port mismatch between the TCP and HTTP headers. It is observed that traffic is coming from source IP 10.5.220.26 and the destination port is 44006 in the TCP header. But there is an entry in the HTTP header showing Host:10.5.220.26:51006, which means 10.5.220.26 is talking to 10.5.207.199 at port 51006.
My system is making a connection to the LB with system port 51006 and LB port 56817. Then, on doing netstat, why is no connection shown with 51006? Is there something like a port-hiding policy? Because, as I mentioned, the connections on port 44006 increase after adding the server under LB port 51006, but no connections are shown under 51006.
Your capture seems to come from between the load balancer and the actual server (no other traffic than between those two, except ARP and NBNS). So it is not possible to say anything more than that the LB has established the connection from 56817 towards 44006 at the actual server and probably forwarded the HTTP payload unmodified, resulting in a mismatch between the L2 and L7 information.
To find out more about what's actually going on, you have to capture simultaneously at the same place you did before and between the actual client and the LB's interface facing the client.
The trace is captured at the actual server, i.e. 10.5.207.199, which makes the connection with the LB. It seems the LB is receiving the HTTP payload from its source at port 51006 and sends this to the actual server 10.5.207.199 at port 44006 with the HTTP payload unmodified (hence 51006 in the HTTP header).
That sounds quite logical, except that I'm now lost as to what your actual question is :-) At which of the three machines do you run the netstat which "does not show connections at 51006"?
I run netstat on 10.5.207.199, the actual server which receives traffic from the LB. The LB has two ports, 44006 and 51006. Sometimes we get our actual server added under 44006, sometimes under 51006, and sometimes under both. So when my actual server is added under 51006, I do not see connections under 51006 on the actual server 10.5.207.199. I think this happens because 51006 is the LB port on which the LB is receiving traffic from its source, which it then sends to the actual server 10.5.207.199 with the HTTP payload unmodified. I see connections only under 44006 on the actual server 10.5.207.199, which increase once 10.5.207.199 is also added under LB port 51006. My actual server port is 44006 only.