firewall modifies packet?

asked 2018-10-03 21:58:47 +0000

TheWizard gravatar image

updated 2018-10-03 21:59:03 +0000

I'm looking at a trace where it seems the firewall alters some packets but other stays the same this is to a specfic port (in regards to ttl and round trip). The capture is taken on the client.

What I've seen is the following The SYN from the client have a mss of 1460 and ttl of 128. Server has 1380 and ttl 115. After a few conversations to the same host I can spot that now the server are sending a syn/ack with MSS 1460 same as the client (same as before). Also the ttl have now changed from 118 to 255. Also the round trip is 60msec on most conversation but those that got the ttl of 255 got a roundrip of about 10msec. However later in the conversation there are a delay from the server of about 150msec all of suden going from 10msec.

I'm guessing there are some firewall that does inspection and modifies the packets and somehow answer packets on behalf for the server? (buffering?)

edit retag flag offensive close merge delete


Sounds like some sort of link optimisation technology in the path between server and client.

Jaap gravatar imageJaap ( 2018-10-04 05:16:44 +0000 )edit