Client sends RST and resends SYN to server, server sequence isn't parsed correctly

asked 2019-03-28 07:57:06 +0000

JackXing

updated 2019-03-28 08:15:07 +0000

frame 2: client sends SYN to server
frame 3: server replies with PSH,ACK
frame 4: client sends RST to server
frame 16: client sends SYN (same as frame 1) to server
frame 18: server replies SYN,ACK to client; now Wireshark can't parse the server sequence correctly. I think it may be caused by frame 3.

The sequence is 4270148056 on frame 18. It should be 0.

I tried to ignore frames 2, 3, 4. Then frames 16, 18 and the flow were parsed correctly.

Frame 2: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
Ethernet II, Src: EquipTra_00:00:05 (00:01:00:00:00:05), Dst: EquipTra_00:00:04 (00:01:00:00:00:04)
Internet Protocol Version 4, Src: 223.71.63.228, Dst: 103.20.114.2
Transmission Control Protocol, Src Port: 18000, Dst Port: 18000, Seq: 0, Len: 0
    Source Port: 18000
    Destination Port: 18000
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 0    (relative sequence number)]
    Acknowledgment number: 0
    1001 .... = Header Length: 36 bytes (9)
    Flags: 0x002 (SYN)
    Window size value: 63463
    [Calculated window size: 63463]
    Checksum: 0x0000 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (16 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted, Experimental
    [Timestamps]


Frame 3: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: EquipTra_00:00:04 (00:01:00:00:00:04), Dst: EquipTra_00:00:05 (00:01:00:00:00:05)
Internet Protocol Version 4, Src: 103.20.114.2, Dst: 223.71.63.228
Transmission Control Protocol, Src Port: 18000, Dst Port: 18000, Seq: 1, Ack: 46860495, Len: 0
    Source Port: 18000
    Destination Port: 18000
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 46860495    (relative ack number)
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
    Window size value: 46722
    [Calculated window size: 95686656]
    [Window size scaling factor: 2048]
    Checksum: 0x3a06 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    [SEQ/ACK analysis]
        [iRTT: 0.005699000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Warning/Sequence): ACKed segment that wasn't captured (common at capture start)]
                [ACKed segment that wasn't captured (common at capture start)]
                [Severity level: Warning]
                [Group: Sequence]
    [Timestamps]


Frame 4: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: EquipTra_00:00:05 (00:01:00:00:00:05), Dst: EquipTra_00:00:04 (00:01:00:00:00:04)
Internet Protocol Version 4, Src: 223.71.63.228, Dst: 103.20.114.2
Transmission Control Protocol, Src Port: 18000, Dst Port: 18000, Seq: 46860495, Len: 0
    Source Port: 18000
    Destination Port: 18000
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence number: 46860495    (relative sequence number)
    [Next sequence number: 46860495    (relative sequence number)]
    Acknowledgment number: 0
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x004 (RST)
    Window size value: 0
    [Calculated window size: 0]
    [Window size scaling ...

Comments

Please provide the packet capture (as a dropbox/google drive/etc. link) so that we may assist with diagnosis.

Ross Jacobs ( 2019-03-29 21:34:55 +0000 )