This frame is a (suspected) retransmission

I have a mail server with the firewall enabled. I see a lot of stopped actions, and the source IP is my router's external IP. I set up Wireshark on the box, triggered a session with ip.addr == myexternalRouterIP, and saw a lot of:

Frame 445295: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{2AEC5B1B-C9CD-45A5-B7CA-2CA1416BCAB6}, id 0
Ethernet II, Src: DrayTek_66:17:48 (00:1d:aa:66:17:48), Dst: Microsof_01:1d:3b (00:15:5d:01:1d:3b)
Internet Protocol Version 4, Src: myExternalIP, Dst: 192.168.1.34
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 52
    Identification: 0xc159 (49497)
    010. .... = Flags: 0x2, Don't fragment
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 127
    Protocol: TCP (6)
    Header Checksum: 0xffc9 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: myExternalIP
    Destination Address: 192.168.1.34
Transmission Control Protocol, Src Port: 58122, Dst Port: 25, Seq: 0, Len: 0
    Source Port: 58122
    Destination Port: 25
    [Stream index: 5592]
    [Conversation completeness: Incomplete, SYN_SENT (1)]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 2438265587
    [Next Sequence Number: 1    (relative sequence number)]
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x002 (SYN)
    Window: 64240
    [Calculated window size: 64240]
    Checksum: 0xca12 [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
        TCP Option - Maximum segment size: 1460 bytes
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 8 (multiply by 256)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
    [Timestamps]
        [Time since first frame in this TCP stream: 9.011925000 seconds]
        [Time since previous frame in this TCP stream: 6.010005000 seconds]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): A new tcp session is started with the same ports as an earlier session in this trace]
                [A new tcp session is started with the same ports as an earlier session in this trace]
                [Severity level: Note]
                [Group: Sequence]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [The RTO for this segment was: 9.011925000 seconds]
            [RTO based on delta from frame: 445073]

So how can I understand why the router is sending these SYN messages every second? Thanks in advance.
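Added example, not from the question and not Wireshark's own code: a small Python triage script that reproduces, in simplified form, the two Sequence expert notes in the dissection above ("suspected retransmission" and "new session with the same ports") over a constructed list of SYN summaries, and counts the SYN retransmissions that never received a SYN/ACK, which is what the "Incomplete, SYN_SENT" conversation state records. The 4-tuple, raw ISN and timings are copied from the dissection; the later SYN/ACK, the fresh ISN and the max_rto threshold are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float      # capture time, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN/ACK
    seq: int      # raw sequence number
    ack: int = 0  # raw ack number (meaningful for SYN/ACK only)

def analyze(pkts, max_rto=60.0):
    """Label each SYN: 'retransmission' = same 4-tuple repeats the same raw ISN
    within max_rto s; 'port reuse' = same 4-tuple but a fresh ISN (simplified)."""
    acked = {(p.dst, p.dport, p.src, p.sport, p.ack - 1)   # client tuple + ISN
             for p in pkts if p.flags == "SA"}
    last, out = {}, []
    for p in sorted((q for q in pkts if q.flags == "S"), key=lambda q: q.t):
        key = (p.src, p.sport, p.dst, p.dport)
        prev = last.get(key)
        if prev is None:
            verdict = "new"
        elif p.seq == prev[1] and p.t - prev[0] <= max_rto:
            verdict = "retransmission"
        else:
            verdict = "port reuse"
        out.append({"t": p.t, "key": key, "verdict": verdict,
                    "delta": None if prev is None else round(p.t - prev[0], 3),
                    "answered": key + (p.seq,) in acked})
        last[key] = (p.t, p.seq)
    return out

def unanswered_retransmissions(results):
    """Count, per 4-tuple, SYN retransmissions that never got a SYN/ACK."""
    counts = {}
    for r in results:
        if r["verdict"] == "retransmission" and not r["answered"]:
            counts[r["key"]] = counts.get(r["key"], 0) + 1
    return counts

# Constructed sample (not a real capture): three SYNs with one ISN and no reply,
# then a fresh ISN on the same source port that is answered.
SAMPLE = [
    Pkt(0.000, "myExternalIP", 58122, "192.168.1.34", 25, "S", 2438265587),
    Pkt(3.002, "myExternalIP", 58122, "192.168.1.34", 25, "S", 2438265587),
    Pkt(9.012, "myExternalIP", 58122, "192.168.1.34", 25, "S", 2438265587),
    Pkt(75.000, "myExternalIP", 58122, "192.168.1.34", 25, "S", 3000000001),
    Pkt(75.001, "192.168.1.34", 25, "myExternalIP", 58122, "SA", 11111, 3000000002),
]
```

The per-SYN delta shows the client's retransmission backoff, and a 4-tuple with unanswered retransmissions and no SYN/ACK is a connection attempt the server side (or a firewall in front of it) is silently dropping.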