SYN followed by PSH ACK with incorrect ACK sequence number

I'm investigating network issues at our office. I'm not on the network team and have no details on the network topology, but here's a trace of what happens on my machine.

https://www.dropbox.com/s/mbhnd4e34ftrgzd/aspyct.org-extracted.pcapng?dl=0

You're looking at a curl HTTP request made from my workstation to my own website. The website was working fine at the time the capture was made. Just before that, two other HTTP requests went through fine, but this one eventually timed out. I had a similar behavior on other websites.

Note that Wireshark is indicating "TCP ACKed unseen segment", but I'm pretty confident I didn't miss packets: the 2 HTTP requests made just before that were complete, and there wasn't much network traffic except for some broadcast.

I'm seeing two things wrong here:

  1. the initial SYN gets a PSH/ACK response
  2. the ACK sequence number on the first response is random

From my understanding, the first response from the server should be a SYN/ACK with a sequence number of 1. I've never seen a SYN, PSH/ACK, ACK sequence (although, admittedly, my TCP knowledge is a bit rusty).

So here come the questions:

  1. is there a case where a PSH/ACK would be a legit response to a SYN, and what about that ACK sequence number?
  2. if it is indeed an error, do you know of any network equipment that would be likely to cause that error?

Thanks for your time :)
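As an added illustration (not part of the question or of the linked capture), the check below encodes what a valid reply to a SYN has to look like: it must carry SYN/ACK, and its acknowledgement number must equal the client's initial sequence number plus one. Wireshark displays relative sequence numbers by default, so the "1" seen in a normal SYN/ACK is really ISN+1. A PSH/ACK whose ack number matches nothing the client ever sent is exactly the condition Wireshark reports as "TCP ACKed unseen segment". The packets are constructed inline with placeholder addresses, and the script parses them from raw IPv4/TCP bytes so it runs without any capture file or third-party library.

```python
"""Added example: validate the first server reply to a TCP SYN.

Packets are constructed inline (no pcap, no Ethernet header) with
placeholder addresses 10.0.0.5 (client) and 203.0.113.10 (server).
"""
import socket
import struct
from dataclasses import dataclass

# TCP flag bits from the 8-bit flags field
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
# Ordered so that combinations print in the usual Wireshark style
FLAG_NAMES = [(SYN, "SYN"), (PSH, "PSH"), (FIN, "FIN"), (RST, "RST"), (ACK, "ACK")]


@dataclass
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes


def flag_names(flags):
    return "/".join(name for bit, name in FLAG_NAMES if flags & bit) or "none"


def build_ipv4_tcp(src, sport, dst, dport, seq, ack, flags, payload=b""):
    """Construct a minimal IPv4 + TCP packet (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Parse the fields the check needs from a raw IPv4/TCP packet."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    t = raw[ihl:]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", t[:14])
    data_off = (off >> 4) * 4
    return TcpSegment(src, sport, dst, dport, seq, ack, flags, t[data_off:])


def check_handshake(segments):
    """Return anomaly descriptions for the first server reply to the SYN.

    An empty list means the reply is a proper SYN/ACK acknowledging ISN+1.
    """
    syn = next((s for s in segments if s.flags & SYN and not s.flags & ACK), None)
    if syn is None:
        return ["no SYN in trace"]
    expected_ack = (syn.seq + 1) & 0xFFFFFFFF  # absolute value; Wireshark shows it as 1
    findings = []
    for s in segments:
        is_reply = (s.src, s.sport, s.dst, s.dport) == (syn.dst, syn.dport, syn.src, syn.sport)
        if not is_reply:
            continue
        if (s.flags & (SYN | ACK)) != (SYN | ACK):
            findings.append(f"first server segment is {flag_names(s.flags)}, expected SYN/ACK")
        if s.ack != expected_ack:
            findings.append(f"ack {s.ack} does not acknowledge client ISN+1 ({expected_ack}); "
                            "Wireshark reports this as 'TCP ACKed unseen segment'")
        break
    else:
        findings.append("no reply from server")
    return findings


CLIENT, SERVER = "10.0.0.5", "203.0.113.10"  # constructed placeholder addresses


def good_trace():
    """A normal three-way handshake: SYN, SYN/ACK (ack = ISN+1), ACK."""
    return [parse_ipv4_tcp(p) for p in (
        build_ipv4_tcp(CLIENT, 51000, SERVER, 80, 1000, 0, SYN),
        build_ipv4_tcp(SERVER, 80, CLIENT, 51000, 5000, 1001, SYN | ACK),
        build_ipv4_tcp(CLIENT, 51000, SERVER, 80, 1001, 5001, ACK),
    )]


def bad_trace():
    """The shape described in the question: SYN, then a PSH/ACK whose ack
    number matches nothing the client sent, then the client's ACK."""
    return [parse_ipv4_tcp(p) for p in (
        build_ipv4_tcp(CLIENT, 51000, SERVER, 80, 1000, 0, SYN),
        build_ipv4_tcp(SERVER, 80, CLIENT, 51000, 7777, 123456789, PSH | ACK,
                       b"HTTP/1.1 200 OK\r\n"),
        build_ipv4_tcp(CLIENT, 51000, SERVER, 80, 1001, 7778, ACK),
    )]


if __name__ == "__main__":
    for name, trace in (("good", good_trace()), ("bad", bad_trace())):
        print(name, check_handshake(trace) or ["handshake looks normal"])
```

The check deliberately keys on absolute numbers: a SYN/ACK acknowledging anything other than ISN+1 belongs to a different connection, and a segment without SYN as the first reply means the responding host (or a middlebox answering on its behalf) already considers the connection established. Running the script prints an empty finding list for the normal handshake and two findings for the anomalous one.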