Ask Your Question

Revision history [back]

Need help in interpreting the wireshark log

Here's the scenario, we have a client connected to our network via IPSEC. In their network, they have printers which are intended to communciate to a print server hosted within our private network. IPSEC tunnels from both ends are up. Both the internet circuits from both ends to which these IPSEC are passing thru are also clean with no packet drops whatsoever. Besides, from both sites perspective, there are other applications passing thru this tunnel and dont have any issues. The main problem is that, our business partner have these printers that needs to communciate to a print server hosted within our private network. Whenever they are using these printers to do batch (continuous) printing, the printers print label-by-label instead which makes the print processing slow.

The business end setup their network in a way in which, the IP addresses of these printers (example 172.26.229.202) are natted to 172.20.104.96/27. And then, this 172.20.104.96/27 is again natted to 172.20.104.26/26 before it goes out of their IPSEC.

At our end, to build the tunnel, we would only allow this 172.20.104.26/26 subnet. We had joint troubleshooting and so far could not find any issue when it comes to the IPSEC connectivity. And so we did a wireshark capture at the switch where the printers are connected via SPAN.

On the packet capture, we are able to see a lot of TCP out of order, TCP Retransmissions, and couple of TCP Dup ACKs between the source 172.20.104.126 (business internal natted IP) and destination 172.26.229.202 (physical IP of the printer).

Although there are a lot of this out of order, retransmissions, and dup Acks, there seems to be no RST and so we wondering if this messages are just normal behavior due to the natting being done at our business end. However, if anyone has different interpretation and can point out what is really causing the printers at our business partner end to do label-by-label printing instead of batch/continuous printing, would really be much appreciated.

Below are samples of TCP Out of Order, TCP Retransmission and TCP Dup ACK messages. Sorry for the long read :) I feel i have the need to explain the whole setup for better feedback.

Many Thanks, Van +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TCP Out-of-order +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Frame 850: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0 Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}) Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8} Encapsulation type: Ethernet (1) Arrival Time: Feb 1, 2019 09:08:26.540981000 China Standard Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1548983306.540981000 seconds [Time delta from previous captured frame: 0.000022000 seconds] [Time delta from previous displayed frame: 0.000596000 seconds] [Time since reference or first frame: 30.552559000 seconds] Frame Number: 850 Frame Length: 90 bytes (720 bits) Capture Length: 90 bytes (720 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: Bad TCP] [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update] Ethernet II, Src: SoyalTec_00:82:e3 (00:13:57:00:82:e3), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb) Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb) Address: Intermec_57:8c:bb (00:10:40:57:8c:bb) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: SoyalTec_00:82:e3 (00:13:57:00:82:e3) Address: SoyalTec_00:82:e3 (00:13:57:00:82:e3) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 76 Identification: 0x3621 (13857) Flags: 0x4000, Don't fragment 0... .... .... .... = Reserved bit: Not set .1.. .... .... .... = Don't fragment: Set ..0. .... .... .... = More fragments: Not set ...0 0000 0000 0000 = Fragment offset: 0 Time to live: 62 Protocol: TCP (6) Header checksum: 0x6013 [validation disabled] [Header checksum status: Unverified] Source: 172.20.104.126 Destination: 172.26.229.202 Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 0, Len: 0 Source Port: 30012 Destination Port: 9100 [Stream index: 1] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) [Next sequence number: 0 (relative sequence number)] Acknowledgment number: 0 1110 .... = Header Length: 56 bytes (14) Flags: 0x002 (SYN) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...0 .... = Acknowledgment: Not set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 9100] [Connection establish request (SYN): server port 9100] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set [TCP Flags: ··········S·] Window size value: 5840 [Calculated window size: 5840] Checksum: 0x11a2 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 Options: (36 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale, Riverbed Probe, Riverbed Probe, No-Operation (NOP), End of Option List (EOL) TCP Option - Maximum segment size: 1460 bytes Kind: Maximum Segment Size (2) Length: 4 MSS Value: 1460 TCP Option - SACK permitted Kind: SACK Permitted (4) Length: 2 TCP Option - Timestamps: TSval 2775837880, TSecr 0 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 2775837880 Timestamp echo reply: 0 TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - Window scale: 2 (multiply by 4) Kind: Window Scale (3) Length: 3 Shift count: 2 [Multiplier: 4] TCP Option - Riverbed Probe: Probe Query, CSH IP: 172.16.40.8 Kind: Riverbed Probe (76) Length: 10 0000 .... = Type: 0 .... 0001 = Version: 1 Reserved: 0x01 CSH IP: 172.16.40.8 Application Version: 5 TCP Option - Riverbed Probe: Probe Query Info Kind: Riverbed Probe (76) Length: 4 0000 110. = Type: 6 .... ...0 = Version: 2 Probe Flags: 0x05 .... .1.. = Not CFE: Set .... ...1 = Last Notify: Set TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - End of Option List (EOL) Kind: End of Option List (0) [SEQ/ACK analysis] [iRTT: 0.019506000 seconds] [TCP Analysis Flags] [Expert Info (Warning/Sequence): This frame is a (suspected) out-of-order segment] [This frame is a (suspected) out-of-order segment] [Severity level: Warning] [Group: Sequence] [Timestamps] [Time since first frame in this TCP stream: 0.000596000 seconds] [Time since previous frame in this TCP stream: 0.000596000 seconds] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TCP Retransmission +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Frame 917: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0 Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}) Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8} Encapsulation type: Ethernet (1) Arrival Time: Feb 1, 2019 09:08:26.543396000 China Standard Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1548983306.543396000 seconds [Time delta from previous captured frame: 0.000022000 seconds] [Time delta from previous displayed frame: 0.000022000 seconds] [Time since reference or first frame: 30.554974000 seconds] Frame Number: 917 Frame Length: 90 bytes (720 bits) Capture Length: 90 bytes (720 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: Bad TCP] [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update] Ethernet II, Src: SoyalTec_00:82:e1 (00:13:57:00:82:e1), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb) Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb) Address: Intermec_57:8c:bb (00:10:40:57:8c:bb) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: SoyalTec_00:82:e1 (00:13:57:00:82:e1) Address: SoyalTec_00:82:e1 (00:13:57:00:82:e1) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 76 Identification: 0x3621 (13857) Flags: 0x4000, Don't fragment 0... .... .... .... = Reserved bit: Not set .1.. .... .... .... = Don't fragment: Set ..0. .... .... .... = More fragments: Not set ...0 0000 0000 0000 = Fragment offset: 0 Time to live: 60 Protocol: TCP (6) Header checksum: 0x6213 [validation disabled] [Header checksum status: Unverified] Source: 172.20.104.126 Destination: 172.26.229.202 Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 0, Len: 0 Source Port: 30012 Destination Port: 9100 [Stream index: 1] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) [Next sequence number: 0 (relative sequence number)] Acknowledgment number: 0 1110 .... = Header Length: 56 bytes (14) Flags: 0x002 (SYN) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...0 .... = Acknowledgment: Not set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 9100] [Connection establish request (SYN): server port 9100] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set [TCP Flags: ··········S·] Window size value: 5840 [Calculated window size: 5840] Checksum: 0x11a2 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 Options: (36 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale, Riverbed Probe, Riverbed Probe, No-Operation (NOP), End of Option List (EOL) TCP Option - Maximum segment size: 1460 bytes Kind: Maximum Segment Size (2) Length: 4 MSS Value: 1460 TCP Option - SACK permitted Kind: SACK Permitted (4) Length: 2 TCP Option - Timestamps: TSval 2775837880, TSecr 0 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 2775837880 Timestamp echo reply: 0 TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - Window scale: 2 (multiply by 4) Kind: Window Scale (3) Length: 3 Shift count: 2 [Multiplier: 4] TCP Option - Riverbed Probe: Probe Query, CSH IP: 172.16.40.8 Kind: Riverbed Probe (76) Length: 10 0000 .... = Type: 0 .... 0001 = Version: 1 Reserved: 0x01 CSH IP: 172.16.40.8 Application Version: 5 TCP Option - Riverbed Probe: Probe Query Info Kind: Riverbed Probe (76) Length: 4 0000 110. = Type: 6 .... ...0 = Version: 2 Probe Flags: 0x05 .... .1.. = Not CFE: Set .... ...1 = Last Notify: Set TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - End of Option List (EOL) Kind: End of Option List (0) [SEQ/ACK analysis] [iRTT: 0.019506000 seconds] [TCP Analysis Flags] [Expert Info (Note/Sequence): This frame is a (suspected) retransmission] [This frame is a (suspected) retransmission] [Severity level: Note] [Group: Sequence] [The RTO for this segment was: 0.003011000 seconds] [RTO based on delta from frame: 843] ------------------------> One thing we noticed about all the Retransmission packets, they refer to frame 843 [Timestamps] [Time since first frame in this TCP stream: 0.003011000 seconds] [Time since previous frame in this TCP stream: 0.000022000 seconds] +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Frame 843 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Frame 843: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0 Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}) Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8} Encapsulation type: Ethernet (1) Arrival Time: Feb 1, 2019 09:08:26.540385000 China Standard Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1548983306.540385000 seconds [Time delta from previous captured frame: 0.015030000 seconds] [Time delta from previous displayed frame: 0.000000000 seconds] [Time since reference or first frame: 30.551963000 seconds] Frame Number: 843 Frame Length: 90 bytes (720 bits) Capture Length: 90 bytes (720 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: TCP SYN/FIN] [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1] Ethernet II, Src: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb) Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb) Address: Intermec_57:8c:bb (00:10:40:57:8c:bb) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45) Address: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 76 Identification: 0x3621 (13857) Flags: 0x4000, Don't fragment 0... .... .... .... = Reserved bit: Not set .1.. .... .... .... = Don't fragment: Set ..0. .... .... .... = More fragments: Not set ...0 0000 0000 0000 = Fragment offset: 0 Time to live: 63 Protocol: TCP (6) Header checksum: 0x5f13 [validation disabled] [Header checksum status: Unverified] Source: 172.20.104.126 Destination: 172.26.229.202 Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 0, Len: 0 Source Port: 30012 Destination Port: 9100 [Stream index: 1] [TCP Segment Len: 0] Sequence number: 0 (relative sequence number) [Next sequence number: 0 (relative sequence number)] Acknowledgment number: 0 1110 .... = Header Length: 56 bytes (14) Flags: 0x002 (SYN) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...0 .... = Acknowledgment: Not set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..1. = Syn: Set [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 9100] [Connection establish request (SYN): server port 9100] [Severity level: Chat] [Group: Sequence] .... .... ...0 = Fin: Not set [TCP Flags: ··········S·] Window size value: 5840 [Calculated window size: 5840] Checksum: 0x11a2 [unverified] [Checksum Status: Unverified] Urgent pointer: 0 Options: (36 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale, Riverbed Probe, Riverbed Probe, No-Operation (NOP), End of Option List (EOL) TCP Option - Maximum segment size: 1460 bytes Kind: Maximum Segment Size (2) Length: 4 MSS Value: 1460 TCP Option - SACK permitted Kind: SACK Permitted (4) Length: 2 TCP Option - Timestamps: TSval 2775837880, TSecr 0 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 2775837880 Timestamp echo reply: 0 TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - Window scale: 2 (multiply by 4) Kind: Window Scale (3) Length: 3 Shift count: 2 [Multiplier: 4] TCP Option - Riverbed Probe: Probe Query, CSH IP: 172.16.40.8 Kind: Riverbed Probe (76) Length: 10 0000 .... = Type: 0 .... 0001 = Version: 1 Reserved: 0x01 CSH IP: 172.16.40.8 Application Version: 5 TCP Option - Riverbed Probe: Probe Query Info Kind: Riverbed Probe (76) Length: 4 0000 110. = Type: 6 .... ...0 = Version: 2 Probe Flags: 0x05 .... .1.. = Not CFE: Set .... ...1 = Last Notify: Set TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - End of Option List (EOL) Kind: End of Option List (0) [Timestamps] [Time since first frame in this TCP stream: 0.000000000 seconds] [Time since previous frame in this TCP stream: 0.000000000 seconds] ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TCP Dup Ack ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Frame 1482: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0 Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}) Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8} Encapsulation type: Ethernet (1) Arrival Time: Feb 1, 2019 09:08:26.582652000 China Standard Time [Time shift for this packet: 0.000000000 seconds] Epoch Time: 1548983306.582652000 seconds [Time delta from previous captured frame: 0.000023000 seconds] [Time delta from previous displayed frame: 0.000023000 seconds] [Time since reference or first frame: 30.594230000 seconds] Frame Number: 1482 Frame Length: 78 bytes (624 bits) Capture Length: 78 bytes (624 bits) [Frame is marked: False] [Frame is ignored: False] [Protocols in frame: eth:ethertype:ip:tcp] [Coloring Rule Name: Bad TCP] [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update] Ethernet II, Src: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb) Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb) Address: Intermec_57:8c:bb (00:10:40:57:8c:bb) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Source: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45) Address: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45) .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default) .... ...0 .... .... .... .... = IG bit: Individual address (unicast) Type: IPv4 (0x0800) Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202 0100 .... = Version: 4 .... 0101 = Header Length: 20 bytes (5) Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT) 0000 00.. = Differentiated Services Codepoint: Default (0) .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0) Total Length: 64 Identification: 0x3623 (13859) Flags: 0x4000, Don't fragment 0... .... .... .... = Reserved bit: Not set .1.. .... .... .... = Don't fragment: Set ..0. .... .... .... = More fragments: Not set ...0 0000 0000 0000 = Fragment offset: 0 Time to live: 63 Protocol: TCP (6) Header checksum: 0x5f1d [validation disabled] [Header checksum status: Unverified] Source: 172.20.104.126 Destination: 172.26.229.202 Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 1, Ack: 1, Len: 0 Source Port: 30012 Destination Port: 9100 [Stream index: 1] [TCP Segment Len: 0] Sequence number: 1 (relative sequence number) [Next sequence number: 1 (relative sequence number)] Acknowledgment number: 1 (relative ack number) 1011 .... = Header Length: 44 bytes (11) Flags: 0x010 (ACK) 000. .... .... = Reserved: Not set ...0 .... .... = Nonce: Not set .... 0... .... = Congestion Window Reduced (CWR): Not set .... .0.. .... = ECN-Echo: Not set .... ..0. .... = Urgent: Not set .... ...1 .... = Acknowledgment: Set .... .... 0... = Push: Not set .... .... .0.. = Reset: Not set .... .... ..0. = Syn: Not set .... .... ...0 = Fin: Not set [TCP Flags: ·······A····] Window size value: 1460 [Calculated window size: 5840] [Window size scaling factor: 4] Checksum: 0xd51a [unverified] [Checksum Status: Unverified] Urgent pointer: 0 Options: (24 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps, No-Operation (NOP), No-Operation (NOP), SACK TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - Timestamps: TSval 2775837922, TSecr 16458870 Kind: Time Stamp Option (8) Length: 10 Timestamp value: 2775837922 Timestamp echo reply: 16458870 TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - No-Operation (NOP) Kind: No-Operation (1) TCP Option - SACK 0-1 [SEQ/ACK analysis] [iRTT: 0.019506000 seconds] [TCP Analysis Flags] [This is a TCP duplicate ack] [Duplicate ACK #: 1] [Duplicate to the ACK in frame: 1481] [Expert Info (Note/Sequence): Duplicate ACK (#1)] [Duplicate ACK (#1)] [Severity level: Note] [Group: Sequence] [Timestamps] [Time since first frame in this TCP stream: 0.042267000 seconds] [Time since previous frame in this TCP stream: 0.000023000 seconds]

Need help in interpreting the wireshark log

Here's the scenario, we have a client connected to our network via IPSEC. In their network, they have printers which are intended to communciate to a print server hosted within our private network. IPSEC tunnels from both ends are up. Both the internet circuits from both ends to which these IPSEC are passing thru are also clean with no packet drops whatsoever. Besides, from both sites perspective, there are other applications passing thru this tunnel and dont have any issues. The main problem is that, our business partner have these printers that needs to communciate to a print server hosted within our private network. Whenever they are using these printers to do batch (continuous) printing, the printers print label-by-label instead which makes the print processing slow.

The business end setup their network in a way in which, the IP addresses of these printers (example 172.26.229.202) are natted to 172.20.104.96/27. And then, this 172.20.104.96/27 is again natted to 172.20.104.26/26 before it goes out of their IPSEC.

At our end, to build the tunnel, we would only allow this 172.20.104.26/26 subnet. We had joint troubleshooting and so far could not find any issue when it comes to the IPSEC connectivity. And so we did a wireshark capture at the switch where the printers are connected via SPAN.

On the packet capture, we are able to see a lot of TCP out of order, TCP Retransmissions, and couple of TCP Dup ACKs between the source 172.20.104.126 (business internal natted IP) and destination 172.26.229.202 (physical IP of the printer).

Although there are a lot of this out of order, retransmissions, and dup Acks, there seems to be no RST and so we wondering if this messages are just normal behavior due to the natting being done at our business end. However, if anyone has different interpretation and can point out what is really causing the printers at our business partner end to do label-by-label printing instead of batch/continuous printing, would really be much appreciated.

Below are samples of TCP Out of Order, TCP Retransmission and TCP Dup ACK messages. Sorry for the long read :) I feel i have the need to explain the whole setup for better feedback.

Many Thanks, Van +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TCP Out-of-order +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Frame 850: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
    Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8})
        Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb  1, 2019 09:08:26.540981000 China Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1548983306.540981000 seconds
    [Time delta from previous captured frame: 0.000022000 seconds]
    [Time delta from previous displayed frame: 0.000596000 seconds]
    [Time since reference or first frame: 30.552559000 seconds]
    Frame Number: 850
    Frame Length: 90 bytes (720 bits)
    Capture Length: 90 bytes (720 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: SoyalTec_00:82:e3 (00:13:57:00:82:e3), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb)
    Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        Address: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: SoyalTec_00:82:e3 (00:13:57:00:82:e3)
        Address: SoyalTec_00:82:e3 (00:13:57:00:82:e3)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 76
    Identification: 0x3621 (13857)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 62
    Protocol: TCP (6)
    Header checksum: 0x6013 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.20.104.126
    Destination: 172.26.229.202
Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 0, Len: 0
    Source Port: 30012
    Destination Port: 9100
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 0    (relative sequence number)]
    Acknowledgment number: 0
    1110 .... = Header Length: 56 bytes (14)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 9100]
                [Connection establish request (SYN): server port 9100]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window size value: 5840
    [Calculated window size: 5840]
    Checksum: 0x11a2 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (36 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale, Riverbed Probe, Riverbed Probe, No-Operation (NOP), End of Option List (EOL)
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
        TCP Option - Timestamps: TSval 2775837880, TSecr 0
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2775837880
            Timestamp echo reply: 0
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        TCP Option - Riverbed Probe: Probe Query, CSH IP: 172.16.40.8
            Kind: Riverbed Probe (76)
            Length: 10
            0000 .... = Type: 0
            .... 0001 = Version: 1
            Reserved: 0x01
            CSH IP: 172.16.40.8
            Application Version: 5
        TCP Option - Riverbed Probe: Probe Query Info
            Kind: Riverbed Probe (76)
            Length: 4
            0000 110. = Type: 6
            .... ...0 = Version: 2
            Probe Flags: 0x05
                .... .1.. = Not CFE: Set
                .... ...1 = Last Notify: Set
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - End of Option List (EOL)
            Kind: End of Option List (0)
    [SEQ/ACK analysis]
        [iRTT: 0.019506000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Warning/Sequence): This frame is a (suspected) out-of-order segment]
                [This frame is a (suspected) out-of-order segment]
                [Severity level: Warning]
                [Group: Sequence]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000596000 seconds]
        [Time since previous frame in this TCP stream: 0.000596000 seconds]

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TCP Retransmission +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Frame 917: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
    Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8})
        Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb  1, 2019 09:08:26.543396000 China Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1548983306.543396000 seconds
    [Time delta from previous captured frame: 0.000022000 seconds]
    [Time delta from previous displayed frame: 0.000022000 seconds]
    [Time since reference or first frame: 30.554974000 seconds]
    Frame Number: 917
    Frame Length: 90 bytes (720 bits)
    Capture Length: 90 bytes (720 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: SoyalTec_00:82:e1 (00:13:57:00:82:e1), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb)
    Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        Address: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: SoyalTec_00:82:e1 (00:13:57:00:82:e1)
        Address: SoyalTec_00:82:e1 (00:13:57:00:82:e1)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 76
    Identification: 0x3621 (13857)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 60
    Protocol: TCP (6)
    Header checksum: 0x6213 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.20.104.126
    Destination: 172.26.229.202
Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 0, Len: 0
    Source Port: 30012
    Destination Port: 9100
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 0    (relative sequence number)]
    Acknowledgment number: 0
    1110 .... = Header Length: 56 bytes (14)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 9100]
                [Connection establish request (SYN): server port 9100]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window size value: 5840
    [Calculated window size: 5840]
    Checksum: 0x11a2 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (36 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale, Riverbed Probe, Riverbed Probe, No-Operation (NOP), End of Option List (EOL)
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
        TCP Option - Timestamps: TSval 2775837880, TSecr 0
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2775837880
            Timestamp echo reply: 0
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        TCP Option - Riverbed Probe: Probe Query, CSH IP: 172.16.40.8
            Kind: Riverbed Probe (76)
            Length: 10
            0000 .... = Type: 0
            .... 0001 = Version: 1
            Reserved: 0x01
            CSH IP: 172.16.40.8
            Application Version: 5
        TCP Option - Riverbed Probe: Probe Query Info
            Kind: Riverbed Probe (76)
            Length: 4
            0000 110. = Type: 6
            .... ...0 = Version: 2
            Probe Flags: 0x05
                .... .1.. = Not CFE: Set
                .... ...1 = Last Notify: Set
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - End of Option List (EOL)
            Kind: End of Option List (0)
    [SEQ/ACK analysis]
        [iRTT: 0.019506000 seconds]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
                [This frame is a (suspected) retransmission]
                [Severity level: Note]
                [Group: Sequence]
            [The RTO for this segment was: 0.003011000 seconds]
            [RTO based on delta from frame: 843] ------------------------> One thing we noticed about all the Retransmission packets, they refer to frame 843
    [Timestamps]
        [Time since first frame in this TCP stream: 0.003011000 seconds]
        [Time since previous frame in this TCP stream: 0.000022000 seconds]

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Frame 843 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Frame 843: 90 bytes on wire (720 bits), 90 bytes captured (720 bits) on interface 0
    Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8})
        Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb  1, 2019 09:08:26.540385000 China Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1548983306.540385000 seconds
    [Time delta from previous captured frame: 0.015030000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 30.551963000 seconds]
    Frame Number: 843
    Frame Length: 90 bytes (720 bits)
    Capture Length: 90 bytes (720 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb)
    Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        Address: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45)
        Address: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 76
    Identification: 0x3621 (13857)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 63
    Protocol: TCP (6)
    Header checksum: 0x5f13 [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.20.104.126
    Destination: 172.26.229.202
Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 0, Len: 0
    Source Port: 30012
    Destination Port: 9100
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 0    (relative sequence number)]
    Acknowledgment number: 0
    1110 .... = Header Length: 56 bytes (14)
    Flags: 0x002 (SYN)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port 9100]
                [Connection establish request (SYN): server port 9100]
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ...0 = Fin: Not set
        [TCP Flags: ··········S·]
    Window size value: 5840
    [Calculated window size: 5840]
    Checksum: 0x11a2 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (36 bytes), Maximum segment size, SACK permitted, Timestamps, No-Operation (NOP), Window scale, Riverbed Probe, Riverbed Probe, No-Operation (NOP), End of Option List (EOL)
        TCP Option - Maximum segment size: 1460 bytes
            Kind: Maximum Segment Size (2)
            Length: 4
            MSS Value: 1460
        TCP Option - SACK permitted
            Kind: SACK Permitted (4)
            Length: 2
        TCP Option - Timestamps: TSval 2775837880, TSecr 0
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2775837880
            Timestamp echo reply: 0
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Window scale: 2 (multiply by 4)
            Kind: Window Scale (3)
            Length: 3
            Shift count: 2
            [Multiplier: 4]
        TCP Option - Riverbed Probe: Probe Query, CSH IP: 172.16.40.8
            Kind: Riverbed Probe (76)
            Length: 10
            0000 .... = Type: 0
            .... 0001 = Version: 1
            Reserved: 0x01
            CSH IP: 172.16.40.8
            Application Version: 5
        TCP Option - Riverbed Probe: Probe Query Info
            Kind: Riverbed Probe (76)
            Length: 4
            0000 110. = Type: 6
            .... ...0 = Version: 2
            Probe Flags: 0x05
                .... .1.. = Not CFE: Set
                .... ...1 = Last Notify: Set
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - End of Option List (EOL)
            Kind: End of Option List (0)
    [Timestamps]
        [Time since first frame in this TCP stream: 0.000000000 seconds]
        [Time since previous frame in this TCP stream: 0.000000000 seconds]

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ TCP Dup Ack ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Frame 1482: 78 bytes on wire (624 bits), 78 bytes captured (624 bits) on interface 0
    Interface id: 0 (\Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8})
        Interface name: \Device\NPF_{0F213131-B451-48ED-AA0D-C97B2C7BFFD8}
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb  1, 2019 09:08:26.582652000 China Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1548983306.582652000 seconds
    [Time delta from previous captured frame: 0.000023000 seconds]
    [Time delta from previous displayed frame: 0.000023000 seconds]
    [Time since reference or first frame: 30.594230000 seconds]
    Frame Number: 1482
    Frame Length: 78 bytes (624 bits)
    Capture Length: 78 bytes (624 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags && !tcp.analysis.window_update]
Ethernet II, Src: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45), Dst: Intermec_57:8c:bb (00:10:40:57:8c:bb)
    Destination: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        Address: Intermec_57:8c:bb (00:10:40:57:8c:bb)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45)
        Address: Cisco_2e:2e:45 (c8:f9:f9:2e:2e:45)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.20.104.126, Dst: 172.26.229.202
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 64
    Identification: 0x3623 (13859)
    Flags: 0x4000, Don't fragment
        0... .... .... .... = Reserved bit: Not set
        .1.. .... .... .... = Don't fragment: Set
        ..0. .... .... .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment offset: 0
    Time to live: 63
    Protocol: TCP (6)
    Header checksum: 0x5f1d [validation disabled]
    [Header checksum status: Unverified]
    Source: 172.20.104.126
    Destination: 172.26.229.202
Transmission Control Protocol, Src Port: 30012, Dst Port: 9100, Seq: 1, Ack: 1, Len: 0
    Source Port: 30012
    Destination Port: 9100
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 1    (relative ack number)
    1011 .... = Header Length: 44 bytes (11)
    Flags: 0x010 (ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······A····]
    Window size value: 1460
    [Calculated window size: 5840]
    [Window size scaling factor: 4]
    Checksum: 0xd51a [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (24 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps, No-Operation (NOP), No-Operation (NOP), SACK
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - Timestamps: TSval 2775837922, TSecr 16458870
            Kind: Time Stamp Option (8)
            Length: 10
            Timestamp value: 2775837922
            Timestamp echo reply: 16458870
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - No-Operation (NOP)
            Kind: No-Operation (1)
        TCP Option - SACK 0-1
    [SEQ/ACK analysis]
        [iRTT: 0.019506000 seconds]
        [TCP Analysis Flags]
            [This is a TCP duplicate ack]
        [Duplicate ACK #: 1]
        [Duplicate to the ACK in frame: 1481]
            [Expert Info (Note/Sequence): Duplicate ACK (#1)]
                [Duplicate ACK (#1)]
                [Severity level: Note]
                [Group: Sequence]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.042267000 seconds]
        [Time since previous frame in this TCP stream: 0.000023000 seconds]

seconds]