Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Same SEQ number but different ACKs

From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 13 Apr 2008 15:11:36 +0200
On Sun, Apr 13, 2008 at 08:39:04AM -0400, Sheahan, John wrote:
> I thought I was on to something with the SEQ numbers and ACKs but I was
> wrong so I'm back to the quesion of "why is my proxy server sending a
> RST at the end of every HTTPS conversation from one server?".
>  
> I tried running this through Wireshark's Expert and it came up with no
> errors, that would be the first way to rule out that SEQ numbers or ACKs
> were out being incorrectly sent by the application, correct? If so, I
> probably should have done this prior to my first post :-)

Not really, expert info is just a mechanism of pointing to interesting
frames in the capture file. It is not a quick check on the trace file
although sometimes using expert info might indeed point to a problem.

> I debugged my firewall and don't see any RSTs coming from my remote
> destination to my proxy, I only see the RSTs coming from my proxy to my
> client. I have sniffed other HTTPS conversations from other clients
> using the same Squid proxy but don't ever see any resets so I'm trying
> to figure out what is unique about these conversations. I also checked
> with the Squid forum and this is not any type of bug.

There are quite a few browser-workarounds in ssl session termination. So
it could be the browser version that triggers this behavior of the 
proxy sending RST packets. I know older versions of IE needed a RST
instead of clean ssl shutdown (Encrypted alert, FIN/ACK/FIN/ACK).

> Here is the a snippet of the conversation in text format:

It is more useful to send this as a capture file so that it can 
be loaded into wireshark for analysis. At least src and dst are 
really useful in determining what is really happening:

> Application Data
> 08:55:53.042000
> http-alt > 4694 [FIN, ACK] Seq=23503 Ack=966 Win=64860 Len=0
> 08:55:53.042000
> 4694 > http-alt [ACK] Seq=966 Ack=23503 Win=63900 Len=0
> 08:55:53.042000
> 4694 > http-alt [ACK] Seq=966 Ack=23504 Win=65462 Len=0
> 08:55:53.042000
> Encrypted Alert
> 08:55:53.042000
> 4694 > http-alt [FIN, ACK] Seq=989 Ack=23503 Win=65535 Len=0
> 08:55:53.042000
> http-alt > 4694 [RST] Seq=23504 Win=64860 Len=0
> 08:55:53.042999

Which direction did the "Encrypted Alert" go? Was it client to proxy?
Or proxy to client?

Cheers,
    Sake