
Ethereal-dev: [Ethereal-dev] Retransmissions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Don Lafontaine <lafont02@xxxxx>
Date: Wed, 15 Sep 2004 09:41:26 -0400
I ran across a small problem with retransmissions that are false positives.

Here are two packets, one of which was labelled a retransmission:

---------------------------------------[Snip]------------------------------------------------------------------------
No. Time     Source         Destination    Protocol Info
16  0.107557 165.115.62.75  216.240.70.39  SSLv3    Continuation Data, [Unreassembled Packet]

Frame 16 (594 bytes on wire, 594 bytes captured)
Ethernet II, Src: 00:30:48:2a:57:69, Dst: 00:50:5a:73:3e:01
Internet Protocol, Src Addr: 165.115.62.75 (165.115.62.75), Dst Addr: 216.240.70.39 (216.240.70.39)
Transmission Control Protocol, Src Port: https (443), Dst Port: 1131 (1131), Seq: 1072, Ack: 0, Len: 536
   Source port: https (443)
   Destination port: 1131 (1131)
   Sequence number: 1072    (relative sequence number)
   Next sequence number: 1608    (relative sequence number)
   Acknowledgement number: 0    (relative ack number)
   Header length: 20 bytes
   Flags: 0x0010 (ACK)
   Window size: 5840
   Checksum: 0x1dd3 (correct)
Secure Socket Layer
[Unreassembled Packet: SSL]

No. Time     Source         Destination    Protocol Info
19  0.109021 165.115.62.75  216.240.70.39  SSLv3    [TCP Retransmission] Continuation Data, [Unreassembled Packet]

Frame 19 (594 bytes on wire, 594 bytes captured)
Ethernet II, Src: 00:a0:8e:77:e6:19, Dst: 00:a0:8e:77:a5:75
Internet Protocol, Src Addr: 165.115.62.75 (165.115.62.75), Dst Addr: 216.240.70.39 (216.240.70.39)
Transmission Control Protocol, Src Port: https (443), Dst Port: 1131 (1131), Seq: 1072, Ack: 0, Len: 536
   Source port: https (443)
   Destination port: 1131 (1131)
   Sequence number: 1072    (relative sequence number)
   Next sequence number: 1608    (relative sequence number)
   Acknowledgement number: 0    (relative ack number)
   Header length: 20 bytes
   Flags: 0x0010 (ACK)
   Window size: 5840
   Checksum: 0x1dd3 (correct)
   SEQ/ACK analysis
Secure Socket Layer
[Unreassembled Packet: SSL]

---------------------------------------------------------[EOS]--------------------------------------------------------------

The problem is that this packet is only a retransmission at the TCP level, but in actual fact it is a copy of a packet between completely different MAC addresses. The reason I am seeing this is because of load balanced firewalls exchanging each packet between themselves. Let's not talk about the evilness of this occurring on the network, but look at possibly changing the way ethereal decides if a packet is a retransmission.

Don Lafontaine
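The check the message asks for, written out as an added example (this is not Ethereal's or Wireshark's own code, and the sequence-number test below is a deliberately simplified stand-in for the analyser's real heuristic): a segment whose payload lies entirely below the highest "next sequence number" already seen on the flow is a candidate retransmission, but if the identical segment was first seen between a different source/destination MAC pair it is reported as a link-layer duplicate instead. Frames 16 and 19 are taken from the capture above; frames 21 and 23, the Frame dataclass and all function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    """The fields of one captured TCP segment that the check needs (constructed type)."""
    num: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int      # relative sequence number
    length: int   # TCP payload length in bytes


NEW_DATA = "new data"
RETRANSMISSION = "retransmission"
L2_DUPLICATE = "duplicate via different MAC pair (not a TCP retransmission)"

FlowKey = Tuple[str, int, str, int]
SegmentKey = Tuple[str, int, str, int, int, int]


def classify_frames(frames: List[Frame]) -> Dict[int, str]:
    """Label every frame as new data, a retransmission, or a link-layer duplicate."""
    # Highest "next sequence number" seen so far, per flow.
    next_seq: Dict[FlowKey, int] = {}
    # MAC pair that first carried each (flow, seq, length) segment.
    mac_of_segment: Dict[SegmentKey, Tuple[str, str]] = {}
    labels: Dict[int, str] = {}

    for f in sorted(frames, key=lambda x: x.num):
        flow: FlowKey = (f.src_ip, f.sport, f.dst_ip, f.dport)
        segment: SegmentKey = flow + (f.seq, f.length)
        highest = next_seq.get(flow, 0)

        if f.length > 0 and f.seq + f.length <= highest:
            # Payload lies entirely below data already seen: the TCP-level
            # test alone would call this a retransmission.
            first_macs = mac_of_segment.get(segment)
            if first_macs is not None and first_macs != (f.src_mac, f.dst_mac):
                # Same TCP segment, but it travelled between different
                # link-layer endpoints: a copy of the packet, not a resend.
                labels[f.num] = L2_DUPLICATE
            else:
                labels[f.num] = RETRANSMISSION
        else:
            labels[f.num] = NEW_DATA
            next_seq[flow] = max(highest, f.seq + f.length)
            mac_of_segment.setdefault(segment, (f.src_mac, f.dst_mac))

    return labels


def sample_frames() -> List[Frame]:
    """Frames 16 and 19 from the capture; 21 and 23 are constructed."""
    server, client = "165.115.62.75", "216.240.70.39"
    return [
        Frame(16, "00:30:48:2a:57:69", "00:50:5a:73:3e:01", server, client, 443, 1131, 1072, 536),
        # Same TCP segment, different MAC pair (the firewall-to-firewall copy).
        Frame(19, "00:a0:8e:77:e6:19", "00:a0:8e:77:a5:75", server, client, 443, 1131, 1072, 536),
        # Constructed: the next segment of the same flow.
        Frame(21, "00:30:48:2a:57:69", "00:50:5a:73:3e:01", server, client, 443, 1131, 1608, 100),
        # Constructed: a genuine resend of frame 16 over the same MAC pair.
        Frame(23, "00:30:48:2a:57:69", "00:50:5a:73:3e:01", server, client, 443, 1131, 1072, 536),
    ]


if __name__ == "__main__":
    for num, label in sorted(classify_frames(sample_frames()).items()):
        print(f"frame {num}: {label}")
```

Only the first sighting of a segment records its MAC pair, so a later copy is judged against the path the data originally took; a true retransmission from the same host over the same link keeps the retransmission label, which is the behaviour a detection rule keyed on retransmission counts would want.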