Ethereal-users: Re: [Ethereal-users] Server-Client Discrepancy

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Date: Mon, 23 Jan 2006 16:09:24 -0800
I presume that your router is doing NAT translation.

When a NAT firewall router receives a TCP connection request (SYN) from the Internet, it creates a separate TCP connection from itself to the machine on the internal network, and the reverse when the connection request comes from an internal computer. It needs to do this because the IP address of the real internal machine is different from the IP address seen by the external machine, and also because it usually needs to change the port number. Each TCP connection that goes through a NAT router is therefore actually two separate TCP connections, one between the external machine and the router and one between the router and the internal machine.

When the router receives a packet from an external or internal connection, it sends that packet on the matching other connection with new source IP address and port. The sequence numbers might or might not be the same.

At 08:11 AM 1/23/2006, fonte fonte wrote:
Hi all.

I wish to have some inputs on my capture findings. Before that I will describe the case scenario.

Initially, I had an FTP server installed at my college; it was given a specific IP and went through the college gateway to the outside world. On the client side, I was using GPRS dial up to access my server, and I used Ethereal to capture at both sides while downloading the file.

After a while, the college decided they couldn't allow me to put my server there anymore due to some firewall issue etc. As a result, I relocated my server to my home and put it behind a Linksys wireless router and connected it through my broadband internet.

However, when I compared the captures I got from both situations, they differed somewhat. Basically, when my server was at my college, the server and client captures more or less matched each other (here I am referring to the Info column of the Ethereal display window). An example is the first SYN sent.

From server capture:
source = client, destination = server:
3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1380 TSV=0 TSER=0
In Packet Details pane, Options = 20 bytes

From client capture:
source = client, destination = server
3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1460 TSV=0 TSER=0
In Packet Details pane, Options = 20 bytes

Here, the only difference I notice is the MSS value. Why was the MSS value different?

I ran the two captures through tcptrace and I noticed a small amount of packet retransmissions. From the server capture, 5 packets were retransmitted on the server-to-client direction when downloading file. From the client capture, 2 packets were retransmitted on the server-to-client direction.

Now, when my server was relocated to my home, somehow the server and client captures differed greatly, and I know this is most probably due to the changed network architecture. Nevertheless, I wish for a detailed explanation of it. The example is again the first SYN sent.

From server capture:
source = client, destination = server:
23395 > ftp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1380
In Packet Details pane, Options = 4 bytes

From client capture:
source = client, destination = server
3031 > ftp [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460 TSV=0 TSER=0
In Packet Details pane, Options = 20 bytes

Here, port number, Win, MSS and Options values were different. Can anyone please help explain why? I hadn't changed any settings in both server-client systems.

On tcptrace, more bizarre findings. From the server capture, 3 packets were retransmitted in the server-to-client direction when downloading the file. From the client capture, 251 packets were retransmitted in the server-to-client direction. I am totally lost! In Ethereal, these are a mix of retransmitted and out-of-order packets. Please, anyone, any input is really appreciated.

One more thing: when I opened the client capture, the one containing all these retransmitted packets, I got the error 'The capture file appears to have been cut short in the middle of a packet'. I'm using version 0.10.13.

I hope my case is really clear. I had not attached any capture (one is about 1000+ KB) however if it is needed I would email it.

Any input, suggestion, comment, feedback is greatly appreciated.

Thanks all.
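As an added example (not code from either poster), the following Python script parses the Ethereal Info-column lines quoted in the thread and reports which fields of the first SYN differ between the client-side and server-side capture points; the notes produced by `explain()` follow the NAT explanation given in the reply and are a constructed interpretation, not part of the original messages.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ethereal/Wireshark TCP "Info" column, e.g.
#   "3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1380 TSV=0 TSER=0"
INFO_RE = re.compile(r"^(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\](?P<rest>.*)$")

# The four first-SYN summaries quoted in the thread (client capture / server capture).
COLLEGE_CLIENT = "3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1460 TSV=0 TSER=0"
COLLEGE_SERVER = "3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1380 TSV=0 TSER=0"
HOME_CLIENT = "3031 > ftp [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460 TSV=0 TSER=0"
HOME_SERVER = "23395 > ftp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1380"

Delta = Dict[str, Tuple[Optional[str], Optional[str]]]


def parse_info(info: str) -> Dict[str, str]:
    """Split one Info-column line into a field -> value mapping."""
    m = INFO_RE.match(info.strip())
    if m is None:
        raise ValueError(f"not a TCP Info line: {info!r}")
    fields = {"sport": m["sport"], "dport": m["dport"], "flags": m["flags"]}
    # Remaining "Key=Value" tokens: Seq, Ack, Win, Len, MSS, TSV, TSER, ...
    for key, val in re.findall(r"(\w+)=(\S+)", m["rest"]):
        fields[key] = val
    return fields


def diff_syn(client_side: str, server_side: str) -> Delta:
    """Return {field: (value at client, value at server)} for every field that differs
    between the two vantage points; a field present on one side only gets None."""
    a, b = parse_info(client_side), parse_info(server_side)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def explain(delta: Delta) -> List[str]:
    """Constructed reading of the differing fields, following the NAT explanation in the reply."""
    notes = []
    if "sport" in delta:
        notes.append("source port differs: the server sees a port chosen by the NAT router, not by the client")
    if "MSS" in delta:
        notes.append("MSS differs: a device in the path lowered the advertised MSS")
    if "Win" in delta:
        notes.append("window differs: the SYN the server received was rewritten or re-originated in the path")
    if any(k in delta and delta[k][1] is None for k in ("TSV", "TSER")):
        notes.append("timestamp option present at client but absent at server (20-byte vs 4-byte Options)")
    return notes
```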