Ethereal-users: Re: [Ethereal-users] Server-Client Discrepancy

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: fonte fonte <fonte_monte@xxxxxxxxx>
Date: Wed, 25 Jan 2006 08:31:30 -0800 (PST)
Yes, the sequence number is different. Is there a way for me to trace and compare packets from the server side to the ones from the client side when they have different sequence numbers?

If I disable the NAT firewall, will it solve the above problem?

Thanks


To: Ethereal user support <ethereal-users@xxxxxxxxxxxx>
From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Subject: Re: [Ethereal-users] Server-Client Discrepancy

I presume that your router is doing NAT translation.

When a NAT firewall router receives a TCP connection request (SYN) from the
Internet, it creates a separate TCP connection from itself to the machine
on the internal network, and the reverse when the connection request comes
from an internal computer. It needs to do this because the IP address of
the real internal machine is different from the IP address seen by the
external machine, and also because it usually needs to change the port
number. Each TCP connection that goes through a NAT router is therefore
actually two separate TCP connections, one between the external machine and
the router and one between the router and the internal machine.

When the router receives a packet from an external or internal connection,
it sends that packet on the matching other connection with new source IP
address and port. The sequence numbers might or might not be the same.

At 08:11 AM 1/23/2006, fonte fonte wrote:
>Hi all.
>
>I wish to have some inputs on my capture findings. Before that I will
>describe the case scenario.
>
>Initially, I have an FTP server installed at my college, was given a
>specific IP for it and going through the college gateway to the outside
>world. On the client side, I was using GPRS dial up to access my server
>and I use Ethereal to capture at both sides while downloading the file.
>
>After a while, the college decided they couldn't allow me to put my server
>there anymore due to some firewall issue etc. As a result, I relocated my
>server to my home and put it behind a Linksys wireless router and
>connected it through my broadband internet.
>
>However, when I compared the captures I got from both situations, it
>differed somewhat. Basically, when my server was at my college,
>server-client captures more or less matched each other - this I refer to
>the Info column of Ethereal display window. Example is on the first SYN sent.
>
> From server capture:
>source = client, destination = server:
>3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1380 TSV=0 TSER=0
>In Packet Details pane, Options = 20 bytes
>
> From client capture:
>source = client, destination = server
>3050 > ftp [SYN] Seq=0 Ack=0 Win=32768 Len=0 MSS=1460 TSV=0 TSER=0
>In Packet Details pane, Options = 20 bytes
>
>Here, the only difference I notice is the MSS value. Why was the MSS value
>different?
>
>I ran the two captures through tcptrace and I noticed a small amount of
>packet retransmissions. From the server capture, 5 packets were
>retransmitted on the server-to-client direction when downloading file.
> From the client capture, 2 packets were retransmitted on the
>server-to-client direction.
>
>Now, when my server was relocated to my home, somehow the server-client
>captures differed greatly and I know this is most probably due to the
>changed network architecture. Nevertheless I wish for a detailed explanation
>on it. Example is also on the first SYN sent.
>
> From server capture:
>source = client, destination = server:
>23395 > ftp [SYN] Seq=0 Ack=0 Win=5840 Len=0 MSS=1380
>In Packet Details pane, Options = 4 bytes
>
> From client capture:
>source = client, destination = server
>3031 > ftp [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460 TSV=0 TSER=0
>In Packet Details pane, Options = 20 bytes
>
>Here, port number, Win, MSS and Options values were different. Can anyone
>please help explain why? I hadn't changed any settings in both
>server-client systems.
>
>On tcptrace, a more bizarre finding. From the server capture, 3 packets
>were retransmitted on the server-to-client direction when downloading
>file. From the client capture, 251 packets were retransmitted on the
>server-to-client direction. I am totally lost! In Ethereal, these are a
>mix of retransmitted and out-of-order packets. Please anyone, any input is
>really appreciated.
>
>One more thing, when I opened the client capture which consists of this
>too many retransmitted packets, I get an error 'The capture file appears
>to have been cut short in the middle of a packet'. I'm using version 0.10.13.
>
>I hope my case is really clear. I had not attached any capture (one is
>about 1000+ KB) however if it is needed I would email it.
>
>Any input, suggestion, comment, feedback is greatly appreciated.
>
>Thanks all.
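
Added example (not part of the original thread or of Ethereal): one way to line up data segments from a server-side and a client-side capture while ignoring the fields that differ between the two sides, namely ports and absolute sequence numbers. It assumes both captures contain the first data segment, that segment boundaries are unchanged in between, and that the sequence number does not wrap; the record layout and function names are hypothetical.

```python
import hashlib
from collections import Counter

# Constructed records: (src_port, dst_port, absolute_seq, payload).
# Ports mirror the SYN lines quoted in the thread; the rest is made up.
SERVER_CAP = [
    (21, 23395, 1000, b""),          # pure ACK, carries no data
    (21, 23395, 1000, b"block-0"),
    (21, 23395, 1007, b"block-1"),
    (21, 23395, 1014, b"block-2"),
    (21, 23395, 1007, b"block-1"),   # same segment seen twice at the server
    (21, 23395, 1021, b"block-3"),
]
CLIENT_CAP = [
    (21, 3031, 900000, b"block-0"),
    (21, 3031, 900014, b"block-2"),  # arrives before block-1
    (21, 3031, 900007, b"block-1"),
]                                    # block-3 is absent from this capture

def segment_keys(capture):
    """Count data segments by (offset from first data byte, payload digest).

    Ports and absolute sequence numbers are discarded on purpose, so the
    key is the same on both sides of an address/port translating device."""
    data = [(seq, payload) for _sport, _dport, seq, payload in capture if payload]
    if not data:
        return Counter()
    base = min(seq for seq, _ in data)   # assumes no 32-bit wraparound
    return Counter(
        (seq - base, hashlib.sha256(payload).hexdigest()[:16])
        for seq, payload in data
    )

def compare(server_cap, client_cap):
    """Report which segments both sides saw and how many were repeated."""
    s, c = segment_keys(server_cap), segment_keys(client_cap)
    return {
        "matched": sorted(off for off, _ in s.keys() & c.keys()),
        "server_only": sorted(off for off, _ in s.keys() - c.keys()),
        "client_only": sorted(off for off, _ in c.keys() - s.keys()),
        "server_retx": sum(n - 1 for n in s.values()),
        "client_retx": sum(n - 1 for n in c.values()),
    }

if __name__ == "__main__":
    for name, value in compare(SERVER_CAP, CLIENT_CAP).items():
        print(f"{name}: {value}")
```

Real input for the records can come from any per-packet export that carries the sequence number and the TCP payload bytes.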
