
Wireshark-users: Re: [Wireshark-users] TCP Port numbers reused

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 29 Aug 2008 13:17:34 +0200
On Fri, Aug 29, 2008 at 12:00:01PM +0200, Kenneth Bergholm wrote:

>    I'm new to Wireshark and trying to learn how to interpret/analyze the
>    data.
>    One thing I'm wondering about is the output TCP Port numbers reused.....
>    I see this from one particular IP net that uses our service and only for
>    that net, not any of the other nets that use our service.
>    I also see a lot of RST packages regarding that net. I'm analyzing the data
>    that goes through our router at the site.
>    How should I interpret the output TCP Port numbers reused?

It means that within the capture file that you are viewing with
Wireshark, there is a SYN packet seen with the same IP addresses
and ports for which traffic has already been seen.

In itself, this is no problem; it is perfectly legal to have two
TCP sessions after one another which have the same addresses and
ports, as long as the first session is terminated before the
second session begins.

>    What impact can it have for the clients on that net?

Well, the source and the destination system keep track of sessions,
so as long as they are OK with setting up sessions with the same
IP addresses and ports, there is no problem. But... firewalls,
load balancers, IDS systems and other systems that do something
active with the traffic might keep state information, even for a little
while after the session has been terminated. It could be that one of
those devices is sending out the RST packets because the new SYNs are
matching older sessions.

Have a look at the TCP timers (especially TIME_WAIT) if you think this
might be the source of the problem you are investigating.

Also, a typical client would run through a lot of source ports before
using the same source port again. So either these systems are opening a
lot of TCP sessions, or in fact the source IPs you see in your trace are
actually from a NAT device with many hosts behind it.

Hope this helps,
Cheers,
    Sake
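
The check described in this reply (a new SYN on an address/port pair that has already carried traffic, and whether it arrives while a stateful device may still hold the old session) can be sketched as follows. This is an added example, not part of the original message and not Wireshark's own code; the `Pkt` record layout, the 60-second hold time and the sample packets are constructed assumptions.

```python
from collections import namedtuple

# One captured TCP segment; flags is a string of letters such as "S", "SA", "FA", "R".
Pkt = namedtuple("Pkt", "t src sport dst dport flags seq")

HOLD_S = 60.0  # assumed state-hold time (e.g. TIME_WAIT) of the device under study


def find_port_reuse(packets, hold_s=HOLD_S):
    """Flag each new SYN on an address/port pair that already carried traffic."""
    convs = {}     # direction-independent key -> state of the latest session
    findings = []
    for p in sorted(packets, key=lambda p: p.t):
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        st = convs.get(key)
        new_syn = "S" in p.flags and "A" not in p.flags
        if new_syn and st and p.seq != st["syn_seq"]:  # same seq = SYN retransmission
            if st["closed"] is None:
                verdict = "previous session not closed in capture"
            elif p.t - st["closed"] < hold_s:
                verdict = "reused within hold time"
            else:
                verdict = "reused after hold time"
            findings.append((p.t, p.src, p.sport, verdict))
            st = None  # start tracking the new session
        if st is None:
            st = convs[key] = {"syn_seq": p.seq if new_syn else None, "closed": None}
        if "F" in p.flags or "R" in p.flags:
            st["closed"] = p.t  # time of the last FIN or RST seen
    return findings


SAMPLE = [  # constructed packets, not taken from a real capture
    Pkt(0.0, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 1000),
    Pkt(0.1, "192.0.2.10", 80, "10.0.0.5", 40000, "SA", 5000),
    Pkt(0.5, "10.0.0.6", 40001, "192.0.2.10", 80, "S", 1),
    Pkt(1.0, "10.0.0.5", 40000, "192.0.2.10", 80, "FA", 1200),
    Pkt(1.1, "192.0.2.10", 80, "10.0.0.5", 40000, "FA", 5300),
    Pkt(5.0, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 9000),     # 3.9 s after close
    Pkt(5.1, "192.0.2.10", 80, "10.0.0.5", 40000, "R", 0),        # reset in reply
    Pkt(8.0, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 9000),     # SYN retransmission
    Pkt(200.0, "10.0.0.5", 40000, "192.0.2.10", 80, "S", 20000),  # long after the RST
    Pkt(300.0, "10.0.0.6", 40001, "192.0.2.10", 80, "S", 2),      # no FIN/RST seen
]

if __name__ == "__main__":
    for finding in find_port_reuse(SAMPLE):
        print(finding)
```

A reuse reported as "within hold time" that is immediately followed by an RST is the pattern worth correlating with firewall or load balancer session timeouts.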