
Wireshark-users: Re: [Wireshark-users] Bad TCP - Why ?

From: Forthofer Russ <Russ.Forthofer@xxxxxxxxx>
Date: Thu, 18 Feb 2010 08:28:19 -0500
I don't believe it is necessarily indicating a problem - rather it is indicating that tcp.analysis exists in the packet - i.e., Expert Info is available. The same rule would fire for conditions such as duplicate ack, previous segment lost and tcp out of order. You can change the colorization by placing more specific rules in the colorization rules (in front of "Bad TCP") or by disabling this particular rule or by adding conditions to the "Bad TCP" rule where you don't want the rule fired.


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Steve Smith
Sent: Thursday, February 18, 2010 4:06 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] Bad TCP - Why ?

Hello Folks

Can anyone tell me why Wireshark decides these TCP keep-alives are bad? It's not the checksum.

Any help would be much appreciated.

Below is an export of packets 28-31

Thanks for any assistance.


No.     Time        Source                Destination           Protocol Info
     28 52.431700   10.160.104.6          10.160.120.202        TCP      [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0

Frame 28 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:45.717539000
    [Time delta from previous captured frame: 7.198603000 seconds]
    [Time delta from previous displayed frame: 7.198603000 seconds]
    [Time since reference or first frame: 52.431700000 seconds]
    Frame Number: 28
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
    Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0565 (1381)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 60
    Protocol: TCP (0x06)
    Header checksum: 0x82f3 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.104.6 (10.160.104.6)
    Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
    Source port: 1124 (1124)
    Destination port: 4000 (4000)
    [Stream index: 0]
    Sequence number: 454    (relative sequence number)
    Acknowledgement number: 93    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x94af [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 27]
        [The RTT to ACK the segment was: 7.198603000 seconds]
        [TCP Analysis Flags]
            [This is a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive]
                    [Message: Keep-Alive]
                    [Severity level: Note]
                    [Group: Sequence]



No.     Time        Source                Destination           Protocol Info
     29 52.468294   10.160.120.202        10.160.104.6          TCP      [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0

Frame 29 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:45.754133000
    [Time delta from previous captured frame: 0.036594000 seconds]
    [Time delta from previous displayed frame: 0.036594000 seconds]
    [Time since reference or first frame: 52.468294000 seconds]
    Frame Number: 29
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
    Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xec02 (60418)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (0x06)
    Header checksum: 0x5b55 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.120.202 (10.160.120.202)
    Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
    Source port: 4000 (4000)
    Destination port: 1124 (1124)
    [Stream index: 0]
    Sequence number: 93    (relative sequence number)
    Acknowledgement number: 455    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x80ae [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is an ACK to a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive ACK]
                    [Message: Keep-Alive ACK]
                    [Severity level: Note]
                    [Group: Sequence]



No.     Time        Source                Destination           Protocol Info
     30 59.931091   10.160.104.6          10.160.120.202        TCP      [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0

Frame 30 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:53.216930000
    [Time delta from previous captured frame: 7.462797000 seconds]
    [Time delta from previous displayed frame: 7.462797000 seconds]
    [Time since reference or first frame: 59.931091000 seconds]
    Frame Number: 30
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
    Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xf3b3 (62387)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 60
    Protocol: TCP (0x06)
    Header checksum: 0x94a4 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.104.6 (10.160.104.6)
    Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
    Source port: 1124 (1124)
    Destination port: 4000 (4000)
    [Stream index: 0]
    Sequence number: 454    (relative sequence number)
    Acknowledgement number: 93    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x94af [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 29]
        [The RTT to ACK the segment was: 7.462797000 seconds]
        [TCP Analysis Flags]
            [This is a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive]
                    [Message: Keep-Alive]
                    [Severity level: Note]
                    [Group: Sequence]



No.     Time        Source                Destination           Protocol Info
     31 59.939739   10.160.120.202        10.160.104.6          TCP      [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0

Frame 31 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:53.225578000
    [Time delta from previous captured frame: 0.008648000 seconds]
    [Time delta from previous displayed frame: 0.008648000 seconds]
    [Time since reference or first frame: 59.939739000 seconds]
    Frame Number: 31
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
    Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xec04 (60420)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (0x06)
    Header checksum: 0x5b53 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.120.202 (10.160.120.202)
    Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
    Source port: 4000 (4000)
    Destination port: 1124 (1124)
    [Stream index: 0]
    Sequence number: 93    (relative sequence number)
    Acknowledgement number: 455    (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x80ae [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is an ACK to a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive ACK]
                    [Message: Keep-Alive ACK]
                    [Severity level: Note]
                    [Group: Sequence]





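Added worked example (editor's addition, not part of the thread and not Wireshark's own code): a simplified Python model of the SEQ/ACK heuristics that put the "Keep-Alive" and "Keep-Alive ACK" notes on frames 28-31, run over those four frames plus three constructed ones, with the original "Bad TCP" rule string (`tcp.analysis.flags`) and a triaged variant evaluated side by side. The seed state for the flow is an assumption derived from the relative Seq/Ack/Win values in the post, since frames 1-27 are not shown; frames 32-34 and the retransmission/window-update checks are constructed illustrations, not a faithful copy of Wireshark's packet-tcp.c.

```python
"""Why Wireshark's "Bad TCP" colouring rule fires on TCP keep-alives.

The rule string is just `tcp.analysis.flags`, which matches ANY segment that
received a SEQ/ACK analysis flag, benign Keep-Alive notes included.  The class
below is a simplified re-implementation (an assumption, not Wireshark's own
code) of the keep-alive, keep-alive-ACK, retransmission and window-update
heuristics, so the two kinds of "flagged" segment can be told apart.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    frame: int
    src: str
    dst: str
    seq: int      # relative sequence number, as Wireshark shows it
    ack: int      # relative acknowledgement number
    length: int   # TCP payload length in bytes
    flags: int
    window: int


@dataclass
class Direction:
    """State kept per sender, like Wireshark's per-direction analysis."""
    nextseq: int = 0    # sequence number this sender should use next
    lastack: int = 0    # last ACK value this sender put on the wire
    window: int = 0     # last window this sender advertised
    last_flags: Set[str] = field(default_factory=set)


class TcpAnalyzer:
    def __init__(self, seed: Dict[str, Direction]) -> None:
        self.dirs = seed

    def analyze(self, s: Segment) -> Set[str]:
        fwd, rev = self.dirs[s.src], self.dirs[s.dst]
        out: Set[str] = set()
        not_ctrl = (s.flags & (SYN | FIN | RST)) == 0

        # Keep-alive: 0 or 1 payload bytes, sequence number one below the
        # next expected one, not SYN/FIN/RST.  Frames 28 and 30 (Seq=454
        # while the peer has already ACKed 455) fit this exactly.
        if s.length in (0, 1) and s.seq == fwd.nextseq - 1 and not_ctrl:
            out.add("keep_alive")
        # Keep-alive ACK: a pure ACK repeating the previous ACK and window,
        # sent right after a keep-alive from the other side (frames 29, 31).
        elif (s.length == 0 and s.window and s.window == fwd.window
              and s.seq == fwd.nextseq and s.ack == fwd.lastack
              and "keep_alive" in rev.last_flags and not_ctrl):
            out.add("keep_alive_ack")
        # Retransmission (simplified): payload lies entirely below nextseq.
        elif s.length > 0 and s.seq + s.length <= fwd.nextseq:
            out.add("retransmission")
        # Window update: pure ACK whose only change is the window field.
        elif (s.length == 0 and s.seq == fwd.nextseq and s.ack == fwd.lastack
              and s.window != fwd.window and not_ctrl):
            out.add("window_update")

        if s.length > 0:
            fwd.nextseq = max(fwd.nextseq, s.seq + s.length)
        fwd.lastack, fwd.window, fwd.last_flags = s.ack, s.window, out
        return out


def bad_tcp_original(flags: Set[str]) -> bool:
    """The rule string from the post: `tcp.analysis.flags`."""
    return bool(flags)


BENIGN = {"keep_alive", "keep_alive_ack", "window_update"}


def bad_tcp_triaged(flags: Set[str]) -> bool:
    """`tcp.analysis.flags && !tcp.analysis.keep_alive &&
    !tcp.analysis.keep_alive_ack && !tcp.analysis.window_update`"""
    return bool(flags - BENIGN)


A, B = "10.160.104.6", "10.160.120.202"


def seed_state() -> Dict[str, Direction]:
    # Frames 1-27 are not on the page: this seed is an assumption derived
    # from the relative Seq/Ack/Win values visible in frames 28-31.
    return {A: Direction(nextseq=455, lastack=93, window=3072),
            B: Direction(nextseq=93, lastack=455, window=8192)}


# Frames 28-31 are transcribed from the post; 32-34 are constructed to show
# one segment that is flagged for a real reason and one that is not flagged.
SAMPLE: List[Segment] = [
    Segment(28, A, B, 454, 93, 0, ACK, 3072),
    Segment(29, B, A, 93, 455, 0, ACK, 8192),
    Segment(30, A, B, 454, 93, 0, ACK, 3072),
    Segment(31, B, A, 93, 455, 0, ACK, 8192),
    Segment(32, B, A, 93, 455, 10, ACK | PSH, 8192),  # constructed: new data
    Segment(33, B, A, 93, 455, 10, ACK | PSH, 8192),  # constructed: same data again
    Segment(34, A, B, 455, 103, 0, ACK, 3072),        # constructed: ordinary ACK
]


def run(segments: List[Segment]) -> List[Tuple[int, Set[str], bool, bool]]:
    """Return (frame, flags, matches original rule, matches triaged rule)."""
    an = TcpAnalyzer(seed_state())
    rows = []
    for s in segments:
        flags = an.analyze(s)
        rows.append((s.frame, flags, bad_tcp_original(flags), bad_tcp_triaged(flags)))
    return rows


if __name__ == "__main__":
    for frame, flags, orig, triaged in run(SAMPLE):
        print(f"frame {frame}: {sorted(flags) or '-'}  Bad TCP={orig}  triaged={triaged}")
```

Frames 28-31 and the constructed retransmission all match the original rule string, which is exactly what Steve saw; only the retransmission survives the triaged predicate. The same split can be had in Wireshark itself either as a display filter (`tcp.analysis.flags && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack`) or, as Russ describes, under View > Coloring Rules by adding a rule on `tcp.analysis.keep_alive || tcp.analysis.keep_alive_ack` above "Bad TCP" (the first matching rule wins) or by appending those negated terms to the "Bad TCP" rule. Check the default rule on your own build before editing it: later releases already exclude these benign notes.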