Wireshark-users: Re: [Wireshark-users] tcpdump

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sat, 19 Jun 2010 15:02:26 -0700
On Jun 18, 2010, at 5:53 PM, Kaushal Shriyan wrote:

> root@host0130:~# tcpdump -r tcpdump
> reading from file tcpdump, link-type EN10MB (Ethernet)
> 13:51:20.256698 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530663 0,nop,wscale 7>
> 13:51:23.254569 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530963 0,nop,wscale 7>
> 13:51:29.254568 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052531563 0,nop,wscale 7>
> 13:51:41.254565 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052532763 0,nop,wscale 7>
> 13:52:05.254567 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052535163 0,nop,wscale 7>

Those appear to be repeated retransmissions of the same TCP segment.

> 13:52:35.633372 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 933727155:933727155(0) win 0

That appears to be a RST sent by AES-Static-IP.airtel.in - it doesn't seem to think the connection between host0130.example.com, port 36825, and AES-Static-IP.airtel.in, port 80, exists, even though host0130.example.com does think it exists, as it's sending a TCP segment for that connection.

> 13:52:53.254571 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052539963 0,nop,wscale 7>

host0130.example.com doesn't appear to have understood that AES-Static-IP.airtel.in is saying "that connection doesn't exist", as it persists in trying to send that TCP segment...

> 13:53:23.464374 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 458396600:458396600(0) win 0

...so AES-Static-IP.airtel.in tries again...

> 13:54:05.420054 IP host0130.example.com.35821 > AES-Static-IP.airtel.in.www: S 714058707:714058707(0) win 5840 <mss 1460,sackOK,timestamp 2052547179 0,nop,wscale 7>

...to no avail.

I don't know what link you're capturing on, but if you're not capturing on a link to which host0130 is directly connected or to which AES-Static-IP.airtel.in is directly connected, I suspect that the traffic from host0130 to AES-Static-IP.airtel.in is getting dropped by some host further along the route (so that the TCP segments it's sending aren't being seen by AES-Static-IP.airtel.in and thus not acked) and that the traffic from AES-Static-IP.airtel.in to host0130 is getting lost by some host further along the route (so that the RSTs it's sending aren't being seen by host0130).
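The checks Guy walks through by eye above (same SYN repeated with the same ISN, doubling intervals between repeats, no SYN-ACK ever arriving, RSTs from the far end) can be run mechanically over the tcpdump text. The script below is an added example, not code from the original post or from the Wireshark/tcpdump projects. It assumes the 2010-era `tcpdump -r` one-line TCP format quoted in the post (newer tcpdump prints `Flags [S], seq ...` and would need a different regex); the sample input is the quoted lines above with the `> ` prefix stripped. Beyond what the post states, it applies the RFC 793 reset-generation rule to classify each RST: a RST that answers a bare SYN carries sequence number 0 and an ACK, whereas a RST with a non-zero sequence number and no ACK answers a segment that itself carried an ACK, which here means a segment the capture never recorded.

```python
"""Classify the TCP segments in a tcpdump text dump: SYN retransmissions
(same 4-tuple and same ISN), their back-off spacing, whether a SYN-ACK
ever arrived, and what each RST is a reply to."""
import re
from collections import defaultdict

# Constructed sample input: the lines quoted in the post, without the "> ".
SAMPLE = """\
13:51:20.256698 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530663 0,nop,wscale 7>
13:51:23.254569 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530963 0,nop,wscale 7>
13:51:29.254568 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052531563 0,nop,wscale 7>
13:51:41.254565 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052532763 0,nop,wscale 7>
13:52:05.254567 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052535163 0,nop,wscale 7>
13:52:35.633372 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 933727155:933727155(0) win 0
13:52:53.254571 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052539963 0,nop,wscale 7>
13:53:23.464374 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 458396600:458396600(0) win 0
13:54:05.420054 IP host0130.example.com.35821 > AES-Static-IP.airtel.in.www: S 714058707:714058707(0) win 5840 <mss 1460,sackOK,timestamp 2052547179 0,nop,wscale 7>
"""

# Old-style tcpdump TCP line (assumed format):
# "<ts> IP <host.port> > <host.port>: <flags> <seq>:<end>(<len>) [ack <n>] win <w> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))? win \d+"
)


def parse(text):
    """Turn matching lines into dicts; lines in another format are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s = m["ts"].split(":")
        segs.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),   # seconds since midnight
            "src": tuple(m["src"].rsplit(".", 1)),          # (host, port); host may contain dots
            "dst": tuple(m["dst"].rsplit(".", 1)),
            "flags": m["flags"],
            "seq": int(m["seq"]),
            "ack": int(m["ack"]) if m["ack"] else None,
        })
    return segs


def is_exponential_backoff(gaps, tolerance=0.2):
    """True if every gap is (within tolerance) double the previous one, as a
    sender's SYN retransmission timer produces."""
    return len(gaps) >= 2 and all(abs(b - 2 * a) <= tolerance * b for a, b in zip(gaps, gaps[1:]))


def analyze(segs):
    """Report SYN retransmissions, back-off gaps, handshake completion and RST kinds."""
    syns = defaultdict(list)   # (src, dst, isn) -> list of timestamps
    synacks = set()            # (initiator, responder) pairs that got a SYN-ACK
    for s in segs:
        if s["flags"] == "S":
            syns[(s["src"], s["dst"], s["seq"])].append(s["t"])
        elif s["flags"] == "S.":
            synacks.add((s["dst"], s["src"]))
    report = {"syn_retransmits": {}, "backoff": {}, "answered": {}, "rst": []}
    for (src, dst, isn), times in syns.items():
        flow = f"{src[0]}.{src[1]} > {dst[0]}.{dst[1]} isn {isn}"
        report["syn_retransmits"][flow] = len(times) - 1      # same ISN again == retransmit
        report["backoff"][flow] = [round(b - a, 1) for a, b in zip(times, times[1:])]
        report["answered"][flow] = (src, dst) in synacks
    for s in segs:
        if "R" in s["flags"]:
            # RFC 793 reset generation: a RST answering a segment without ACK (a bare
            # SYN) has seq 0 and carries an ACK; a RST with non-zero seq and no ACK
            # answers a segment that carried an ACK, i.e. one not present in this capture.
            if s["seq"] == 0 and s["ack"] is not None:
                kind = "reply to SYN"
            else:
                kind = "reply to ACK-bearing segment not in capture"
            report["rst"].append((s["t"], f"{s['src'][0]}.{s['src'][1]} > {s['dst'][0]}.{s['dst'][1]}", kind))
    return report


if __name__ == "__main__":
    r = analyze(parse(SAMPLE))
    for flow, n in r["syn_retransmits"].items():
        gaps = r["backoff"][flow]
        print(f"{flow}: {n} retransmits, gaps {gaps}, exponential={is_exponential_backoff(gaps)}, "
              f"answered={r['answered'][flow]}")
    for t, flow, kind in r["rst"]:
        print(f"RST at {t:.3f}s {flow}: {kind}")
```

On the quoted capture this reports five retransmissions of the same SYN at 3, 6, 12, 24 and 48 second gaps (the doubling timer of the sending host), no SYN-ACK for either source port, and two RSTs that, by their non-zero sequence number and missing ACK, answer ACK-bearing segments the capture does not contain. Feed it `tcpdump -r file -n` output of the same vintage; with `-n` the host names become addresses but the line shape is unchanged.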