n j
2010-Feb-15 09:55 UTC
ACK and RST packets sent after successfully terminating TCP connection
Hi all,

I'm reposting this from the freebsd-questions hoping for some answers. I feel there is something wrong here, but would really appreciate a second opinion before opening a bug report. The problematic part is marked with [what is this?].

- in case of successful connection:

[begin handshake]
14:52:57.866040 IP client.example.net.6524 > server.example.net.9002: S 813851098:813851098(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
14:52:57.866057 IP server.example.net.9002 > client.example.net.6524: S 3888621507:3888621507(0) ack 813851099 win 65535 <mss 1380,nop,wscale 3,sackOK,eol>
14:52:57.867143 IP client.example.net.6524 > server.example.net.9002: . ack 3888621508 win 16560
[end handshake & begin data]
14:52:57.868333 IP client.example.net.6524 > server.example.net.9002: P 813851099:813852180(1081) ack 3888621508 win 16560
14:52:57.967858 IP server.example.net.9002 > client.example.net.6524: . ack 813852180 win 8144
14:53:35.533165 IP server.example.net.9002 > client.example.net.6524: P 3888621508:3888621542(34) ack 813852180 win 8144
[end data & begin teardown]
14:53:35.564542 IP server.example.net.9002 > client.example.net.6524: FP 3888621542:3888621675(133) ack 813852180 win 8280
14:53:35.566228 IP client.example.net.6524 > server.example.net.9002: . ack 3888621676 win 16518
14:53:35.566289 IP client.example.net.6524 > server.example.net.9002: F 813852180:813852180(0) ack 3888621676 win 16518
14:53:35.566318 IP server.example.net.9002 > client.example.net.6524: . ack 813852181 win 8279
[end teardown]
[what is this?]
14:53:36.172081 IP server.example.net.9002 > client.example.net.6524: . ack 813852180 win 0
14:53:36.172101 IP server.example.net.9002 > client.example.net.6524: . ack 813852181 win 8279

- in case of unsuccessful connection:

[begin handshake]
14:53:00.411337 IP client.example.net.6547 > server.example.net.9002: S 1055031875:1055031875(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK>
14:53:00.411354 IP server.example.net.9002 > client.example.net.6547: S 2849043653:2849043653(0) ack 1055031876 win 65535 <mss 1380,nop,wscale 3,sackOK,eol>
14:53:00.412242 IP client.example.net.6547 > server.example.net.9002: . ack 2849043654 win 16560
[end handshake & reset connection]
14:53:00.412251 IP server.example.net.9002 > client.example.net.6547: R 2849043654:2849043654(0) win 0
[what is this?]
14:53:01.168076 IP server.example.net.9002 > client.example.net.6547: . ack 1055031876 win 0
14:53:01.168100 IP server.example.net.9002 > client.example.net.6547: R 2849043654:2849043654(0) win 0
14:53:01.168393 IP client.example.net.6547 > server.example.net.9002: R 1055031876:1055031876(0) ack 2849043653 win 0

The server is running 7.2 GENERIC.

Thanks,
--
Nino
Jeremy Chadwick
2010-Feb-15 10:11 UTC
ACK and RST packets sent after successfully terminating TCP connection
On Mon, Feb 15, 2010 at 10:30:31AM +0100, n j wrote:
> Hi all,
>
> I'm reposting this from the freebsd-questions hoping for some answers.
> I feel there is something wrong here, but would really appreciate a
> second opinion before opening a bug report. The problematic part is
> marked with [what is this?].
>
> - in case of successful connection:
>
> [begin handshake]
> 14:52:57.866040 IP client.example.net.6524 > server.example.net.9002:
> S 813851098:813851098(0) win 8192 <mss 1380,nop,wscale
> 2,nop,nop,sackOK>
> 14:52:57.866057 IP server.example.net.9002 > client.example.net.6524:
> S 3888621507:3888621507(0) ack 813851099 win 65535 <mss
> 1380,nop,wscale 3,sackOK,eol>
> 14:52:57.867143 IP client.example.net.6524 > server.example.net.9002:
> . ack 3888621508 win 16560
> [end handshake & begin data]
> 14:52:57.868333 IP client.example.net.6524 > server.example.net.9002:
> P 813851099:813852180(1081) ack 3888621508 win 16560
> 14:52:57.967858 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852180 win 8144
> 14:53:35.533165 IP server.example.net.9002 > client.example.net.6524:
> P 3888621508:3888621542(34) ack 813852180 win 8144
> [end data & begin teardown]
> 14:53:35.564542 IP server.example.net.9002 > client.example.net.6524:
> FP 3888621542:3888621675(133) ack 813852180 win 8280
> 14:53:35.566228 IP client.example.net.6524 > server.example.net.9002:
> . ack 3888621676 win 16518
> 14:53:35.566289 IP client.example.net.6524 > server.example.net.9002:
> F 813852180:813852180(0) ack 3888621676 win 16518
> 14:53:35.566318 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852181 win 8279
> [end teardown]
> [what is this?]
> 14:53:36.172081 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852180 win 0
> 14:53:36.172101 IP server.example.net.9002 > client.example.net.6524:
> . ack 813852181 win 8279
>
> - in case of unsuccessful connection:
>
> [begin handshake]
> 14:53:00.411337 IP client.example.net.6547 > server.example.net.9002:
> S 1055031875:1055031875(0) win 8192 <mss 1380,nop,wscale
> 2,nop,nop,sackOK>
> 14:53:00.411354 IP server.example.net.9002 > client.example.net.6547:
> S 2849043653:2849043653(0) ack 1055031876 win 65535 <mss
> 1380,nop,wscale 3,sackOK,eol>
> 14:53:00.412242 IP client.example.net.6547 > server.example.net.9002:
> . ack 2849043654 win 16560
> [end handshake & reset connection]
> 14:53:00.412251 IP server.example.net.9002 > client.example.net.6547:
> R 2849043654:2849043654(0) win 0
> [what is this?]
> 14:53:01.168076 IP server.example.net.9002 > client.example.net.6547:
> . ack 1055031876 win 0
> 14:53:01.168100 IP server.example.net.9002 > client.example.net.6547:
> R 2849043654:2849043654(0) win 0
> 14:53:01.168393 IP client.example.net.6547 > server.example.net.9002:
> R 1055031876:1055031876(0) ack 2849043653 win 0
>
> The server is running 7.2 GENERIC.

Is it possible for you to upload these captures somewhere on the web?
tcpdump -p -i {iface} -s 0 -n -w {somefile} should be sufficient.

Thanks.

--
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
n j
2010-Feb-15 21:08 UTC
ACK and RST packets sent after successfully terminating TCP connection
Hello Jeremy,

> Is it possible for you to upload these captures somewhere on the web?
> tcpdump -p -i {iface} -s 0 -n -w {somefile} should be sufficient.

You can find the two pcaps at http://drop.io/llwiy8o. IP addresses and the data have been anonymized, everything else has been left intact.

There was no ICMP traffic between the hosts.

Thanks for looking into it!

Regards,
--
Nino
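
Added example, not part of the thread and not code from any participant: a small parser for the old-style tcpdump text shown in the first message that picks out the segments marked [what is this?], meaning any segment captured after both FINs were acknowledged or after a RST. The function name and the state layout are this example's own; the sample lines are the teardown portions of the posted traces, joined one packet per line.

```python
import re

# Old-style tcpdump text: time, src > dst, flags, optional seq range, optional ack, window.
LINE = re.compile(r'^(\S+) IP (\S+) > (\S+): (\S+) '
                  r'(?:(\d+):(\d+)\((\d+)\) )?(?:ack (\d+) )?win (\d+)')

def post_close_segments(lines):
    """Return (time, src, flags, ack, win) for segments seen after a connection closed."""
    conns, flagged = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, flags, _, seq_end, _, ack, win = m.groups()
        key = frozenset((src, dst))
        if flags == "S" and ack is None:
            conns.pop(key, None)          # fresh SYN: the port pair is being reused
        st = conns.setdefault(key, {"fin_next": {}, "fin_acked": set(), "closed": False})
        if st["closed"]:
            flagged.append((ts, src, flags, int(ack) if ack else None, int(win)))
            continue
        if "R" in flags:
            st["closed"] = True           # a reset ends the connection immediately
            continue
        if ack and st["fin_next"].get(dst) == int(ack):
            st["fin_acked"].add(dst)      # this segment acknowledges the peer's FIN
        if "F" in flags and seq_end:
            st["fin_next"][src] = int(seq_end) + 1   # FIN consumes one sequence number
        st["closed"] = len(st["fin_acked"]) == 2
    return flagged

# Teardown portion of both traces from the first message, one packet per line.
TRACE = """\
14:53:35.564542 IP server.example.net.9002 > client.example.net.6524: FP 3888621542:3888621675(133) ack 813852180 win 8280
14:53:35.566228 IP client.example.net.6524 > server.example.net.9002: . ack 3888621676 win 16518
14:53:35.566289 IP client.example.net.6524 > server.example.net.9002: F 813852180:813852180(0) ack 3888621676 win 16518
14:53:35.566318 IP server.example.net.9002 > client.example.net.6524: . ack 813852181 win 8279
14:53:36.172081 IP server.example.net.9002 > client.example.net.6524: . ack 813852180 win 0
14:53:36.172101 IP server.example.net.9002 > client.example.net.6524: . ack 813852181 win 8279
14:53:00.412251 IP server.example.net.9002 > client.example.net.6547: R 2849043654:2849043654(0) win 0
14:53:01.168076 IP server.example.net.9002 > client.example.net.6547: . ack 1055031876 win 0
14:53:01.168100 IP server.example.net.9002 > client.example.net.6547: R 2849043654:2849043654(0) win 0
14:53:01.168393 IP client.example.net.6547 > server.example.net.9002: R 1055031876:1055031876(0) ack 2849043653 win 0
"""

if __name__ == "__main__":
    for seg in post_close_segments(TRACE.splitlines()):
        print(seg)
```

The parser expects each packet on a single line, so wrapped output such as the quoted copy in the reply has to be rejoined first.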