From: Bit Gossip (bit.gossip@chello.nl)
Date: Wed Mar 18 2009 - 13:46:40 ART
This is a nasty one....
It is an excerpt from an ftp session from 100.100.183.204 to
100.100.171.254 where 254 is downloading a big file from 204.
204 sends chunks of data and 254 acks them.
All the acknowledgments from 254 have seq=1 because they don't contain
data, and 204 apparently acknowledges them by setting ACK flag and ACK=1
(=seq number) in its data packets. This is strange but still ok.
Why then is 204 (the data sender, not receiver) sending a duplicate ack
for seq=1?
Hope someone can help me.......
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
No. Time Source Destination Protocol
Info
136 20.816004 100.100.183.204 100.100.171.254
FTP-DATA FTP Data: 1448 bytes
Frame 136 (1514 bytes on wire, 96 bytes captured)
Arrival Time: Mar 18, 2009 12:14:22.083304000
[Time delta from previous captured frame: 0.000004000 seconds]
[Time delta from previous displayed frame: 0.000004000 seconds]
[Time since reference or first frame: 20.816004000 seconds]
Frame Number: 136
Frame Length: 1514 bytes
Capture Length: 96 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp:ftp-data]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
<...>
Internet Protocol, Src: 100.100.183.204 (100.100.183.204), Dst:
100.100.171.254 (100.100.171.254)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
0x00)
0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1500
Identification: 0x16e0 (5856)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x100c [correct]
[Good: True]
[Bad : False]
Source: 100.100.183.204 (100.100.183.204)
Destination: 100.100.171.254 (100.100.171.254)
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 62304
(62304), Seq: 110049, Ack: 1, Len: 1448
Source port: ftp-data (20)
Destination port: 62304 (62304)
Sequence number: 110049 (relative sequence number)
[Next sequence number: 111497 (relative sequence number)]
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840 (scaled)
Checksum: 0x13f7 [unchecked, not all data available]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 3203281847, TSecr 3574178296
FTP Data
FTP Data: .\325\020\326=#2j\021\000@~\005\000\000\000\000\000\366
\375\356r\000\000\021\022\001\000\376D
No. Time Source Destination Protocol
Info
137 20.816357 100.100.171.254 100.100.183.204 TCP
62304 > ftp-data [ACK] Seq=1 Ack=63713 Win=65160 Len=0 TSV=3574178294
TSER=3203281821
Frame 137 (66 bytes on wire, 66 bytes captured)
Arrival Time: Mar 18, 2009 12:14:22.083657000
[Time delta from previous captured frame: 0.000353000 seconds]
[Time delta from previous displayed frame: 0.000353000 seconds]
[Time since reference or first frame: 20.816357000 seconds]
Frame Number: 137
Frame Length: 66 bytes
Capture Length: 66 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Internet Protocol, Src: 100.100.171.254 (100.100.171.254), Dst:
100.100.183.204 (100.100.183.204)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
0x00)
0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x5a77 (23159)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 62
Protocol: TCP (0x06)
Header checksum: 0xd41c [correct]
[Good: True]
[Bad : False]
Source: 100.100.171.254 (100.100.171.254)
Destination: 100.100.183.204 (100.100.183.204)
Transmission Control Protocol, Src Port: 62304 (62304), Dst Port:
ftp-data (20), Seq: 1, Ack: 63713, Len: 0
Source port: 62304 (62304)
Destination port: ftp-data (20)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 63713 (relative ack number)
Header length: 32 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65160 (scaled)
Checksum: 0x1b67 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 3574178294, TSecr 3203281821
No. Time Source Destination Protocol
Info
138 20.816365 100.100.183.204 100.100.171.254 TCP
[TCP Dup ACK 136#1] ftp-data > 62304 [ACK] Seq=111497 Ack=1 Win=5840
Len=0 TSV=3203281847 TSER=3574178296
Frame 138 (66 bytes on wire, 66 bytes captured)
Arrival Time: Mar 18, 2009 12:14:22.083665000
[Time delta from previous captured frame: 0.000008000 seconds]
[Time delta from previous displayed frame: 0.000008000 seconds]
[Time since reference or first frame: 20.816365000 seconds]
Frame Number: 138
Frame Length: 66 bytes
Capture Length: 66 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Internet Protocol, Src: 100.100.183.204 (100.100.183.204), Dst:
100.100.171.254 (100.100.171.254)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
0x00)
0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x16e2 (5858)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x15b2 [correct]
[Good: True]
[Bad : False]
Source: 100.100.183.204 (100.100.183.204)
Destination: 100.100.171.254 (100.100.171.254)
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 62304
(62304), Seq: 111497, Ack: 1, Len: 0
Source port: ftp-data (20)
Destination port: 62304 (62304)
Sequence number: 111497 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840 (scaled)
Checksum: 0xda32 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 3203281847, TSecr 3574178296
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 137]
[The RTT to ACK the segment was: 0.000008000 seconds]
[TCP Analysis Flags]
[This is a TCP duplicate ack]
[Duplicate ACK #: 1]
[Duplicate to the ACK in frame: 136]
No. Time Source Destination Protocol
Info
139 20.816483 100.100.171.254 100.100.183.204 TCP
62304 > ftp-data [ACK] Seq=1 Ack=65161 Win=66608 Len=0 TSV=3574178294
TSER=3203281825
Frame 139 (66 bytes on wire, 66 bytes captured)
Arrival Time: Mar 18, 2009 12:14:22.083783000
[Time delta from previous captured frame: 0.000118000 seconds]
[Time delta from previous displayed frame: 0.000118000 seconds]
[Time since reference or first frame: 20.816483000 seconds]
Frame Number: 139
Frame Length: 66 bytes
Capture Length: 66 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Internet Protocol, Src: 100.100.171.254 (100.100.171.254), Dst:
100.100.183.204 (100.100.183.204)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
0x00)
0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x5a78 (23160)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 62
Protocol: TCP (0x06)
Header checksum: 0xd41b [correct]
[Good: True]
[Bad : False]
Source: 100.100.171.254 (100.100.171.254)
Destination: 100.100.183.204 (100.100.183.204)
Transmission Control Protocol, Src Port: 62304 (62304), Dst Port:
ftp-data (20), Seq: 1, Ack: 65161, Len: 0
Source port: 62304 (62304)
Destination port: ftp-data (20)
Sequence number: 1 (relative sequence number)
Acknowledgement number: 65161 (relative ack number)
Header length: 32 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 66608 (scaled)
Checksum: 0x12e7 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 3574178294, TSecr 3203281825
No. Time Source Destination Protocol
Info
140 20.816490 100.100.183.204 100.100.171.254 TCP
[TCP Dup ACK 136#2] ftp-data > 62304 [ACK] Seq=111497 Ack=1 Win=5840
Len=0 TSV=3203281847 TSER=3574178296
Frame 140 (66 bytes on wire, 66 bytes captured)
Arrival Time: Mar 18, 2009 12:14:22.083790000
[Time delta from previous captured frame: 0.000007000 seconds]
[Time delta from previous displayed frame: 0.000007000 seconds]
[Time since reference or first frame: 20.816490000 seconds]
Frame Number: 140
Frame Length: 66 bytes
Capture Length: 66 bytes
[Frame is marked: True]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Internet Protocol, Src: 100.100.183.204 (100.100.183.204), Dst:
100.100.171.254 (100.100.171.254)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x08 (DSCP 0x02: Unknown DSCP; ECN:
0x00)
0000 10.. = Differentiated Services Codepoint: Unknown (0x02)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x16e4 (5860)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (0x06)
Header checksum: 0x15b0 [correct]
[Good: True]
[Bad : False]
Source: 100.100.183.204 (100.100.183.204)
Destination: 100.100.171.254 (100.100.171.254)
Transmission Control Protocol, Src Port: ftp-data (20), Dst Port: 62304
(62304), Seq: 111497, Ack: 1, Len: 0
Source port: ftp-data (20)
Destination port: 62304 (62304)
Sequence number: 111497 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
Header length: 32 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 5840 (scaled)
Checksum: 0xda32 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Options: (12 bytes)
NOP
NOP
Timestamps: TSval 3203281847, TSecr 3574178296
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 139]
[The RTT to ACK the segment was: 0.000007000 seconds]
[TCP Analysis Flags]
[This is a TCP duplicate ack]
[Duplicate ACK #: 2]
[Duplicate to the ACK in frame: 136]
[ltosolini@nlws481253 SpeedTest]$
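Added example, not part of the original post and not Wireshark's own code: a simplified Python model of the duplicate-ACK conditions Wireshark documents for its TCP analysis (zero-length segment, unchanged non-zero window, unchanged ack and sequence number, no SYN/FIN/RST), run over frames 136-140 as transcribed from the capture above. The names `Seg`, `FRAMES` and `find_dup_acks` are hypothetical.

```python
from collections import namedtuple

Seg = namedtuple("Seg", "frame src seq length ack win flags")

# Frames 136-140 transcribed from the capture in the post (relative seq/ack).
FRAMES = [
    Seg(136, "100.100.183.204", 110049, 1448, 1, 5840, {"ACK"}),
    Seg(137, "100.100.171.254", 1, 0, 63713, 65160, {"ACK"}),
    Seg(138, "100.100.183.204", 111497, 0, 1, 5840, {"ACK"}),
    Seg(139, "100.100.171.254", 1, 0, 65161, 66608, {"ACK"}),
    Seg(140, "100.100.183.204", 111497, 0, 1, 5840, {"ACK"}),
]

def find_dup_acks(segments):
    """Return {frame: (base_frame, n)} for segments the rule marks as duplicate ACKs."""
    state = {}    # per sender: last ack, last window, next expected seq, base frame, count
    flagged = {}
    for s in segments:
        prev = state.get(s.src)
        is_dup = (
            prev is not None                        # something already seen from this sender
            and s.length == 0                       # carries no payload
            and s.win != 0 and s.win == prev["win"] # window non-zero and unchanged
            and s.ack == prev["ack"]                # ack number did not advance
            and s.seq == prev["next_seq"]           # seq is exactly where the sender left off
            and not (s.flags & {"SYN", "FIN", "RST"})
        )
        if is_dup:
            prev["count"] += 1
            flagged[s.frame] = (prev["base"], prev["count"])
        else:
            # Any other segment becomes the new reference for this direction.
            state[s.src] = {"ack": s.ack, "win": s.win,
                            "next_seq": s.seq + s.length,
                            "base": s.frame, "count": 0}
    return flagged

if __name__ == "__main__":
    for frame, (base, n) in find_dup_acks(FRAMES).items():
        print(f"frame {frame}: Dup ACK {base}#{n}")
```

The rule is per-direction bookkeeping: each zero-length segment is compared only with the previous segment from the same sender, so frames 138 and 140 match frame 136 (ack still 1, window still 5840), while 254's ACKs are not flagged because their ack number and window change each time.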
This archive was generated by hypermail 2.1.4 : Mon Apr 06 2009 - 06:44:05 ART