Wireshark mailing list archives
Bad TCP - Why ?
From: Steve Smith <smithzsteve () googlemail com>
Date: Thu, 18 Feb 2010 09:06:04 +0000
Hello Folks

Can anyone tell me why Wireshark decides these TCP keep-alives are bad ? It's not the checksum.
Any help would be much appreciated.

Below is an export of packets 28-31

Thanks for any assistance.

No.     Time        Source          Destination     Protocol Info
     28 52.431700   10.160.104.6    10.160.120.202  TCP      [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0

Frame 28 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:45.717539000
    [Time delta from previous captured frame: 7.198603000 seconds]
    [Time delta from previous displayed frame: 7.198603000 seconds]
    [Time since reference or first frame: 52.431700000 seconds]
    Frame Number: 28
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
    Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0x0565 (1381)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 60
    Protocol: TCP (0x06)
    Header checksum: 0x82f3 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.104.6 (10.160.104.6)
    Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
    Source port: 1124 (1124)
    Destination port: 4000 (4000)
    [Stream index: 0]
    Sequence number: 454 (relative sequence number)
    Acknowledgement number: 93 (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x94af [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 27]
        [The RTT to ACK the segment was: 7.198603000 seconds]
        [TCP Analysis Flags]
            [This is a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive]
                    [Message: Keep-Alive]
                    [Severity level: Note]
                    [Group: Sequence]

No.     Time        Source          Destination     Protocol Info
     29 52.468294   10.160.120.202  10.160.104.6    TCP      [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0

Frame 29 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:45.754133000
    [Time delta from previous captured frame: 0.036594000 seconds]
    [Time delta from previous displayed frame: 0.036594000 seconds]
    [Time since reference or first frame: 52.468294000 seconds]
    Frame Number: 29
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
    Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xec02 (60418)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (0x06)
    Header checksum: 0x5b55 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.120.202 (10.160.120.202)
    Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
    Source port: 4000 (4000)
    Destination port: 1124 (1124)
    [Stream index: 0]
    Sequence number: 93 (relative sequence number)
    Acknowledgement number: 455 (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x80ae [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is an ACK to a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive ACK]
                    [Message: Keep-Alive ACK]
                    [Severity level: Note]
                    [Group: Sequence]

No.     Time        Source          Destination     Protocol Info
     30 59.931091   10.160.104.6    10.160.120.202  TCP      [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0

Frame 30 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:53.216930000
    [Time delta from previous captured frame: 7.462797000 seconds]
    [Time delta from previous displayed frame: 7.462797000 seconds]
    [Time since reference or first frame: 59.931091000 seconds]
    Frame Number: 30
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
    Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xf3b3 (62387)
    Flags: 0x00
        0.. = Reserved bit: Not Set
        .0. = Don't fragment: Not Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 60
    Protocol: TCP (0x06)
    Header checksum: 0x94a4 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.104.6 (10.160.104.6)
    Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
    Source port: 1124 (1124)
    Destination port: 4000 (4000)
    [Stream index: 0]
    Sequence number: 454 (relative sequence number)
    Acknowledgement number: 93 (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 3072
    Checksum: 0x94af [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 29]
        [The RTT to ACK the segment was: 7.462797000 seconds]
        [TCP Analysis Flags]
            [This is a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive]
                    [Message: Keep-Alive]
                    [Severity level: Note]
                    [Group: Sequence]

No.     Time        Source          Destination     Protocol Info
     31 59.939739   10.160.120.202  10.160.104.6    TCP      [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0

Frame 31 (60 bytes on wire, 60 bytes captured)
    Arrival Time: Feb 15, 2010 17:25:53.225578000
    [Time delta from previous captured frame: 0.008648000 seconds]
    [Time delta from previous displayed frame: 0.008648000 seconds]
    [Time since reference or first frame: 59.939739000 seconds]
    Frame Number: 31
    Frame Length: 60 bytes
    Capture Length: 60 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: Bad TCP]
    [Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
    Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
        0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 40
    Identification: 0xec04 (60420)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 61
    Protocol: TCP (0x06)
    Header checksum: 0x5b53 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.160.120.202 (10.160.120.202)
    Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
    Source port: 4000 (4000)
    Destination port: 1124 (1124)
    [Stream index: 0]
    Sequence number: 93 (relative sequence number)
    Acknowledgement number: 455 (relative ack number)
    Header length: 20 bytes
    Flags: 0x10 (ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x80ae [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [This is an ACK to a TCP keep-alive segment]
                [Expert Info (Note/Sequence): Keep-Alive ACK]
                    [Message: Keep-Alive ACK]
                    [Severity level: Note]
                    [Group: Sequence]
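
Added example, not part of the original post: a simplified Python model of the keep-alive heuristic described in the Wireshark User's Guide, run over the Seq/Ack/Len values of frames 28-31 above, showing that a colouring rule of `tcp.analysis.flags` matches all four frames even though their expert severity is only Note. The `Seg` class, the seeded `NEXT_SEQ` values and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    frame: int
    src: str
    seq: int      # relative sequence number
    ack: int
    length: int   # TCP payload length
    flags: str    # comma-separated TCP flags, e.g. "ACK"

# Summary values copied from frames 28-31 in the post.
SEGS = [
    Seg(28, "10.160.104.6", 454, 93, 0, "ACK"),
    Seg(29, "10.160.120.202", 93, 455, 0, "ACK"),
    Seg(30, "10.160.104.6", 454, 93, 0, "ACK"),
    Seg(31, "10.160.120.202", 93, 455, 0, "ACK"),
]
# Assumption: frames 1-27 are not shown, so each sender's next expected
# sequence number is seeded from the ACK field sent by its peer.
NEXT_SEQ = {"10.160.104.6": 455, "10.160.120.202": 93}

def analyse(segs, next_seq):
    """Return {frame: set of analysis flags} for a two-host conversation."""
    nxt, last, result = dict(next_seq), {}, {}
    for s in segs:
        ctrl = {"SYN", "FIN", "RST"} & set(s.flags.split(","))
        # Flags of the most recent segment seen in the reverse direction.
        peer = set().union(*(f for src, f in last.items() if src != s.src))
        flags = set()
        if not ctrl and s.length <= 1 and s.seq == nxt[s.src] - 1:
            flags.add("keep_alive")        # field: tcp.analysis.keep_alive
        elif (not ctrl and s.length == 0 and s.seq == nxt[s.src]
              and "keep_alive" in peer):
            flags.add("keep_alive_ack")    # field: tcp.analysis.keep_alive_ack
        else:
            nxt[s.src] = max(nxt[s.src], s.seq + s.length)
        last[s.src] = result[s.frame] = flags
    return result

def rule_any_flag(flags):        # models the rule string: tcp.analysis.flags
    return bool(flags)

def rule_skip_keepalive(flags):  # same rule with both keep-alive fields excluded
    return bool(flags - {"keep_alive", "keep_alive_ack"})

def coloured(segs, next_seq, rule):
    """Frames that a colouring rule would paint as Bad TCP."""
    return [n for n, f in analyse(segs, next_seq).items() if rule(f)]
```

With `rule_any_flag` the four frames are coloured; with `rule_skip_keepalive`, which corresponds to the display filter `tcp.analysis.flags && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack`, none are.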