Wireshark mailing list archives

Re: tcpdump


From: Guy Harris <guy () alum mit edu>
Date: Sat, 19 Jun 2010 15:02:26 -0700


On Jun 18, 2010, at 5:53 PM, Kaushal Shriyan wrote:

root@host0130:~# tcpdump -r tcpdump
reading from file tcpdump, link-type EN10MB (Ethernet)
13:51:20.256698 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530663 0,nop,wscale 7>
13:51:23.254569 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052530963 0,nop,wscale 7>
13:51:29.254568 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052531563 0,nop,wscale 7>
13:51:41.254565 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052532763 0,nop,wscale 7>
13:52:05.254567 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052535163 0,nop,wscale 7>

Those appear to be repeated retransmissions of the same TCP segment.

13:52:35.633372 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 933727155:933727155(0) win 0

That appears to be a RST sent by AES-Static-IP.airtel.in - it doesn't seem to think the connection between 
host0130.example.com, port 36825, and AES-Static-IP.airtel.in, port 80, exists, even though host0130.example.com does 
think it exists, as it's sending a TCP segment for that connection.

13:52:53.254571 IP host0130.example.com.36825 > AES-Static-IP.airtel.in.www: S 2400127911:2400127911(0) win 5840 <mss 1460,sackOK,timestamp 2052539963 0,nop,wscale 7>

host0130.example.com doesn't appear to have understood that AES-Static-IP.airtel is saying "that connection doesn't 
exist", as it persists in trying to send that TCP segment...

13:53:23.464374 IP AES-Static-IP.airtel.in.www > host0130.example.com.36825: R 458396600:458396600(0) win 0

...so AES-Static-IP.airtel.in tries again...

13:54:05.420054 IP host0130.example.com.35821 > AES-Static-IP.airtel.in.www: S 714058707:714058707(0) win 5840 <mss 1460,sackOK,timestamp 2052547179 0,nop,wscale 7>

...to no avail.

I don't know what link you're capturing on, but if you're not capturing on a link to which host0130 is directly 
connected or to which AES-Static-IP.airtel.in is directly connected, I suspect that the traffic from host0130 to 
AES-Static-IP.airtel.in is getting dropped by some host further along the route (so that the TCP segments it's sending 
aren't being seen by AES-Static-IP.airtel.in and thus not acked) and that the traffic from AES-Static-IP.airtel.in to 
host0130 is getting lost by some host further along the route (so that the RSTs it's sending aren't being seen by 
host0130).
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
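
The reading of the capture above can be automated. The following is an added example, not part of the original post: it parses the old-style tcpdump text output quoted in the message, groups SYNs by sequence number, and reports handshakes that were retransmitted without a SYN-ACK, together with the retransmission gaps and the RSTs seen from the peer. The function names and the `min_syns` threshold are this example's own.

```python
import re
from collections import defaultdict

# Lines copied from the capture quoted in the post, TCP options trimmed.
H, P = "host0130.example.com", "AES-Static-IP.airtel.in.www"
SAMPLE = f"""\
13:51:20.256698 IP {H}.36825 > {P}: S 2400127911:2400127911(0) win 5840
13:51:23.254569 IP {H}.36825 > {P}: S 2400127911:2400127911(0) win 5840
13:51:29.254568 IP {H}.36825 > {P}: S 2400127911:2400127911(0) win 5840
13:51:41.254565 IP {H}.36825 > {P}: S 2400127911:2400127911(0) win 5840
13:52:05.254567 IP {H}.36825 > {P}: S 2400127911:2400127911(0) win 5840
13:52:35.633372 IP {P} > {H}.36825: R 933727155:933727155(0) win 0
13:52:53.254571 IP {H}.36825 > {P}: S 2400127911:2400127911(0) win 5840
13:53:23.464374 IP {P} > {H}.36825: R 458396600:458396600(0) win 0
13:54:05.420054 IP {H}.35821 > {P}: S 714058707:714058707(0) win 5840
"""

# Old-style tcpdump line: time, "IP", src > dst:, flags, seq:seq(len), rest.
# Lines without a sequence range (pure ACKs) do not match and are skipped.
LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): (\S+) (\d+):\d+\(\d+\)(.*)")

def parse(text):
    """Yield (seconds, src, dst, flags, seq, rest) for each matching line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, dst, flags, seq, rest = m.groups()
            ts = int(h) * 3600 + int(mi) * 60 + float(s)
            yield ts, src, dst, flags, int(seq), rest

def stalled_handshakes(text, min_syns=3):
    """Report flows whose SYN was retransmitted and never answered."""
    syns, rsts, answered = defaultdict(list), defaultdict(int), set()
    for ts, src, dst, flags, seq, rest in parse(text):
        if flags == "S" and " ack " in rest:      # SYN-ACK from the peer
            answered.add((dst, src))
        elif flags == "S":                        # initial or retransmitted SYN
            syns[(src, dst, seq)].append(ts)
        elif "R" in flags:                        # RST, keyed by the SYN's direction
            rsts[(dst, src)] += 1
    report = []
    for (src, dst, seq), times in syns.items():
        if len(times) >= min_syns and (src, dst) not in answered:
            gaps = [round(b - a) for a, b in zip(times, times[1:])]
            report.append({"src": src, "dst": dst, "seq": seq,
                           "syns": len(times), "gaps": gaps,
                           "rsts_from_peer": rsts[(src, dst)]})
    return report
```

On the quoted capture the gaps between the six SYNs come out as 3, 6, 12, 24 and 48 seconds, the doubling retransmission timer of a handshake that never gets an answer, while two RSTs from the peer arrive for the same port pair.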