Wireshark mailing list archives

Re: out of port numbers


From: Sake Blok <sake () euronet nl>
Date: Thu, 1 Sep 2011 09:36:59 +0200

On 1 sep 2011, at 07:01, Andrej van der Zee wrote:

> I am seeing a lot of port-reuses in the tcpdumps. The tcpdump was
> captured on a Debian master that runs multiple Debian guests (Linux
> VServer). Among others, it runs a proxy and application server that
> setup a new connection for each HTTP request that is being served.
>
> On this Linux VServer, I am seeing 20.401 reused ports (filter
> tcp.analysis.reused_ports in Wireshark) in a 429 second tcpdump
> sample. Is this value not extremely high?
>
> I had some more time to look at this "issue" and I was hoping somebody could advise me. In the tcpdump I find many reset connections before the 3way handshake is even finished, for example:
>
> clt -> srv: 17:00:04.100996 SYN [Port number resused] seq=0
> clt -> srv: 17:00:04.103999 SYN seq=0
> srv -> clt: 17:00:04.104033 SYN + ACK seq=0, ack=1
> clt -> srv: 17:00:04.109510 RST seq=1
>
> Under what conditions would the client reset the connection within such a short timespan (< 10 millisecond)?

Devices that monitor the availability of services usually terminate the session before the 3WHS is complete. This way, 
the probe connection only disturbs the TCP stack and not the application on the port. On loadbalancers this is often 
called a "tcp-half-open" healthcheck. Since your capture also shows "Port number reused", it could be that the 
monitoring of the service is done from the same source port each time. IIRC F5 loadbalancers have that habit, but I'm 
not 100% sure.

You can verify this theory by looking at the client-ip of these connections, do they come from a few sources with each 
source making a connection at regular intervals (every 2 or 5 seconds for instance)?

Cheers,
Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
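
The check suggested in the reply above, as an added example that is not part of the original thread: it finds handshakes the client reset right after the server's SYN+ACK and reports, per client IP, how many there were and whether they recur at a regular interval. The packet records are constructed, and the function names and the `max_jitter` and `min_probes` thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def sample_packets():
    """Constructed records: (time_s, src_ip, src_port, dst_ip, dst_port, flags)."""
    srv, pkts = "198.51.100.5", []
    for i in range(6):  # monitor: probes every 5 s, always from source port 40000
        t, c = 5.0 * i, "192.0.2.10"
        pkts += [(t, c, 40000, srv, 80, "S"), (t + 0.001, srv, 80, c, 40000, "SA"),
                 (t + 0.006, c, 40000, srv, 80, "R")]
    for t, p in [(1.3, 51000), (2.1, 51001), (9.7, 51002)]:  # ordinary client
        c = "192.0.2.77"
        pkts += [(t, c, p, srv, 80, "S"), (t + 0.001, srv, 80, c, p, "SA"),
                 (t + 0.002, c, p, srv, 80, "A")]
    return sorted(pkts)

def half_open_probes(packets):
    """Map client IP -> SYN times of handshakes the client reset right after
    the server's SYN+ACK (SYN, SYN+ACK, RST), as in the trace in the thread."""
    state = {}  # (client, cport, server, sport) -> [syn_time, stage]
    probes = defaultdict(list)
    for t, src, sp, dst, dp, flags in packets:
        if flags == "S":
            state[(src, sp, dst, dp)] = [t, "syn"]  # new or retransmitted SYN
        elif flags == "SA" and (dst, dp, src, sp) in state:
            state[(dst, dp, src, sp)][1] = "synack"
        elif (src, sp, dst, dp) in state:  # client's next packet decides
            syn_time, stage = state.pop((src, sp, dst, dp))
            if flags == "R" and stage == "synack":
                probes[src].append(syn_time)
    return dict(probes)

def summarize(probes, max_jitter=0.5, min_probes=3):
    """Per client: (count, mean interval in s, periodic?). Thresholds are assumed."""
    out = {}
    for ip, times in probes.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        periodic = len(times) >= min_probes and pstdev(gaps) <= max_jitter
        out[ip] = (len(times), mean(gaps) if gaps else None, periodic)
    return out

if __name__ == "__main__":
    for ip, (n, gap, periodic) in summarize(half_open_probes(sample_packets())).items():
        print(f"{ip}: {n} reset handshakes, mean interval {gap}s, periodic={periodic}")
```

A few sources with a high count and a steady interval match the health-check pattern described in the reply; many sources with irregular timing do not.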