Wireshark mailing list archives

Re: out of port numbers


From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Thu, 1 Sep 2011 11:47:41 +0200


Devices that monitor the availability of services usually terminate the
session before the 3WHS is complete. This way, the probe connection only
disturbs the TCP stack and not the application on the port. On loadbalancers
this is often called a "tcp-half-open" healthcheck.


Thanks, I am learning!


Since your capture also shows "Port number reused", it could be that the
monitoring of the service is done from the same source port each time. IIRC
F5 loadbalancers have that habit, but I'm not 100% sure.


About 40 connections per second are being established between the client (an
HTTP proxy server) and the web server, of which roughly 15% are reset before
the 3-way handshake finishes. Note that there are more web servers that this
proxy server connects to, so I guess 40 connections may be multiplied by
some factor from the proxy's point of view. The web servers do not implement
keep-alive "for technical reasons", explaining the many connections.

I am trying to find out if this high number of connections causes a
bottleneck. Or is it not as high as I believe?



You can verify this theory by looking at the client-ip of these
connections: do they come from a few sources, with each source making a
connection at regular intervals (every 2 or 5 seconds for instance)?



The tcpdump I was referring to has only one IP-level conversation in it (the
proxy and one web server). This resetting of connections comes at irregular
intervals (roughly: average = 4 times, min = 1, max = 9).


Cheers,
Andrej
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
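
The check suggested in the thread (do the connections reset before the 3WHS completes come from a few sources, at regular intervals, from the same source port?), as an added example that is not part of the original post. It assumes packets were exported from the capture as (time, src, sport, dst, dport, flags) tuples; the function names, the 0.1 regularity threshold and all addresses are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def aborted_handshakes(packets):
    """Return (syn_time, client_ip, client_port) for each SYN reset before the 3WHS completed."""
    state, aborts = {}, []   # state: (client, cport, server, sport) -> [syn_time, synack_seen]
    for ts, src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                      # new attempt; also covers a reused source port
            state[fwd] = [ts, False]
            continue
        key = fwd if fwd in state else rev if rev in state else None
        if key is None:
            continue                          # handshake already completed, or SYN never seen
        if "R" in flags:                      # RST from either side before the final ACK
            aborts.append((state.pop(key)[0], key[0], key[1]))
        elif flags == "SA" and key == rev:
            state[key][1] = True
        elif "A" in flags and key == fwd and state[key][1]:
            del state[key]                    # final ACK: handshake complete, stop tracking
    return aborts

def summarize_sources(aborts, max_cv=0.1):
    """Per client: abort count, whether the intervals are regular, whether one source port is reused."""
    by_src = defaultdict(list)
    for ts, ip, port in aborts:
        by_src[ip].append((ts, port))
    out = {}
    for ip, rows in by_src.items():
        times = sorted(t for t, _ in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Regular means a low coefficient of variation of the gaps (assumed threshold).
        regular = len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv
        out[ip] = {"aborts": len(rows), "regular": regular,
                   "same_port": len({p for _, p in rows}) == 1}
    return out

# Constructed sample: a monitor probing every 5 s from one port, and a proxy with irregular resets.
SERVER = ("10.0.0.80", 80)
ABORTED = [("10.0.0.5", 40000, t) for t in (0.0, 5.0, 10.0, 15.0)]
ABORTED += [("10.0.0.10", 50000 + i, t) for i, t in enumerate((1.0, 2.3, 7.9, 8.4))]
SAMPLE = [pkt for ip, port, t in ABORTED for pkt in (
    (t, ip, port, *SERVER, "S"), (t + .001, *SERVER, ip, port, "SA"), (t + .002, ip, port, *SERVER, "R"))]
# One completed handshake that is reset later; it must not be counted as an aborted handshake.
SAMPLE += [(3.0, "10.0.0.10", 51000, *SERVER, "S"), (3.001, *SERVER, "10.0.0.10", 51000, "SA"),
           (3.002, "10.0.0.10", 51000, *SERVER, "A"), (3.5, "10.0.0.10", 51000, *SERVER, "RA")]
SAMPLE.sort()

if __name__ == "__main__":
    print(summarize_sources(aborted_handshakes(SAMPLE)))
```

A source flagged as both regular and same_port matches the health-check pattern described in the quoted text; irregular resets from changing ports, as in the capture described in the reply, do not.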
