
need help on how to read this capture, Out of Order packets

Hi, I'm having trouble interpreting the data below. I know there are lots of OOO packets; I'm having trouble understanding who is getting the packets OOO and who is reporting it.

For example, I see 10.213.18.69 sending a SYN packet to 10.213.1.11, and right below I see TCP OOO to source 10.213.18.69. Does this mean that host 10.213.1.11 is reporting it OOO? How is this happening even though it's the first packet?

No. Time    Source  Destination Protocol    Length  Sequence number Next sequence number    Acknowledgment number   Info

79  37.477032   10.213.18.69    10.213.1.11 TCP 66  0   1   0   52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

80  37.477032   10.213.18.69    10.213.1.11 TCP 66  0   1   0   [TCP Out-Of-Order] 52715 → 389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1

I also see dups and an RST at the end, which I am assuming means 10.213.1.11 terminated the connection because of the OOO packets. So is 10.213.1.11, the server, reporting all of this? This packet capture was taken on a Cisco router on 10.213.18.69, FYI.

I would appreciate it if someone could walk me through this TCP flow and break down what is happening. I understand the concept, just not sure how to interpret the Wireshark data.

TIA, Paul

81  37.492030   10.213.1.11 10.213.18.69    TCP 66  0   1   1   389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

82  37.492030   10.213.1.11 10.213.18.69    TCP 66  0   1   1   [TCP Out-Of-Order] 389 → 52715 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1360 WS=256 SACK_PERM=1

83  37.495021   10.213.18.69    10.213.1.11 TCP 54  1   1   1   52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

84  37.495021   10.213.18.69    10.213.1.11 TCP 54  1   1   1   [TCP Dup ACK 83#1] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=0

85  37.496028   10.213.18.69    10.213.1.11 TCP 1414    1   1361    1   52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360 [TCP segment of a reassembled PDU]

86  37.496028   10.213.18.69    10.213.1.11 TCP 1414    1   1361    1   [TCP Retransmission] 52715 → 389 [ACK] Seq=1 Ack=1 Win=131840 Len=1360

87  37.496028   10.213.18.69    10.213.1.11 LDAP    786 1361    2093    1   bindRequest(7) "<root>" sasl 

88  37.496028   10.213.18.69    10.213.1.11 TCP 786 1361    2093    1   [TCP Retransmission] 52715 → 389 [PSH, ACK] Seq=1361 Ack=1 Win=131840 Len=732

89  37.511027   10.213.1.11 10.213 ...
da_P
asked 2021-11-19 20:29:58 +0000
cmaynard
updated 2021-11-19 21:55:19 +0000

Comments

Looks like the packet capture is making duplicates of every packet.

Chuckc (2021-11-20 00:31:53 +0000)

Thanks, I looked at the cap on the Cisco router and I was indeed capturing two interfaces which passed the same traffic.

da_P (2021-11-22 15:44:40 +0000)

2 Answers


Like @Chuckc said, there are duplicates of every packet, which is not uncommon when you capture on a monitor port, where both ingress and egress traffic of a switch fabric is captured, for instance. This is where editcap -d comes to shine, allowing you to remove the duplicates.

Jaap
answered 2021-11-20 06:43:43 +0000

Comments

Thanks, I looked at the cap on the Cisco router and I was indeed capturing two interfaces which passed the same traffic.

da_P (2021-11-22 15:44:45 +0000)
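To see why editcap -d fixes this capture, here is an added example (not from the post or from Wireshark's source) that models the editcap -d rule in Python: a frame is dropped when its bytes exactly match one of the previous 5 frames (editcap -D <n> changes that window). The frame bytes below are constructed stand-ins for frames 79-88 of the question, not real wire data; the "[TCP Out-Of-Order]" and "[TCP Retransmission]" labels in the question are Wireshark's analysis of seeing each segment twice, not something either host sent.

```python
import hashlib
import struct
from collections import deque

def dedup_frames(frames, window=5):
    """Drop any frame whose bytes exactly match one of the previous `window`
    frames, modelled on what editcap -d does (editcap -D <n> sets the window).
    Returns (kept_frames, dropped_indices)."""
    recent = deque(maxlen=window)          # ring of digests of recent frames
    kept, dropped = [], []
    for i, frame in enumerate(frames):
        digest = hashlib.md5(frame).digest()
        if digest in recent:
            dropped.append(i)
        else:
            kept.append(frame)
        recent.append(digest)              # a dropped frame still counts as seen
    return kept, dropped

def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed stand-in for a captured frame (not real wire bytes): just
    enough fields that two copies of one segment compare byte-equal."""
    hdr = struct.pack("!4s4sHHIIB", src, dst, sport, dport, seq, ack, flags)
    return hdr + payload

CLIENT, SERVER = bytes([10, 213, 18, 69]), bytes([10, 213, 1, 11])
SYN, ACK, PSH = 0x02, 0x10, 0x08

# The flow from the question (frames 79-88), one copy of each segment.
ONE_COPY = [
    frame(CLIENT, SERVER, 52715, 389, 0, 0, SYN),                       # 79: SYN
    frame(SERVER, CLIENT, 389, 52715, 0, 1, SYN | ACK),                 # 81: SYN/ACK
    frame(CLIENT, SERVER, 52715, 389, 1, 1, ACK),                       # 83: ACK
    frame(CLIENT, SERVER, 52715, 389, 1, 1, ACK, b"A" * 1360),          # 85: first segment
    frame(CLIENT, SERVER, 52715, 389, 1361, 1, PSH | ACK, b"B" * 732),  # 87: bindRequest
]
# Capturing two interfaces that carry the same traffic yields every frame twice,
# back to back: the 79/80, 81/82, 83/84, ... pairs seen in the question.
TWO_INTERFACES = [f for f in ONE_COPY for _ in range(2)]

if __name__ == "__main__":
    kept, dropped = dedup_frames(TWO_INTERFACES)
    print(f"{len(TWO_INTERFACES)} frames in, {len(kept)} kept, dropped {dropped}")
    # Adjacent but different segments (85 then 87) are not identical, so they survive.
    assert kept == ONE_COPY
```

Because the comparison is on whole frame bytes, a genuine retransmission whose IP header differs (for example a fresh IP ID) survives the pass; spot-check a few of the removed frames before trusting the cleaned file.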

I was unaware I was capturing traffic in/out on multiple interfaces that pass the same traffic, and it was creating dups.

da_P
answered 2021-11-22 15:45:42 +0000