First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

Sequence numbers for retransmitted packets staying at Zero

  • retag add tags

Clients sends SYN and receives no reply, subsequent retransmissions follow but marked with TCP Port numbers reused message in square brackets by Wireshark. I'm guessing the reuse marking is because sequence numbers did not increment by one for every such retransmission.

If the above is true, and packets don't lie, I was not expecting such b behaviour from the client initiating the request.

ajaznawaz's avatar
1
ajaznawaz
asked 2022-08-12 18:55:09 +0000
grahamb's avatar
23.8k
grahamb
updated 2022-08-12 20:36:04 +0000
edit flag offensive 0 remove flag close merge delete

Comments

What version of Wireshark is being used here? There is current ongoing work in the development branch to improve the TCP analysis output.

As these are retransmissions (due to the server not responding) it's implicit that ports will be reused. Arguably then, there is no need to display the port reused message.

grahamb's avatar grahamb (2022-08-12 20:40:40 +0000) edit
more
  • delete

Version 3.6.7 (v3.6.7-0-g4a304d7ec222)

ajaznawaz's avatar ajaznawaz (2022-08-12 21:49:15 +0000) edit
more
  • delete

Like I stated in my OP this would be true if the expected behaviour in respect to seq numbers, was that they increment n+1 as each packet for any given stream goes out ...

Are you following me, apologies in advance if I am not explaining clearly.

ajaznawaz's avatar ajaznawaz (2022-08-12 21:53:12 +0000) edit
more
  • delete

Why would the sequence number increase for a retransmission? In your capture the server hasn't responded so the client retransmits with the same sequence number.

grahamb's avatar grahamb (2022-08-13 11:58:29 +0000) edit
more
  • delete

I hear you GrahamB but then as you stated earlier this is not expected display by Wireshark. My train of thought was how else could it be avoided. This particular example threw a huge curve ball at us this way.

Let me explain. On the server side we were observing proper 'port reuse' messages where some device along the network path was tampering with Src ports.

Hopefully it can be addressed soon, we say 'Packets don't lie', I shall caveat that by adding 'mostly'

ajaznawaz's avatar ajaznawaz (2022-08-13 12:13:30 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

I may be missing something here. OP is talking both source ports and sequence numbers. I think we all agree the TCP Port Reuse messages are unneeded / wrong. In first (and most) TCP SYN packets, the TCP Segment Lenth is zero (0). The TCP Segment length determines how the sequence number will increment. As you can see in the flow, the client performs an initial SYN, waits 1 second, then 2 seconds, then 4 seconds - as it attempts to connect to the server. The 4th SYN completes. For each of the initial SYN requests, the Sequence number is and will remain 0 - as there is no TCP Payload. As grahamb implies, I believe the TCP Sequence number will only increment as there is a new TCP payload being sent. If the sender is re-sending a TCP payload, the original SEQ number will be used.

DavidB's avatar
1
DavidB
answered 2022-09-14 18:10:09 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer