
Capture output explanation


Hello, I am facing a problem between 2 machines and I installed Wireshark version 3.2.0 to capture the network traffic. While I am able to ping the target machine from the source machine, when I try to connect to port 22 I cannot connect. I started a capture while trying to connect to the target machine using both telnet and the WinSCP application. It is a short capture, but I do not know what the problem is. These are some of the data that I receive in the capture:

Internet Protocol Version 4, Src: source, Dst: target
Transmission Control Protocol, Src Port: 51877, Dst Port: 22, Seq: 0, Len: 0
    Source Port: 51877
    Destination Port: 22
    [Stream index: 1]
    [TCP Segment Len: 0]
    Sequence number: 0    (relative sequence number)
    Sequence number (raw): 2742951259
    [Next sequence number: 1    (relative sequence number)]
    Acknowledgment number: 0
    Acknowledgment number (raw): 0
    1000 .... = Header Length: 32 bytes (8)
    Flags: 0x0c2 (SYN, ECN, CWR)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 1... .... = Congestion Window Reduced (CWR): Set
        .... .1.. .... = ECN-Echo: Set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .0.. = Reset: Not set
        .... .... ..1. = Syn: Set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ····CE····S·]
    Window size value: 65535
    [Calculated window size: 65535]
    Checksum: 0x8352 [unverified]
    [Checksum Status: Unverified]
    Urgent pointer: 0
    Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
    [SEQ/ACK analysis]
        [TCP Analysis Flags]
            [Expert Info (Note/Sequence): This frame is a (suspected) retransmission]
            [The RTO for this segment was: 3.000277000 seconds]
            [RTO based on delta from frame: 4]
    [Timestamps]

Please advise.

tuccero, asked 2023-02-06 17:40:20 +0000

Comments

Hello,

Any other ideas regarding this problem?

tuccero (2023-02-13 06:38:12 +0000)

Capture this event on both the source and destination machine simultaneously and provide the files through some file sharing service. Also describe the source and destination machine in some detail. Then people can analyse rather than guess what's going on.

Jaap (2023-02-13 07:24:05 +0000)

Thank you for your reply. I captured the output from both sides. You can find the information about the machines below:

Source: Windows Server 2016 Datacenter which is used as a jump server. Users are connected to this server to access certain services/applications or simply to connect to other servers. Capture sftp2.pcapng was taken on this server.

Target: RedHat Enterprise Linux 8.7 which is used as an sftp server (openssh). Capture dbjs2.pcapng was taken on this server.

Test Description: I tried to telnet to port 22 from the source server to the target server and then to ping the target server as well. As you will see from the captures, when I attempt to telnet to port 22 nothing is captured on the target server. The only traffic captured on the target server is from when I tried to ping.

You can use the following url to download files from wetransfer: link text

tuccero (2023-02-13 08:47:25 +0000)

So from the IP addresses in the capture files it tells me there is another box in between these two servers. The fact that the MAC address of this box is from Fortinet suggests to me a firewall. A firewall typically blocks port 22 access, therefore you get no SYN/ACK back.

Jaap (2023-02-13 12:02:31 +0000)

Thank you. I will contact the firewall administrator to further investigate the issue.

tuccero (2023-02-13 13:08:48 +0000)

1 Answer


If you send multiple SYN packets and the server does not respond with SYN-ACK then I would start with checking if the server is listening on port 22 and if there is a host based firewall active that drops the packets.

hugo.vanderkooij, answered 2023-02-07 09:47:05 +0000

Comments

Hello, yes, I can verify that the server is listening on port 22 and there is no firewall active on the server. This is the strange thing for me. I can connect from multiple other sources to the target machine (including my workstation), and the only issue that I am facing is from the specific source machine.

tuccero (2023-02-07 10:01:50 +0000)
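A way to turn the two-sided capture Jaap asked for into a verdict, as an added example that is not part of this thread: each client SYN is classified by what came back (a SYN/ACK, an RST, or silence across the retransmissions), and the silent drops are then checked against the server-side capture to tell a device in the path from a host firewall or closed socket. It assumes both pcapng files were exported to CSV with the tshark command in the docstring; the addresses, ports and log lines are constructed samples.

```python
"""Classify TCP connection attempts from tshark field output (added example,
not from the thread). Assumes both captures were exported with real field names:
  tshark -r sftp2.pcapng -T fields -E separator=, -e frame.time_relative \
    -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
    -e tcp.flags.syn -e tcp.flags.ack -e tcp.flags.reset
"""
from collections import defaultdict

# Constructed client-side sample: port 22 gets only SYN retransmissions
# (about 3 s apart, like the posted RTO), 443 gets a SYN/ACK, 8080 a RST.
CLIENT_SIDE = """\
0.000000,10.0.0.5,10.0.0.9,51877,22,1,0,0
3.000277,10.0.0.5,10.0.0.9,51877,22,1,0,0
9.001020,10.0.0.5,10.0.0.9,51877,22,1,0,0
0.100000,10.0.0.5,10.0.0.9,51878,443,1,0,0
0.100900,10.0.0.9,10.0.0.5,443,51878,1,1,0
0.200000,10.0.0.5,10.0.0.9,51879,8080,1,0,0
0.200400,10.0.0.9,10.0.0.5,8080,51879,0,1,1
"""
# Constructed server-side sample: the port-22 SYNs never arrive there.
SERVER_SIDE = """\
0.100400,10.0.0.5,10.0.0.9,51878,443,1,0,0
0.100500,10.0.0.9,10.0.0.5,443,51878,1,1,0
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        t, src, dst, sp, dp, syn, ack, rst = line.split(",")
        rows.append((float(t), src, dst, int(sp), int(dp), syn == "1", ack == "1", rst == "1"))
    return rows

def classify(rows):
    """Key (client, server, cport, sport) -> (verdict, number of SYNs sent)."""
    attempts = defaultdict(lambda: {"syn": [], "reply": None})
    for t, src, dst, sp, dp, syn, ack, rst in rows:
        if syn and not ack:                      # client SYN or its retransmission
            attempts[(src, dst, sp, dp)]["syn"].append(t)
        elif syn and ack:                        # SYN/ACK: something is listening
            attempts[(dst, src, dp, sp)]["reply"] = "open"
        elif rst:                                # RST: host reachable, port refused
            attempts[(dst, src, dp, sp)]["reply"] = "closed"
    # Repeated SYNs and nothing back: the packets are being dropped silently.
    return {k: (a["reply"] or "filtered", len(a["syn"])) for k, a in attempts.items()}

def locate_drop(client_rows, server_rows):
    """For each silently dropped attempt, say whether its SYN reached the server."""
    server_seen = classify(server_rows)
    return {k: ("dropped in path" if k not in server_seen else "dropped by host")
            for k, (v, _) in classify(client_rows).items() if v == "filtered"}
```

A "dropped in path" result is what the two captures in this thread show: the SYN leaves the jump server but never appears on the sftp server, which points at the device in between rather than at sshd or a host firewall.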
