
Why is there a port mismatch between the TCP and HTTP headers for port 51006? Also, why does netstat on the server not show any connections under port 51006, even though traffic is coming to this port?

10.5.220.26 is a load balancer. As per usual practice, we get our server 10.5.207.199 added under LB IP 10.5.220.26 under ports 51006 and 44006. It is observed that traffic is coming from source IP 10.5.220.26 and the destination port is 44006 in the TCP header. But there is an entry in the HTTP header showing Host:10.5.220.26:51006, which means 10.5.220.26 is talking to 10.5.207.199 at port 51006. So why is the source port in the TCP packet displayed as 44006? Also, on my server when I do netstat and try to see connections with port 51006, I cannot see any connections. For source IP 10.5.220.26 and destination port 44006 in the TCP header there is an entry Host:10.5.220.26:44006 in the HTTP header, which is fine, as it means the destination port is 44006 and the same is displayed in the HTTP header. When my server 10.5.207.199 is added under port 44006 the connections are, say, X in netstat, and when I get it added under 51006 as well, the number of connections in netstat under 44006 increases to X Y. But no connection is shown under port 51006. Why? Tcpdump rar file link https://drive.google.com/file/d/0B3Vn...

updated 2017-10-31 07:06:11 +0000

Comments

Post your capture file on a public sharing site, e.g. [Cloudshark](https://cloudshark.org), Google Drive, DropBox etc.

grahamb (2017-10-31 08:39:33 +0000)

I tried uploading it on Cloudshark. The size was too large, so I zipped it, but then after uploading it does not recognize the rar file. So now I have uploaded it on Google Drive. Here is the link --> https://drive.google.com/file/d/0B3VnP3xmwL5pUEJiTG9XUWtVNk9IM1Z4SWtnblZRd3Fadktn/view?usp=sharing Please check.

harpreet (2017-10-31 13:04:30 +0000)

Wireshark just decodes and presents in human-readable form what it has found in the data. So when looking e.g. at packet 65, you can also see in its hex dump that the TCP source port (two bytes at offset 0x24 of the frame) is 56817 (=0xddf1) and that the HTTP Host header contains ":51006".

sindy (2017-10-31 13:19:45 +0000)

So neither of the two values is made up by Wireshark. Therefore, you cannot see any connections from port 51006 of the LB, as it really establishes them from 56817. Unfortunately, Wireshark cannot tell you **why** this happens, only **that** this happens.

sindy (2017-10-31 13:22:46 +0000)

My query is why there is a destination port mismatch between the TCP and HTTP headers. It is observed that traffic is coming from source IP 10.5.220.26 and the destination port is 44006 in the TCP header. But there is an entry in the HTTP header showing Host:10.5.220.26:51006, which means 10.5.220.26 is talking to 10.5.207.199 at port 51006.

harpreet (2017-10-31 13:27:22 +0000)

1 Answer


Remember that the Host header is inserted by the CLIENT, so it reflects the server/port the client is attempting to reach.

Most load balancers CAN modify the Host header, but they must usually be configured to do so.

At first glance, your description suggests that the load balancer is accepting conversations on tcp/44006 and tcp/51006 and is NOT modifying the Host header... but only forwarding them to tcp/44006 on the destination system.

So, the conflict you see occurs because the (unmodified Host) header from the original request doesn't reflect the action(s) of the load balancer.

I think you need to talk with your load balancer team and review its configuration for your service. You probably need a load balancer rule that basically says, "forward this conversation to the destination on the port specified in the Host header." That rule can probably be implemented without modifying the Host header... and you don't want to add work to that device unless absolutely necessary.

wesmorgan1
answered 2018-07-30 00:05:34 +0000, updated 2018-07-30 00:10:41 +0000
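As an added example (not code from the page, the answerer, or the capture), here is a small Python check over constructed flow records modelled on the question: LB 10.5.220.26 connects to server 10.5.207.199 on tcp/44006 for both LB-side ports and leaves the client's Host header alone. It pulls the port out of each request's Host header, compares it with the real TCP destination port, and tallies connections per server port the way netstat would; source ports, request paths and the assumption of port 80 as the default for a Host header without a port are all made up for the example.

```python
import re
from collections import Counter

# Constructed sample flows modelled on the question (not from the capture):
# the LB 10.5.220.26 opens every connection to the server on tcp/44006, no
# matter whether the client hit the LB on 44006 or 51006, and forwards the
# client's Host header unchanged. Source ports and paths are made up.
SAMPLE_FLOWS = [
    # (src_ip, src_port, dst_ip, dst_port, raw HTTP request)
    ("10.5.220.26", 56817, "10.5.207.199", 44006,
     b"GET /app HTTP/1.1\r\nHost: 10.5.220.26:51006\r\n\r\n"),
    ("10.5.220.26", 56820, "10.5.207.199", 44006,
     b"GET /app HTTP/1.1\r\nHost: 10.5.220.26:44006\r\n\r\n"),
    ("10.5.220.26", 56821, "10.5.207.199", 44006,
     b"GET /health HTTP/1.0\r\n\r\n"),  # HTTP/1.0, no Host header
]

# Host = uri-host [ ":" port ]; hostname, IPv4 or bracketed IPv6 literal.
HOST_RE = re.compile(
    rb"^Host:[ \t]*(?P<host>\[[^\]]+\]|[^\s:]+)(?::(?P<port>\d+))?[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE)

def host_port(request, default_port=80):
    """Port the client named in the Host header. default_port (assumed 80,
    plain HTTP) if Host has no port; None if there is no Host header."""
    head = request.split(b"\r\n\r\n", 1)[0]
    m = HOST_RE.search(head)
    if m is None:
        return None
    return int(m.group("port")) if m.group("port") else default_port

def find_port_mismatches(flows):
    """Flows whose Host-header port differs from the TCP destination port.
    Returns (src_port, tcp_dst_port, host_port) for each such flow."""
    out = []
    for _src_ip, src_port, _dst_ip, dst_port, request in flows:
        hp = host_port(request)
        if hp is not None and hp != dst_port:
            out.append((src_port, dst_port, hp))
    return out

def connections_by_server_port(flows):
    """What netstat on the server would count: connections per local TCP
    port. The Host header never shows up here, only the real TCP ports."""
    return Counter(dst_port for _, _, _, dst_port, _ in flows)

if __name__ == "__main__":
    for src_port, dst_port, hp in find_port_mismatches(SAMPLE_FLOWS):
        print(f"src {src_port}: TCP dst port {dst_port}, Host header says {hp}")
    print(dict(connections_by_server_port(SAMPLE_FLOWS)))
```

Running it flags only the first flow (Host says 51006, TCP says 44006) and counts all three connections under 44006, which is exactly the "X grows, 51006 stays empty" picture from netstat.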
