Context -
I am making a request from source(IP - x) to target (IP - y)
curl y
intercepting it in wireshark -
x -> y [SYN] , sync request to target
y -> x [SYN, ACK] , target acknowledges client's sync request and also makes a sync request to client, because it also needs to communicate to client
x -> y [ACK] , client acknowledges target's sync request
x -> y HTTP GET [PSH, ACK], client makes HTTP GET request (why send ACK?)
y -> x [ACK] , target acknowledges client's request
y -> x [PSH, ACK] , target pushes the content (and acknowldges previous ACK? which one?)
y -> x HTTP 302 FOUND [FIN, ACK] , target send FIN to finalize and ACK
x -> y [ACK] , client acknowledges target's FIN
x -> y [ACK] , client acknowledges previous ACK? which one?
x -> y [FIN, ACK] , client sends FIN to finalize communication with target and send additional ACK
y -> x [ACK] , server acknowledges client's FIN
I have posted my question with each tcp request/response.
Can someone please explain what those extra ACKs are for?
As Steffen pointed out in comments, Even after handshake, It is recommended that ACK is sent with each packet from client/server.
Related
I am using a simulator. in this simulator when a client sends a tcp syn request to a server and server responds it with RST packet (when the requesting port is close) the same client sends tcp syn retransmission to the same server (and the same port) for four times. i want to know real networks do the same? i mean in real networks if a client sends a tcp syn to a server and recieve RST , do that client sends tcp syn retransmission to that server for four times?
It totally depends on the client implementation. If you program a client to respond to a server's RST with a SYN 4 times, then that's what it will do. It might be that the server is sending an RST because it's detecting a SYN flood (if you keep on sending SYNs unsuccessfully, eventually heuristics will class it as such).
You may want to play with Scapy so you can easily write the client for these kinds of questions.
My testing environment
client
IP 192.168.0.2/24
gateway 192.168.0.1
server
IP 192.168.0.1/24
http service run on port 80
When I try getting web page hosted on server, everything goes fine.
Then I write a kernel module using netfilter on server, which will change dest IP to 192.168.0.1 if the origin dest IP is 192.168.1.1, and will change source IP to 192.168.1.1 if origin source IP is 192.168.0.1. I think you can understand that I'm just pretending the server to be 192.168.1.1 for the client.(IP header Checksum and TCP Checksum are changed properly)
I use the web browser(chrome, firefox...) on client to visit 192.168.1.1 and capture the packets on the client, results are like:
192.168.0.2:someport_1 -> 192.168.1.1:80 [SYN]
192.168.1.1:80 -> 192.168.0.2:someport_1 [SYN, ACK]
192.168.0.2:someport_2 -> 192.168.1.1:80 [SYN]
192.168.1.1:80 -> 192.168.0.2:someport_2 [SYN, ACK]
192.168.0.2:someport_3 -> 192.168.1.1:80 [SYN]
192.168.1.1:80 -> 192.168.0.2:someport_3 [SYN, ACK]
I don't know why the client will never send the last ACK of TCP handshaking, any ideas?
Edit1:
Now I think that the browser didn't get the [SYN, ACK] packet from the server although wireshark can see it, so maybe it's because that the OS(Windows7) dropped the [SYN, ACK] packet from the server. Now the question becomes that why would windows drop a correct [SYN, ACK] packet?
You said the IP checksum is OK, but what about the TCP checksum, which is computed from a pseudo-header which includes source and destination IP ?
I've made three mistakes.
The first one is that skb can be nonlinear, which will cause the checksum got from csum_partial() be incorrect.
The second one is that I use csum_tcpudp_magic() to get the checksum, but forgot to change skb->ip_summed, so the NIC will use my correct checksum as the partial checksum of tcp pseudo-header to recalculate the checksum, leading checksum incorrect in the packet.
The third mistake is that my wireshark seems to be set to ignore the tcp checksum, and it always shows the packets with wrong checksum as good ones, while tcpdump will tell me incorrect checksums.
Please help me decode the following. I have a problem in the network, unable to figure out where it is. Follow is the decode summary we got from the capture by running the OPNET software.
I think Connection 2 is successful, where the client ends with FIN, and connection 1 ends prematurely issuing RST, what could be the reasons..?
Connection 1
Frame Source Destination Decode Summary
480 Server Client D=3590 S=443 FIN ACK=3832271994 SEQ=1338775336 LEN=0 WIN=11088
481 Client Server D=443 S=3590 ACK=1338775337 SEQ=3832271994 LEN=0 WIN=64512
502 Client Server D=443 S=3590 RST ACK=1338775337 SEQ=3832271994 LEN=0 WIN=0
Connection 2
855 Server Client D=3600 S=443 FIN ACK=3778329063 SEQ=3650187663 LEN=0 WIN=26328
856 Client Server D=443 S=3600 ACK=3650187664 SEQ=3778329063 LEN=0 WIN=63297
857 Client Server D=443 S=3600 FIN ACK=3650187664 SEQ=3778329063 LEN=0 WIN=63297
859 Server Client D=3600 S=443 ACK=3778329064 SEQ=3650187664 LEN=0 WIN=26328
In summary the connection endings are,
1 - Server: FIN, Client: RST
2 - Server: FIN, Client: FIN
From the Wikipedia page on TCP:
Some host TCP stacks may implement a half-duplex close sequence, as Linux or HP-UX do. If such a host actively closes a connection but still has not read all the incoming data the stack already received from the link, this host sends a RST instead of a FIN (Section 4.2.2.13 in RFC 1122).
Could it be something like this you are seeing?
I am trying to connect to an http server via IPv6 link-local address from Windows xp sp3 with firefox 6.
Although connecting by IPv4 address of serve worked well, IPv6 failed with connection failed error.
By Wireshark, the sequence is observed as:
direction protocol port transmission
1. client -> server: tcp 1061-> 80 [syn]
2. server -> client: tcp 80->1061 [syn, ack]
3. client -> server: tcp 1061->80 [ack]
4. client -> server: http [get /]
5. server -> client: http [200 OK]
In the 5th transmission, requested html file is included.
But the browser shows connection failed.
It seems tcp layer received the messages and cannot deliver it to http layer or browser.
I disabled firewall, and the result is the same.
Can someone give a clue or hint to pursue.
Thank you.
I suspect that it's not the whole response in packet 5.
Usually problems like this are caused by broken Path MTU Discovery. If there is a tunnel in the path then the MTU is probably smaller than 1500 bytes, i.e. 1480 bytes. All the packes that are smaller than 1480 bytes get through. When the server sends a 1500 byte packet it will be too big for the tunnel. The tunnel router sends back a Packet-too-big ICMP error, and the server sends the data in 1480-byte chunks. If the ICMP error is never generated or a firewall blocks the ICMP packet then the server never learns that it should send smaller packets, it keeps sending large packets, and they never arrive...
Most of the time such problems are caused by misconfiured firewalls. Sometimes it's broken hardware or software.
I have an application that is sending web requests and after some variable period of time we start getting connection timeout errors. Analysis of the TCP/IP packets reveals the following occurring for each connection attempted:
No. Time Source Destination Protocol Info
98635 2011-04-21 10:13:47.192237 172.22.3.250 172.22.3.100 TCP [TCP Port numbers reused] httpx > http-alt [SYN] Seq=0 Win=65535 Len=0 MSS=1460
98639 2011-04-21 10:13:47.192397 172.22.3.100 172.22.3.250 TCP http-alt > httpx [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
98641 2011-04-21 10:13:47.192425 172.22.3.250 172.22.3.100 TCP httpx > http-alt [ACK] Seq=1 Ack=1 Win=65535 Len=0
98646 2011-04-21 10:13:47.192502 172.22.3.250 172.22.3.100 TCP httpx > http-alt [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
Once this happens the client machine must be rebooted to fix the issue. Restarting the client or server application, or rebooting the server have no effect. Comparison of the packet details between working and non-working messages reveal no differences for flags, etc.
Thank you,
Neil
TCP Port numbers reused is a clue. It might be your client is re-using the port numbers of the old connection which is supposed to be closed.
Does your client bind to a static source port? If yes it might be that the clients operating system is rejecting the packets from the server because it thinks they belong to an old connection. The OS is rejecting the packets, that's why only a client reboot solves the problem. (Alternatively try waiting a couple of minutes).
When opening the connection on the client, don't assign a source port.