Re: Odd TCP/IP sequence....

From: Rask Ingemann Lambertsen (rask-linux@kampsax.k-net.dk)
Date: Sun Jun 04 2000 - 17:03:52 EST


Den 04-Jun-00 17:55:18 skrev Rogier Wolff fĝlgende om "Odd sequence....":
>Hi,

>I just caught a TCP dump that looks kind of funny to me:

> 1 16:58:19.895993 bwww.ssh > 14dyn184.61101: . 864:864(0) ack 816
> 2 16:58:19.909331 14dyn184.61101 > bwww.ssh: P 816:836(20) ack 784
> 3 16:58:19.915995 bwww.ssh > 14dyn184.61101: P 784:824(40) ack 816
> 4 16:58:19.929933 14dyn184.61101 > bwww.ssh: . 836:836(0) ack 864
> 5 16:58:20.090871 14dyn184.61101 > bwww.ssh: P 836:856(20) ack 864
> 6 16:58:20.136009 bwww.ssh > 14dyn184.61101: P 864:884(20) ack 836
> 7 16:58:20.149553 14dyn184.61101 > bwww.ssh: . 856:856(0) ack 884
> 8 16:58:20.155974 bwww.ssh > 14dyn184.61101: P 884:904(20) ack 836
> 9 16:58:20.169551 14dyn184.61101 > bwww.ssh: . 856:856(0) ack 904
>10 16:58:20.315990 bwww.ssh > 14dyn184.61101: . 904:904(0) ack 856
>11 16:58:20.316002 bwww.ssh > 14dyn184.61101: P 904:924(20) ack 856
>12 16:58:20.329548 14dyn184.61101 > bwww.ssh: . 856:856(0) ack 924
>13 16:58:40.477658 14dyn184.61101 > bwww.ssh: P 856:876(20) ack 924
>14 16:58:40.744978 bwww.ssh > 14dyn184.61101: . 1696:1696(0) ack 876
>15 16:59:19.536500 14dyn184.61101 > bwww.ssh: P 876:896(20) ack 924
>16 16:59:19.803107 bwww.ssh > 14dyn184.61101: . 1696:1696(0) ack 896

>(all packets had win 32120 (DF) [tos 0x10], which is not show above).

>If I'm not mistaken, packet 4, is the one that messes things up:
>it acknowledges 40 bytes it hasn't recieved.

   No, packet 3 is a retransmission of bytes 784:824. If you look at packet
1, you will see that bytes 824:864 had already been transmitted from bwww.
Packet 2 tells you (and bwww) that bytes 784:824 had not been received by
14dyn184. Thus they were retransmittet in packet 3. In packet 4, 14dyn184
tells bwww that it has now received all bytes upto (but not including)
byte 864.

Regards,

/ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻTŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ\
| Rask Ingemann Lambertsen | E-mail: mailto:rask@kampsax.dtu.dk |
| Please do NOT Cc: to me or the | WWW: http://www.gbar.dtu.dk/~c948374/ |
| mailing list. I am on the list.| "ThrustMe" on XPilot, ARCnet and IRC |
| Encryption: Encoding technique used in Computer Manuals. |

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu



This archive was generated by hypermail 2b29 : Wed Jun 07 2000 - 21:00:33 EST