Need help to interpret 9 Wireshark frames

Below is a short 9-frame Wireshark capture between 2 servers separated by a firewall.  The capture has been exported to the text list shown below.  I need to understand what is being said.  IPs have been sanitized.

This came about due to this error message being displayed by the web application:
"No connection could be made because the target machine actively refused it 198.15.29.151:12801"

Question 1:
Does this conversation prove the firewall is not blocking the communication?

Question 2:
What does this conversation mean?



No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 1 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f17 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)

No.     Time        Source                Destination           Protocol Info
      2 0.000004    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 2 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5017 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)

No.     Time        Source                Destination           Protocol Info
      3 0.000051    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8

Frame 3 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
Internet Protocol, Src: 198.15.29.131 (198.15.29.131), Dst: 10.10.120.146 (10.10.120.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5017 [correct]
    Source: 198.15.29.131 (198.15.29.131)
    Destination: 10.10.120.146 (10.10.120.146)
Transmission Control Protocol, Src Port: 12801 (12801), Dst Port: 7971 (7971), Seq: 1, Ack: 1, Len: 0
    Source port: 12801 (12801)
    Destination port: 7971 (7971)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2097152 (scaled)
    Checksum: 0x81fb [correct]
    Options: (12 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 1]
        [The RTT to ACK the segment was: 0.000051000 seconds]

No.     Time        Source                Destination           Protocol Info
      4 0.506114    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 4 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afd (15101)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f16 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3]
        [The RTT to ACK the segment was: 0.506063000 seconds]

No.     Time        Source                Destination           Protocol Info
      5 0.506162    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 5 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afd (15101)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)

No.     Time        Source                Destination           Protocol Info
      6 0.506497    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8

Frame 6 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
Internet Protocol, Src: 198.15.29.131 (198.15.29.131), Dst: 10.10.120.146 (10.10.120.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afd (15101)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 198.15.29.131 (198.15.29.131)
    Destination: 10.10.120.146 (10.10.120.146)
Transmission Control Protocol, Src Port: 12801 (12801), Dst Port: 7971 (7971), Seq: 1, Ack: 1, Len: 0
    Source port: 12801 (12801)
    Destination port: 7971 (7971)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2097152 (scaled)
    Checksum: 0x81fb [correct]
    Options: (12 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 4]
        [The RTT to ACK the segment was: 0.000383000 seconds]

No.     Time        Source                Destination           Protocol Info
      7 1.022012    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460

Frame 7 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3b01 (15105)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f16 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x961d [correct]
    Options: (8 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 6]
        [The RTT to ACK the segment was: 0.515515000 seconds]

No.     Time        Source                Destination           Protocol Info
      8 1.022016    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460

Frame 8 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3b01 (15105)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x961d [correct]
    Options: (8 bytes)

No.     Time        Source                Destination           Protocol Info
      9 1.022070    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460

Frame 9 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
Internet Protocol, Src: 198.15.29.131 (198.15.29.131), Dst: 10.10.120.146 (10.10.120.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3b01 (15105)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 198.15.29.131 (198.15.29.131)
    Destination: 10.10.120.146 (10.10.120.146)
Transmission Control Protocol, Src Port: 12801 (12801), Dst Port: 7971 (7971), Seq: 1, Ack: 1, Len: 0
    Source port: 12801 (12801)
    Destination port: 7971 (7971)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2097152 (scaled)
    Checksum: 0x960a [correct]
    Options: (8 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 7]
        [The RTT to ACK the segment was: 0.000058000 seconds]
dalva Asked:

Semper Phi (Systems Integrator) Commented:
TCP 3-way handshake not being completed, resulting in TCP reset.  Possible authentication error (best guess).
0
dalva (Author) Commented:
Any clues as to why the handshake is not being completed?
0
dalva (Author) Commented:
Do you mean authentication between the servers?  Can we rule out the firewall as being a suspect?
0
giltjr Commented:
All we need is this:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      2 0.000004    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      3 0.000051    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
      4 0.506114    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      5 0.506162    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      6 0.506497    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
      7 1.022012    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
      8 1.022016    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
      9 1.022070    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460

10.10.120.146 is sending the SYN and there is no response shown coming back.
198.15.29.131 is sending a RST, which indicates that it did receive the SYN and sent a SYN,ACK.

Since we never see the SYN,ACK coming from 198.15.29.131, we can only assume that for some reason something is blocking/dropping that.  Which is strange because it is allowing the RST through.

If possible you may want to do a packet capture from 198.15.29.131, but I would check all firewalls between the two hosts.
0
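
Added example (not part of the original thread or any poster's code): a small parser for the Wireshark text-export format shown in the question that pairs each RST with the SYN copies captured before it and reports the header fields worth comparing when asking where a reset originated. The input is frames 1-3 trimmed from the capture above; the function and key names are assumptions of this example.

```python
import re

# Frames 1-3 from the capture above, trimmed to the lines this parser reads.
EXPORT = """\
      1 0.000000    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
    Identification: 0x3afc (15100)
    Time to live: 128
      2 0.000004    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
    Identification: 0x3afc (15100)
    Time to live: 127
      3 0.000051    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
    Identification: 0x3afc (15100)
    Time to live: 127
"""

SUMMARY = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+TCP\s+\d+ > \d+ \[([^\]]+)\]")
DETAIL = {  # per-frame detail lines -> key stored on the current frame
    "src_mac": re.compile(r"^Ethernet II, Src: \S+ \(([0-9a-f:]+)\)"),
    "ipid": re.compile(r"^\s+Identification: (0x[0-9a-f]+)"),
    "ttl": re.compile(r"^\s+Time to live: (\d+)"),
}

def parse_export(text):
    """Turn a Wireshark text export into one dict per frame."""
    frames = []
    for line in text.splitlines():
        m = SUMMARY.match(line)
        if m:  # summary line starts a new frame
            frames.append({"no": int(m[1]), "time": float(m[2]), "flags": m[5]})
            continue
        for key, rx in DETAIL.items():
            m = rx.match(line)
            if m and frames:
                frames[-1][key] = m[1]
    return frames

def reset_attempts(frames):
    """Pair each RST with the SYN copies captured before it."""
    attempts, syns = [], []
    for f in frames:
        if f["flags"] == "SYN":
            syns.append(f)
        elif "RST" in f["flags"] and syns:
            fwd = syns[-1]  # last SYN copy seen before the reset
            attempts.append({
                "syn_frames": [s["no"] for s in syns],
                "syn_src_macs": [s["src_mac"] for s in syns],  # one per capture hop
                "syn_ttls": [int(s["ttl"]) for s in syns],
                "rst_delay_us": round((f["time"] - fwd["time"]) * 1e6),
                "rst_ipid_equals_syn": f["ipid"] == fwd["ipid"],
            })
            syns = []
    return attempts

if __name__ == "__main__":
    print(reset_attempts(parse_export(EXPORT)))
```

On frames 1-3 this reports the same SYN captured with two source MACs (TTL 128, then 127) and a RST 47 microseconds after the second copy that carries the SYN's IP Identification, 0x3afc. IP Identification is set by whichever device builds the packet, so it is a useful field to compare against the capture from 198.15.29.131 that the answer above recommends.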

dalva (Author) Commented:
Working on doing packet captures from both sides of firewall.  Will post results later this week.
0