Solved

Need help to interpret 9 Wireshark frames

Posted on 2014-08-26
Last Modified: 2015-10-05
Below is a short 9-frame Wireshark capture between 2 servers separated by a firewall.  The capture has been exported to the text list shown below.  I need to understand what is being said.  IPs have been sanitized.

This came about due to this error message being displayed by the web application:
"No connection could be made because the target machine actively refused it 198.15.29.151:12801"

Question 1:
Does this conversation prove the firewall is not blocking the communication?

Question 2:
What does this conversation mean?



No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 1 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f17 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)

No.     Time        Source                Destination           Protocol Info
      2 0.000004    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 2 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5017 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)

No.     Time        Source                Destination           Protocol Info
      3 0.000051    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8

Frame 3 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
Internet Protocol, Src: 198.15.29.131 (198.15.29.131), Dst: 10.10.120.146 (10.10.120.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afc (15100)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5017 [correct]
    Source: 198.15.29.131 (198.15.29.131)
    Destination: 10.10.120.146 (10.10.120.146)
Transmission Control Protocol, Src Port: 12801 (12801), Dst Port: 7971 (7971), Seq: 1, Ack: 1, Len: 0
    Source port: 12801 (12801)
    Destination port: 7971 (7971)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2097152 (scaled)
    Checksum: 0x81fb [correct]
    Options: (12 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 1]
        [The RTT to ACK the segment was: 0.000051000 seconds]

No.     Time        Source                Destination           Protocol Info
      4 0.506114    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 4 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afd (15101)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f16 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 3]
        [The RTT to ACK the segment was: 0.506063000 seconds]

No.     Time        Source                Destination           Protocol Info
      5 0.506162    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8

Frame 5 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afd (15101)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 32 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x820e [correct]
    Options: (12 bytes)

No.     Time        Source                Destination           Protocol Info
      6 0.506497    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8

Frame 6 (66 bytes on wire, 66 bytes captured)
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
Internet Protocol, Src: 198.15.29.131 (198.15.29.131), Dst: 10.10.120.146 (10.10.120.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 52
    Identification: 0x3afd (15101)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 198.15.29.131 (198.15.29.131)
    Destination: 10.10.120.146 (10.10.120.146)
Transmission Control Protocol, Src Port: 12801 (12801), Dst Port: 7971 (7971), Seq: 1, Ack: 1, Len: 0
    Source port: 12801 (12801)
    Destination port: 7971 (7971)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2097152 (scaled)
    Checksum: 0x81fb [correct]
    Options: (12 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 4]
        [The RTT to ACK the segment was: 0.000383000 seconds]

No.     Time        Source                Destination           Protocol Info
      7 1.022012    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460

Frame 7 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Vmware_9c:00:16 (00:50:56:9c:00:16), Dst: Cisco_24:08:00 (00:19:a9:24:08:00)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3b01 (15105)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x4f16 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x961d [correct]
    Options: (8 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 6]
        [The RTT to ACK the segment was: 0.515515000 seconds]

No.     Time        Source                Destination           Protocol Info
      8 1.022016    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460

Frame 8 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Cisco_24:08:00 (00:19:a9:24:08:00), Dst: Cisco_38:a5:57 (00:0a:8a:38:a5:57)
Internet Protocol, Src: 10.10.120.146 (10.10.120.146), Dst: 198.15.29.131 (198.15.29.131)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3b01 (15105)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 10.10.120.146 (10.10.120.146)
    Destination: 198.15.29.131 (198.15.29.131)
Transmission Control Protocol, Src Port: 7971 (7971), Dst Port: 12801 (12801), Seq: 0, Len: 0
    Source port: 7971 (7971)
    Destination port: 12801 (12801)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 8192
    Checksum: 0x961d [correct]
    Options: (8 bytes)

No.     Time        Source                Destination           Protocol Info
      9 1.022070    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460

Frame 9 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Cisco_38:a5:57 (00:0a:8a:38:a5:57), Dst: Vmware_9c:00:16 (00:50:56:9c:00:16)
Internet Protocol, Src: 198.15.29.131 (198.15.29.131), Dst: 10.10.120.146 (10.10.120.146)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x3b01 (15105)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0x5016 [correct]
    Source: 198.15.29.131 (198.15.29.131)
    Destination: 10.10.120.146 (10.10.120.146)
Transmission Control Protocol, Src Port: 12801 (12801), Dst Port: 7971 (7971), Seq: 1, Ack: 1, Len: 0
    Source port: 12801 (12801)
    Destination port: 7971 (7971)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x14 (RST, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 0... = Push: Not set
        .... .1.. = Reset: Set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 2097152 (scaled)
    Checksum: 0x960a [correct]
    Options: (8 bytes)
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 7]
        [The RTT to ACK the segment was: 0.000058000 seconds]
Question by:dalva
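A check that can be run locally before reading the answers, as an added example that is not part of the original post: the script below reproduces on loopback the two outcomes a TCP client can tell apart without a capture. A port with a listener completes the handshake; a port with no listener answers the SYN with a RST, which Python surfaces as ConnectionRefusedError and Winsock reports as error 10061, the "No connection could be made because the target machine actively refused it" text quoted above. The third outcome, a SYN silently dropped by a firewall, shows up as a timeout; probe() handles it but the demo does not exercise it, since that needs a real filtering device in the path. The host and port are chosen by the script (port 0 lets the OS pick a free ephemeral port), so nothing here touches the poster's addresses.

```python
"""Map what a TCP client sees on connect() to what a capture would show.

Added example for this thread, not code from the original post.  Runs only
against loopback, so it is safe to execute anywhere.
"""
import errno
import socket


def probe(host, port, timeout=2.0):
    """Return 'open', 'refused' or 'filtered' for host:port.

    open      SYN answered with SYN/ACK, handshake completes
    refused   SYN answered with RST: the packet reached the host and nothing
              is listening on that port (POSIX ECONNREFUSED, Winsock 10061)
    filtered  SYN never answered: dropped in transit (typical firewall deny)
              or host down; the client retransmits, then gives up
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as e:
        # Some platforms surface the refusal as a generic OSError.
        if e.errno == errno.ECONNREFUSED:
            return "refused"
        raise
    finally:
        s.close()


def demo(host="127.0.0.1"):
    """Probe an ephemeral port while a listener is bound, then after it closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: the OS picks a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_listening = probe(host, port)   # handshake completes via backlog
    finally:
        srv.close()                           # nothing listens on `port` now
    after_close = probe(host, port)           # same port, SYN now gets a RST
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())  # ('open', 'refused')
```

The point of the exercise: "actively refused" is the client's name for the RST reply, not for a dropped packet. A firewall that denies traffic normally produces the third outcome, a timeout, because it drops the SYN rather than answering it.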
5 Comments
LVL 5

Assisted Solution

by:SemperPhi
SemperPhi earned 1000 total points
ID: 40285974
TCP 3-way handshake not being completed, resulting in TCP reset. Possible authentication error (best guess).
LVL 1

Author Comment

by:dalva
ID: 40286009
Any clues as to why handshake not being completed?
LVL 1

Author Comment

by:dalva
ID: 40286019
Do you mean authentication between the servers?  Can we rule out the firewall as being a suspect?
LVL 57

Accepted Solution

by: giltjr
giltjr earned 1000 total points
ID: 40286246
All we need is this:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      2 0.000004    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      3 0.000051    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
      4 0.506114    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      5 0.506162    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      6 0.506497    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
      7 1.022012    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
      8 1.022016    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
      9 1.022070    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460

10.10.120.146 is sending the SYN and there is no response shown coming back.
198.15.29.131 is sending a RST, which indicates that it did receive the SYN and sent a SYN,ACK.

Since we never see the SYN,ACK coming from 198.15.29.131, we can only assume that for some reason something is blocking/dropping it, which is strange because it is allowing the RST through.

If possible you may want to do a packet capture from 198.15.29.131, but I would check all firewalls between the two hosts.
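To make the reading of the summary mechanical, an added example that is not part of the original thread or of either answer: the script below parses Wireshark's one-line packet summary (the "No. Time Source Destination Protocol Info" list quoted above, pasted in as constructed input), groups segments by client/server 4-tuple and labels each attempt by the standard TCP semantics. A SYN answered with SYN/ACK is an open port; a SYN answered with RST is the RFC 793 reply for a port with no listener, and it is the event Winsock reports to the application as error 10061, the "target machine actively refused it" message in the question; a SYN with no reply at all is what a firewall drop looks like. Two things in the detail view above are worth checking against this: each SYN appears twice (frames 1/2, 4/5, 7/8) with the second copy carrying TTL 127 and a Cisco source MAC, i.e. the same packet seen again after a routed hop, so the SYN did leave the first segment; and the three attempts spaced about 0.5 s apart, each answered with a RST, are consistent with a Windows client (TTL 128) retrying the SYN a few times after a RST before reporting 10061. The regex accepts both the ">" separator in this Wireshark version and the "→" newer versions print.

```python
"""Label each TCP connection attempt in a Wireshark packet-summary export.

Added example for this thread, not from the original post or either answer.
Input is the one-line-per-frame "No. Time Source Destination Protocol Info"
list (File > Export Packet Dissections > As Plain Text, summary line only).
"""
import re

# Constructed input: the nine summary lines quoted in the accepted answer,
# copied verbatim, with the poster's sanitized IPs.
CAPTURE = """\
      1 0.000000    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      2 0.000004    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      3 0.000051    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
      4 0.506114    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      5 0.506162    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
      6 0.506497    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460 WS=8
      7 1.022012    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
      8 1.022016    10.10.120.146         198.15.29.131         TCP      7971 > 12801 [SYN] Seq=0 Win=8192 Len=0 MSS=1460
      9 1.022070    198.15.29.131         10.10.120.146         TCP      12801 > 7971 [RST, ACK] Seq=1 Ack=1 Win=2097152 Len=0 MSS=1460
"""

# Older Wireshark prints "7971 > 12801"; newer versions print "7971 → 12801".
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)\s*(?:>|\u2192)\s*(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]"
)


def parse_summary(text):
    """Return one dict per TCP summary line; lines that do not match are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            frames.append({
                "no": int(d["no"]), "time": float(d["time"]),
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "flags": {f.strip() for f in d["flags"].split(",")},
            })
    return frames


def classify(frames):
    """Group by (client, cport, server, sport) and judge each attempt.

    open      SYN answered with SYN/ACK: something is listening
    refused   SYN answered with RST (RFC 793 closed-port reply): the SYN
              reached the host, nothing listens on that port; Winsock
              reports this as 10061 "target machine actively refused it"
    filtered  SYN never answered: dropped in transit (typical firewall deny)
              or the host is down
    """
    conns = {}
    for f in frames:
        if f["flags"] == {"SYN"}:
            key = (f["src"], f["sport"], f["dst"], f["dport"])
            conns.setdefault(key, {"syn": 0, "synack": 0, "rst": 0})["syn"] += 1
            continue
        # Any other segment is matched as a reply to a SYN already seen;
        # the same packet captured twice simply counts twice.
        key = (f["dst"], f["dport"], f["src"], f["sport"])
        if key not in conns:
            continue
        if {"SYN", "ACK"} <= f["flags"]:
            conns[key]["synack"] += 1
        elif "RST" in f["flags"]:
            conns[key]["rst"] += 1
    verdicts = {}
    for key, c in conns.items():
        verdict = "open" if c["synack"] else "refused" if c["rst"] else "filtered"
        verdicts[key] = (verdict, c)
    return verdicts


def report(text):
    """One human-readable line per attempt."""
    out = []
    for (cip, cp, sip, sp), (verdict, c) in classify(parse_summary(text)).items():
        out.append(f"{cip}:{cp} -> {sip}:{sp}: {verdict} "
                   f"(SYN lines={c['syn']}, SYN/ACK={c['synack']}, RST={c['rst']})")
    return out


if __name__ == "__main__":
    print("\n".join(report(CAPTURE)))
```

Run against the nine lines above it reports the single attempt 10.10.120.146:7971 -> 198.15.29.131:12801 as refused, with six SYN lines and three RSTs and no SYN/ACK. What the summary cannot tell you is who sent the RST: a firewall configured to reject rather than drop can forge one with the server's address, which is why the accepted answer's suggestion to capture on the 198.15.29.131 side is the right next step. If that capture shows the SYN arriving and the host itself sending the RST, the firewall is passing the traffic and the problem is that nothing is listening on 12801.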
LVL 1

Author Comment

by:dalva
ID: 40298598
Working on doing packet captures from both sides of firewall.  Will post results later this week.
