Interesting Traces - FTP aware NAT can't count



The following is a slightly modified packet_monitor (Stratus VOS) trace showing an FTP control session. Note that in packet 1, 24 bytes are transmitted to the FTP control port from port 14746 (the transmitter is the system that the trace was taken on). The sequence number is 13f0c734. The ACK that is sent back is also for sequence number 13f0c734. The transmitter retransmits and again gets an ACK back for the same sequence number. This pattern went on for several days before the process was terminated.

On the face of things it looks like the packet is being dropped or corrupted, but if that is the case, what is triggering the ACK to be sent back? So is the FTP server (also VOS) broken and just repeatedly ACKing the same byte?

11:45:45.208 Xmit IP   Ver/HL 45, ToS  0, Len   40, ID eb8a, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  3ffc, Src 0a410128, Dst 0ac83d01
TCP from 10.65.1.40.14746 to 10.200.61.1.ftp
    seq  13f0c734, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.


11:45:45.424 Rcvd IP   Ver/HL 45, ToS  0, Len   28, ID bc51, Flg/Frg    0, TTL 3d,  Prtl  6
          Cksum  6e4d, Src 0ac83d01, Dst 0a410128
TCP from 10.200.61.1.ftp to 10.65.1.40.14746
    seq  3622cec2, ack 13f0c734, window 2ccc, 0. data bytes, flags Ack.


11:45:46.148 Xmit IP   Ver/HL 45, ToS  0, Len   40, ID ebcf, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  3fb7, Src 0a410128, Dst 0ac83d01
TCP from 10.65.1.40.14746 to 10.200.61.1.ftp
    seq  13f0c734, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.


11:45:46.371 Rcvd IP   Ver/HL 45, ToS  0, Len   28, ID bc74, Flg/Frg    0, TTL 3d,  Prtl  6
          Cksum  6e2a, Src 0ac83d01, Dst 0a410128
TCP from 10.200.61.1.ftp to 10.65.1.40.14746
    seq  3622cec2, ack 13f0c734, window 2ccc, 0. data bytes, flags Ack.


11:45:47.087 Xmit IP   Ver/HL 45, ToS  0, Len   40, ID ec37, Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  3f4f, Src 0a410128, Dst 0ac83d01
TCP from 10.65.1.40.14746 to 10.200.61.1.ftp
    seq  13f0c734, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.


11:45:47.298 Rcvd IP   Ver/HL 45, ToS  0, Len   28, ID bd16, Flg/Frg    0, TTL 3d,  Prtl  6
          Cksum  6d88, Src 0ac83d01, Dst 0a410128
TCP from 10.200.61.1.ftp to 10.65.1.40.14746
    seq  3622cec2, ack 13f0c734, window 2ccc, 0. data bytes, flags Ack.
     
               . . . . . . . . . . . . . . . . . . . . .
This trace was taken on the server. Unfortunately the time frame is slightly different, but since the pattern repeated for 2 days I don't think it is significant. The first thing you notice is that the IP addresses are different, so obviously the connection is going through at least one NAT device. You will also notice that the sequence number from the transmitter is different. This is because FTP-aware NAT devices must rewrite the client sequence numbers: the IP addresses embedded in the FTP control packets must be changed, and the rewritten address text can differ in length from the original.

Note that the received sequence number is 3e685899 while the transmitted ACK is for sequence number 3e685898. The FTP server appears to be missing a byte, 3e685898, and is repeatedly asking for it, while the client just continues to send a packet starting at byte 3e685899. In this case it looks like the client is in error.

14:07:18.240 Rcvd IP   Ver/HL 45, ToS  0, Len   40, ID f452, Flg/Frg    0, TTL 38,  Prtl  6
          Cksum  14e6, Src ac11104b, Dst ac111112
TCP from 172.17.16.75.14746 to 172.17.17.18.ftp
    seq  3e685899, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.


14:07:18.240 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID 7ad7, Flg/Frg    0, TTL 40,  Prtl  6
          Cksum  8679, Src ac111112, Dst ac11104b
TCP from 172.17.17.18.ftp to 172.17.16.75.14746
    seq  3622cec2, ack 3e685898, window 2ccc, 0. data bytes, flags Ack.


14:07:19.226 Rcvd IP   Ver/HL 45, ToS  0, Len   40, ID f472, Flg/Frg    0, TTL 38,  Prtl  6
          Cksum  14c6, Src ac11104b, Dst ac111112
TCP from 172.17.16.75.14746 to 172.17.17.18.ftp
    seq  3e685899, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.


14:07:19.226 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID 7aed, Flg/Frg    0, TTL 40,  Prtl  6
          Cksum  8663, Src ac111112, Dst ac11104b
TCP from 172.17.17.18.ftp to 172.17.16.75.14746
    seq  3622cec2, ack 3e685898, window 2ccc, 0. data bytes, flags Ack.


14:07:20.205 Rcvd IP   Ver/HL 45, ToS  0, Len   40, ID f4b0, Flg/Frg    0, TTL 38,  Prtl  6
          Cksum  1488, Src ac11104b, Dst ac111112
TCP from 172.17.16.75.14746 to 172.17.17.18.ftp
    seq  3e685899, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.


14:07:20.205 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID 7b03, Flg/Frg    0, TTL 40,  Prtl  6
          Cksum  864d, Src ac111112, Dst ac11104b
TCP from 172.17.17.18.ftp to 172.17.16.75.14746
    seq  3622cec2, ack 3e685898, window 2ccc, 0. data bytes, flags Ack.

               . . . . . . . . . . . . . . . . . . . . .
In reality, the NAT server somehow lost track of a byte, so that its translation between the sequence numbers that it receives from the client and sends to the server is off.
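The comparison behind that conclusion can be done mechanically. The Python below is an added example, not part of the original page: it parses one data/ACK pair from each trace above and compares the offset the NAT adds to the client's sequence number with the offset it removes from the server's ACK. The function names are assumptions, and it relies on both captures showing the same stalled segment.

```python
import re

# One data/ACK pair copied from each capture on this page.
CLIENT_TRACE = """\
TCP from 10.65.1.40.14746 to 10.200.61.1.ftp
    seq  13f0c734, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.
TCP from 10.200.61.1.ftp to 10.65.1.40.14746
    seq  3622cec2, ack 13f0c734, window 2ccc, 0. data bytes, flags Ack.
"""
SERVER_TRACE = """\
TCP from 172.17.16.75.14746 to 172.17.17.18.ftp
    seq  3e685899, ack 3622cec2, window 8000, 24. data bytes, flags Push Ack.
TCP from 172.17.17.18.ftp to 172.17.16.75.14746
    seq  3622cec2, ack 3e685898, window 2ccc, 0. data bytes, flags Ack.
"""

# The TCP summary spans two lines; \s+ crosses the line break.
SEG = re.compile(r"TCP from (\S+) to (\S+)\s+seq\s+([0-9a-f]+), ack\s+([0-9a-f]+), "
                 r"window\s+[0-9a-f]+,\s+(\d+)\. data bytes")
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def parse(trace):
    """Return (src, dst, seq, ack, data_len) for every TCP segment in the trace."""
    return [(s, d, int(q, 16), int(a, 16), int(n))
            for s, d, q, a, n in SEG.findall(trace)]

def stalled(trace):
    """Return (data_seq, peer_ack, gap) for the data segment and the ACK answering it.
    gap is how many bytes before data_seq the receiver is still asking for."""
    segs = parse(trace)
    data = next(s for s in segs if s[4] > 0)
    reply = next(s for s in segs if s[4] == 0 and s[0] == data[1])
    return data[2], reply[3], (data[2] - reply[3]) % MOD

def nat_offsets(client_trace, server_trace):
    """Return (forward, reverse): the offset applied to the client's seq on the
    way to the server, and to the server's ack on the way back to the client."""
    c_seq, c_ack, _ = stalled(client_trace)
    s_seq, s_ack, _ = stalled(server_trace)
    return (s_seq - c_seq) % MOD, (s_ack - c_ack) % MOD

if __name__ == "__main__":
    fwd, rev = nat_offsets(CLIENT_TRACE, SERVER_TRACE)
    print(f"forward {fwd:08x}, reverse {rev:08x}, mismatch {(fwd - rev) % MOD} byte(s)")
```

A healthy translator yields identical forward and reverse offsets; here they differ by one byte, which is why each endpoint looks correct from its own side of the NAT.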



This page was last modified on 03-06-05
Send comments and suggestions to ndav1@cox.net