Interesting Traces - Firewall Reset #2



This is also a firewall reset issue, although the timing is much faster than the default 2 hours. What makes this trace interesting is that when a series of retransmissions goes unanswered it is normally the sender that gives up and resets the connection. Here the reset comes from the receiver, or at any rate from the receiver's IP address.
No.  Time        Source      Destination  Protocol  Info
62   *REF*       10.3.6.1    172.5.1.7    TCP       1025 > 2000 [P, A] S=8931 A=880 W=13936 L=103
63   0.120148    172.5.1.7   10.3.6.1     TCP       2000 > 1025 [P, A] S=880 A=9034 W=48650 L=95
64   0.153481    10.3.6.1    172.5.1.7    TCP       1025 > 2000 [P, A] S=9034 A=975 W=13936 L=103
65   0.268738    172.5.1.7   10.3.6.1     TCP       2000 > 1025 [A] S=975 A=9137 W=48547 L=0
66   10.047084   10.3.6.1    172.5.1.7    TCP       1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
67   10.352306   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
68   10.962234   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
69   12.182135   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
70   14.660109   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
71   19.540145   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
72   29.298048   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
73   48.815076   10.3.6.1    172.5.1.7    TCP       [TCP Retransmission] 1025 > 2000 [P, A] S=9137 A=975 W=13936 L=103
74   48.815561   172.5.1.7   10.3.6.1     TCP       2000 > 1025 [RST, A] S=975 A=9137 W=13936 L=0

How do I know that this is a firewall and not the real 172.5.1.7? The time to live is different: 59 in frames 63 and 65 but 62 in the reset (frame 74), so the reset was generated three hops closer to the capture point than the real host's packets. The IP ID values are also telling: frames 63 and 65 carry 22386 and 22387, consecutive as you would expect from one host's counter, while frame 74 carries 50590. Two smaller details point the same way: frames 63 and 65 have Don't Fragment set and frame 74 does not, and the reset advertises a window of 13936, the value 10.3.6.1 had been advertising, rather than the 48547 of 172.5.1.7's own last packet. No single one of these is conclusive on its own (a route change can shift the TTL, and some stacks randomize or do not increment the IP ID), but together they point to a device in the path, not the end host, sourcing the RST. Note also that the reset carries exactly the sequence and acknowledgement numbers of frame 65, so whatever sent it was tracking the connection's state rather than guessing.

Frame 63 (149 bytes on wire, 149 bytes captured)
Ethernet II, Src: Cisco_AA:BB:CC, Dst: Nec_DD:EE:FF
Internet Protocol, Src: 172.5.1.7 (172.5.1.7), Dst: 10.3.6.1 (10.3.6.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 135
    Identification: 0x5772 (22386)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (0x06)
    Header checksum: 0x0d23 [correct]
    Source: 172.5.1.7 (172.5.1.7)
    Destination: 10.3.6.1 (10.3.6.1)
Transmission Control Protocol, Src Port: 2000, Dst Port: 1025, Seq: 880, Ack: 9034, Len: 95              


Frame 65 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_AA:BB:CC, Dst: Nec_DD:EE:FF
Internet Protocol, Src: 172.5.1.7 (172.5.1.7), Dst: 10.3.6.1 (10.3.6.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x5773 (22387)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 59
    Protocol: TCP (0x06)
    Header checksum: 0x0d81 [correct]
    Source: 172.5.1.7 (172.5.1.7)
    Destination: 10.3.6.1 (10.3.6.1)
Transmission Control Protocol, Src Port: 2000, Dst Port: 1025, Seq: 975, Ack: 9137, Len: 0


Frame 74 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Cisco_AA:BB:CC, Dst: Nec_DD:EE:FF
Internet Protocol, Src: 172.5.1.7 (172.5.1.7), Dst: 10.3.6.1 (10.3.6.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0xc59e (50590)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 62
    Protocol: TCP (0x06)
    Header checksum: 0xdc55 [correct]
    Source: 172.5.1.7 (172.5.1.7)
    Destination: 10.3.6.1 (10.3.6.1)
Transmission Control Protocol, Src Port: 2000, Dst Port: 1025, Seq: 975, Ack: 9137, Len: 0
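The comparison made by hand above (TTL, IP ID, DF bit and window of the reset against earlier packets from the same endpoint) can be applied automatically to a whole capture. The script below is an added example and not part of the original page; the packet list is constructed from the summary lines, with the TTL, IP ID and DF values for frames 63, 65 and 74 taken from the decodes above and the same fields for the 10.3.6.1 frames assumed, since the page does not decode them.

```python
"""Flag TCP resets whose IP header disagrees with what the same endpoint
sent earlier in the connection: the TTL / IP ID / DF / window comparison
made by hand above, applied automatically to a packet list."""
from dataclasses import dataclass


@dataclass
class Pkt:
    frame: int
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flag letters, e.g. "PA", "A", "RA"
    ttl: int
    ip_id: int
    df: bool     # IP Don't Fragment bit
    win: int     # advertised TCP window


# Constructed from the trace on the page. TTL, IP ID and DF for frames 63, 65
# and 74 come from the decodes; the same fields for the 10.3.6.1 frames are
# NOT on the page and are assumed values, chosen to look like one host's
# ordinary counter.
TRACE = [
    Pkt(62, "10.3.6.1", "172.5.1.7", 1025, 2000, "PA", 126, 4101, True, 13936),
    Pkt(63, "172.5.1.7", "10.3.6.1", 2000, 1025, "PA", 59, 22386, True, 48650),
    Pkt(64, "10.3.6.1", "172.5.1.7", 1025, 2000, "PA", 126, 4102, True, 13936),
    Pkt(65, "172.5.1.7", "10.3.6.1", 2000, 1025, "A", 59, 22387, True, 48547),
    Pkt(66, "10.3.6.1", "172.5.1.7", 1025, 2000, "PA", 126, 4103, True, 13936),
    Pkt(73, "10.3.6.1", "172.5.1.7", 1025, 2000, "PA", 126, 4110, True, 13936),
    Pkt(74, "172.5.1.7", "10.3.6.1", 2000, 1025, "RA", 62, 50590, False, 13936),
]


def flow_key(p):
    return (p.src, p.dst, p.sport, p.dport)


def reverse_key(p):
    return (p.dst, p.src, p.dport, p.sport)


def suspect_resets(packets, max_id_gap=2048):
    """Return {frame: [reasons]} for every RST whose IP header does not look
    like the earlier packets from the same source/port in the same flow.
    Each reason is an independent signal; any one alone is weak evidence."""
    findings = {}
    history = {}    # flow key -> earlier non-RST packets from that side
    last_win = {}   # flow key -> window most recently advertised by that side
    for p in packets:
        k = flow_key(p)
        if "R" in p.flags:
            reasons = []
            prior = history.get(k, [])
            if prior:
                ttls = {q.ttl for q in prior}
                if p.ttl not in ttls:
                    reasons.append(f"ttl {p.ttl}, earlier packets used {sorted(ttls)}")
                last_id = prior[-1].ip_id
                gap = (p.ip_id - last_id) % 65536   # the 16-bit counter wraps
                if gap > max_id_gap:
                    reasons.append(f"ip id {p.ip_id} jumps {gap} from {last_id}")
                if all(q.df for q in prior) and not p.df:
                    reasons.append("DF cleared, earlier packets all set it")
            peer = last_win.get(reverse_key(p))
            if peer is not None and p.win == peer and p.win != last_win.get(k):
                reasons.append(f"window {p.win} mirrors the peer's, not this side's")
            if reasons:
                findings[p.frame] = reasons
        else:
            history.setdefault(k, []).append(p)
        last_win[k] = p.win
    return findings


if __name__ == "__main__":
    for frame, reasons in suspect_resets(TRACE).items():
        print(f"frame {frame}: RST does not match its claimed source")
        for r in reasons:
            print("   -", r)
```

On a real capture the packet list can be filled from tshark output, for example `tshark -r trace.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -e ip.ttl -e ip.id -e ip.flags.df -e tcp.window_size`. The IP ID gap threshold is the weakest of the four checks and should be loosened or dropped for stacks that randomize the field; the TTL and DF checks hold up better, and a reset that mirrors the peer's window is worth a close look on its own.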

This page was last modified on 08-02-14
Send comments and suggestions to ndav1@cox.net