Interesting Traces - firewall reset


This trace (taken with packet_monitor on a Stratus VOS operating system) shows a connection between two hosts on different networks with a firewall in the middle. The connection is established and then sits idle long enough (2 hours) for a TCP keep-alive packet to be sent by the local system (the host doing the trace). By then the firewall has already purged its state information for the connection, and it sends back a reset. There are a couple of clues that show that it is the firewall responding and not the remote host.
  1. The TTL in packet 1 which comes from the remote host doesn't match the TTL on the reset packet (packet 5). While it is possible that the TTL will vary by 1 or 2 if packets take different routes, it is not reasonable for it to vary by 30 (0x3a-0x1c).
  2. The ID value on the reset packet is the same as the ID value of the preceding packet from the local host. There is a small probability that a packet from the remote host will have the same ID value as the preceding packet from the local host, but I wouldn't want to make book on it.
  3. The window size of the reset packet also matches the window size of the preceding packet, which is different from the window size of packet 2, the other packet on this connection that we have received.
  4. Packet 4 is a TCP keep-alive packet; the 2 hour gap between packets 3 and 4 and the fact that the sequence number in packet 4 is 1 less than the next expected sequence number tell me this. The reset packet's acknowledgement number is the same as the sequence number of packet 4, but that byte has already been acknowledged in packet 3.
I suspect that the firewall just used the same packet to send the reset, reversing the MAC, IP and port values as well as the sequence and ACK numbers.
	** Packet 1 **
	19:22:13.715 Xmit IP   Ver/HL 45, ToS  0, Len   2c, ID 115f, Flg/Frg    0, TTL 1e,  Prtl  6
	          Cksum  e146, Src ac1ef068, Dst 0a7d0323
	TCP from 172.30.240.104.1562 to 10.125.3.35.3020
	    seq  8733ca01, ack     n.a., window 2ccc, 4. data bytes, flags Syn.
	    X/Off 06, Flags 02, Cksum f3e4,  Urg-> 0000
	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
	      0     2  4  5 b4                                       ..._

	** Packet 2 **
	19:22:13.787 Rcvd IP   Ver/HL 45, ToS  0, Len   2c, ID b433, Flg/Frg 4000, TTL 3a,  Prtl  6
	          Cksum  e271, Src 0a7d0323, Dst ac1ef068
	TCP from 10.125.3.35.30207 to 172.30.240.104.1562
	    seq  4a474001, ack 8733ca02, window ffff, 4. data bytes, flags Syn Ack.
	    X/Off 06, Flags 12, Cksum 96a7,  Urg-> 0000
	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
	      0     2  4  5 64                                       ...d

	** Packet 3 **
	19:22:13.787 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID 1198, Flg/Frg    0, TTL 1e,  Prtl  6
	          Cksum  e111, Src ac1ef068, Dst 0a7d0323
	TCP from 172.30.240.104.1562 to 10.125.3.35.30207
	    seq  8733ca02, ack 4a474002, window 2ccc, 0. data bytes, flags Ack.
	    X/Off 05, Flags 10, Cksum 8148,  Urg-> 0000
	No tcp data.

	** Packet 4 **
	21:22:07.783 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID fc6a, Flg/Frg    0, TTL 1e,  Prtl  6
	          Cksum  f63e, Src ac1ef068, Dst 0a7d0323
	TCP from 172.30.240.104.1562 to 10.125.3.35.30207
	    seq  8733ca01, ack 4a474002, window 2ccc, 0. data bytes, flags Ack.
	    X/Off 05, Flags 10, Cksum 8149,  Urg-> 0000
	No tcp data.

	** Packet 5 **
	21:22:07.785 Rcvd IP   Ver/HL 45, ToS  0, Len   28, ID fc6a, Flg/Frg    0, TTL 1c,  Prtl  6
	          Cksum  f83e, Src 0a7d0323, Dst ac1ef068
	TCP from 10.125.3.35.30207 to 172.30.240.104.1562
	    seq  4a474002, ack 8733ca01, window 2ccc, 0. data bytes, flags Rst Ack.
	    X/Off 05, Flags 14, Cksum 8145,  Urg-> 0000
	No tcp data.
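The four clues above can be checked mechanically. The following script is an added example, not part of the original page or of the packet_monitor tool: it parses the trace format shown above (abridged here to the IP, TCP and seq lines, which carry everything the clues need), finds the received RST, and scores it against the preceding local packet and the earlier packet received from the remote host. The field names, the threshold of 2 for "normal" TTL variation, and the treatment of the SYN's option bytes as not consuming sequence space are assumptions of this example.

```python
"""Score a received RST against the clues that mark it as middlebox-generated:
TTL mismatch, IP ID and window copied from our own packet, and an ACK of a
byte the remote side had already acknowledged."""
import re
from dataclasses import dataclass
from typing import Optional

# The trace from this page, abridged (checksum and hex-dump lines dropped).
TRACE = """
** Packet 1 **
19:22:13.715 Xmit IP   Ver/HL 45, ToS  0, Len   2c, ID 115f, Flg/Frg    0, TTL 1e,  Prtl  6
TCP from 172.30.240.104.1562 to 10.125.3.35.30207
    seq  8733ca01, ack     n.a., window 2ccc, 4. data bytes, flags Syn.
** Packet 2 **
19:22:13.787 Rcvd IP   Ver/HL 45, ToS  0, Len   2c, ID b433, Flg/Frg 4000, TTL 3a,  Prtl  6
TCP from 10.125.3.35.30207 to 172.30.240.104.1562
    seq  4a474001, ack 8733ca02, window ffff, 4. data bytes, flags Syn Ack.
** Packet 3 **
19:22:13.787 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID 1198, Flg/Frg    0, TTL 1e,  Prtl  6
TCP from 172.30.240.104.1562 to 10.125.3.35.30207
    seq  8733ca02, ack 4a474002, window 2ccc, 0. data bytes, flags Ack.
** Packet 4 **
21:22:07.783 Xmit IP   Ver/HL 45, ToS  0, Len   28, ID fc6a, Flg/Frg    0, TTL 1e,  Prtl  6
TCP from 172.30.240.104.1562 to 10.125.3.35.30207
    seq  8733ca01, ack 4a474002, window 2ccc, 0. data bytes, flags Ack.
** Packet 5 **
21:22:07.785 Rcvd IP   Ver/HL 45, ToS  0, Len   28, ID fc6a, Flg/Frg    0, TTL 1c,  Prtl  6
TCP from 10.125.3.35.30207 to 172.30.240.104.1562
    seq  4a474002, ack 8733ca01, window 2ccc, 0. data bytes, flags Rst Ack.
"""

IP_RE = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+)\s+(Xmit|Rcvd) IP .*?ID ([0-9a-f]+), .*?TTL ([0-9a-f]+)")
TCP_RE = re.compile(r"TCP from (\S+) to (\S+)")
SEQ_RE = re.compile(r"seq\s+([0-9a-f]+), ack\s+([0-9a-f]+|n\.a\.), window ([0-9a-f]+), "
                    r"(\d+)\. data bytes, flags (.*?)\.\s*$")


@dataclass
class Packet:
    t: float           # seconds since midnight, from the timestamp
    direction: str     # Xmit = sent by the tracing host, Rcvd = received by it
    ip_id: int
    ttl: int
    src: str
    dst: str
    seq: int
    ack: Optional[int]  # None for the bare SYN ("n.a." in the trace)
    window: int
    data_len: int      # packet_monitor counts SYN option bytes here
    flags: set


def parse_trace(text):
    """Turn packet_monitor output into Packet records (one per IP/TCP/seq triple)."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := IP_RE.search(line):
            h, mi, s, direction, ip_id, ttl = m.groups()
            cur = {"t": int(h) * 3600 + int(mi) * 60 + float(s), "direction": direction,
                   "ip_id": int(ip_id, 16), "ttl": int(ttl, 16)}
        elif (m := TCP_RE.search(line)) and cur is not None:
            cur["src"], cur["dst"] = m.groups()
        elif (m := SEQ_RE.search(line)) and cur is not None:
            seq, ack, win, dlen, flags = m.groups()
            cur.update(seq=int(seq, 16), ack=None if ack == "n.a." else int(ack, 16),
                       window=int(win, 16), data_len=int(dlen), flags=set(flags.split()))
            packets.append(Packet(**cur))
            cur = None
    return packets


def assess_reset(packets):
    """Apply the page's clues to the first received RST and return the findings."""
    rst_i = next(i for i, p in enumerate(packets) if p.direction == "Rcvd" and "Rst" in p.flags)
    rst, prior = packets[rst_i], packets[rst_i - 1]          # prior = our last packet
    remote_ref = next(p for p in packets if p.direction == "Rcvd" and "Rst" not in p.flags)
    # Next sequence number the local side would use, from everything sent before `prior`
    # (assumption: a SYN consumes one sequence number, its option bytes consume none).
    snd_nxt = max((p.seq + (1 if "Syn" in p.flags else p.data_len)
                   for p in packets[:rst_i - 1] if p.direction == "Xmit"), default=None)
    clues = {
        "ttl_delta": abs(remote_ref.ttl - rst.ttl),
        "ip_id_matches_prior_local": rst.ip_id == prior.ip_id,
        "window_matches_prior_local": rst.window == prior.window and rst.window != remote_ref.window,
        "prior_is_keepalive": (prior.direction == "Xmit" and prior.data_len == 0
                               and prior.flags == {"Ack"} and snd_nxt is not None
                               and prior.seq == snd_nxt - 1),
        "keepalive_gap_s": round(prior.t - packets[rst_i - 2].t, 3),
        # The RST acknowledges our keep-alive byte, which the remote had acked long before.
        "rst_acks_already_acked_byte": rst.ack == prior.seq and remote_ref.ack > rst.ack,
        # Seq/ack simply swapped from our packet, as the page suspects.
        "rst_is_mirror_of_prior": rst.seq == prior.ack and rst.ack == prior.seq,
    }
    strong = [clues["ttl_delta"] > 2, clues["ip_id_matches_prior_local"],
              clues["window_matches_prior_local"], clues["rst_acks_already_acked_byte"]]
    clues["verdict"] = "middlebox-generated RST" if sum(strong) >= 3 else "inconclusive"
    return clues


if __name__ == "__main__":
    for name, value in assess_reset(parse_trace(TRACE)).items():
        print(f"{name}: {value}")
```

Run stand-alone it prints one line per clue and the verdict; on this trace the TTL delta is 30, the ID and window both match packet 4, the RST acknowledges a byte packet 2 had already acknowledged, and the keep-alive gap is just under two hours. A TTL delta alone is weak evidence (routes change), which is why the verdict needs three of the four strong clues.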

This page was last modified on 03-06-05
Send comments and suggestions to ndav1@cox.net