Interesting Traces - firewall reset
This trace (taken with packet_monitor on a Stratus VOS system) shows a connection between two hosts on different networks with a firewall in the middle. The connection is established and then sits idle long enough (2 hours) for the local system (the host doing the trace) to send a TCP keep-alive probe. By then the firewall has already purged its state for the connection and answers with a reset. There are several clues that show it is the firewall responding and not the remote host:
- The TTL of packet 2, the only packet we received from the remote host, is 0x3a, while the TTL of the reset (packet 5) is 0x1c. A TTL may vary by 1 or 2 when packets take different routes, but a difference of 30 (0x3a - 0x1c) from the same sender is not reasonable.
- The IP ID of the reset packet (fc6a) is the same as the ID of the preceding packet from the local host (packet 4). There is a small probability that a packet from the remote host will happen to carry the same ID as the preceding packet from the local host, but I wouldn't want to make book on it.
- The window size of the reset packet (2ccc) also matches the window size of the preceding packet from the local host, and differs from the window size (ffff) of packet 2, the other packet on this connection that we received.
- Packet 4 is a TCP keep-alive probe: the 2 hour gap between packets 3 and 4 and the fact that its sequence number (8733ca01) is 1 less than the next expected sequence number (8733ca02) tell me this. The reset's acknowledgement number is the same as the sequence number of packet 4, but that byte (our SYN) was already acknowledged by the remote host in packet 2 (ack 8733ca02). A reset built by a real TCP stack in answer to a segment carrying an ACK would, per RFC 793, take its sequence number from that segment's acknowledgement field and not set the ACK bit at all, rather than re-acknowledging a byte that was acknowledged two hours earlier.
I suspect that the firewall just reused the keep-alive packet to build the reset, swapping the MAC, IP and port values as well as the sequence and ACK numbers.
** Packet 1 **
19:22:13.715 Xmit IP Ver/HL 45, ToS 0, Len 2c, ID 115f, Flg/Frg 0, TTL 1e, Prtl 6
Cksum e146, Src ac1ef068, Dst 0a7d0323
TCP from 172.30.240.104.1562 to 10.125.3.35.3020
seq 8733ca01, ack n.a., window 2ccc, 4. data bytes, flags Syn.
X/Off 06, Flags 02, Cksum f3e4, Urg-> 0000
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 2 4 5 b4 ..._
** Packet 2 **
19:22:13.787 Rcvd IP Ver/HL 45, ToS 0, Len 2c, ID b433, Flg/Frg 4000, TTL 3a, Prtl 6
Cksum e271, Src 0a7d0323, Dst ac1ef068
TCP from 10.125.3.35.30207 to 172.30.240.104.1562
seq 4a474001, ack 8733ca02, window ffff, 4. data bytes, flags Syn Ack.
X/Off 06, Flags 12, Cksum 96a7, Urg-> 0000
offset 0 . . . 4 . . . 8 . . . C . . . 0...4... 8...C...
0 2 4 5 64 ...d
** Packet 3 **
19:22:13.787 Xmit IP Ver/HL 45, ToS 0, Len 28, ID 1198, Flg/Frg 0, TTL 1e, Prtl 6
Cksum e111, Src ac1ef068, Dst 0a7d0323
TCP from 172.30.240.104.1562 to 10.125.3.35.30207
seq 8733ca02, ack 4a474002, window 2ccc, 0. data bytes, flags Ack.
X/Off 05, Flags 10, Cksum 8148, Urg-> 0000
No tcp data.
** Packet 4 **
21:22:07.783 Xmit IP Ver/HL 45, ToS 0, Len 28, ID fc6a, Flg/Frg 0, TTL 1e, Prtl 6
Cksum f63e, Src ac1ef068, Dst 0a7d0323
TCP from 172.30.240.104.1562 to 10.125.3.35.30207
seq 8733ca01, ack 4a474002, window 2ccc, 0. data bytes, flags Ack.
X/Off 05, Flags 10, Cksum 8149, Urg-> 0000
No tcp data.
** Packet 5 **
21:22:07.785 Rcvd IP Ver/HL 45, ToS 0, Len 28, ID fc6a, Flg/Frg 0, TTL 1c, Prtl 6
Cksum f83e, Src 0a7d0323, Dst ac1ef068
TCP from 10.125.3.35.30207 to 172.30.240.104.1562
seq 4a474002, ack 8733ca01, window 2ccc, 0. data bytes, flags Rst Ack.
X/Off 05, Flags 14, Cksum 8145, Urg-> 0000
No tcp data.
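The checks described above, applied to the five packets of this trace, as an added example that is not part of the original page. The packet values are transcribed from the packet_monitor output; the "genuine" reset used as a control, the 60 second idle threshold for calling a segment a keep-alive, and the 4 hop TTL tolerance are assumptions of this example, not anything the trace shows.

```python
"""Checks for telling a middlebox-generated TCP RST from one sent by the remote
host.  Added example, not part of the original trace page; the five packets are
transcribed from the page's packet_monitor output, the control packet and the
thresholds are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds of day, from the trace timestamps
    src: str
    dst: str
    ip_id: int
    ttl: int
    seq: int
    ack: int
    window: int
    flags: str       # TCP flags as letters: S, A, R, F
    length: int = 0  # TCP payload bytes


LOCAL, REMOTE = "172.30.240.104", "10.125.3.35"

# Packets 1-5 of the page's trace (19:22:13 -> 69733 s, 21:22:07 -> 76927 s).
TRACE = [
    Pkt(69733.715, LOCAL, REMOTE, 0x115f, 0x1e, 0x8733ca01, 0x0, 0x2ccc, "S"),
    Pkt(69733.787, REMOTE, LOCAL, 0xb433, 0x3a, 0x4a474001, 0x8733ca02, 0xffff, "SA"),
    Pkt(69733.787, LOCAL, REMOTE, 0x1198, 0x1e, 0x8733ca02, 0x4a474002, 0x2ccc, "A"),
    Pkt(76927.783, LOCAL, REMOTE, 0xfc6a, 0x1e, 0x8733ca01, 0x4a474002, 0x2ccc, "A"),
    Pkt(76927.785, REMOTE, LOCAL, 0xfc6a, 0x1c, 0x4a474002, 0x8733ca01, 0x2ccc, "RA"),
]

# Constructed control (not from the page): a reset the remote host's own stack
# would send per RFC 793, with its own IP ID, TTL and window, seq taken from
# the keep-alive's ACK field and no ACK bit.
GENUINE_RST = Pkt(76927.9, REMOTE, LOCAL, 0xb5a0, 0x3a, 0x4a474002, 0x0, 0x0, "R")


def snd_nxt(pkts, host):
    """Highest sequence number `host` has sent plus one, i.e. what the peer
    should ACK next.  SYN and FIN each occupy one sequence number."""
    nxt = None
    for p in pkts:
        if p.src != host:
            continue
        end = p.seq + p.length + ("S" in p.flags) + ("F" in p.flags)
        nxt = end if nxt is None else max(nxt, end)
    return nxt


def is_keepalive(pkts, idx, host, idle_secs=60.0):
    """True if pkts[idx] is a keep-alive probe from `host`: an empty ACK whose
    sequence number is one below snd.nxt, sent after a long idle gap."""
    p, prev = pkts[idx], pkts[idx - 1]
    return (p.src == host and p.flags == "A" and p.length == 0
            and p.seq == snd_nxt(pkts[:idx], host) - 1
            and p.ts - prev.ts >= idle_secs)


def reset_clues(pkts, local, max_ttl_skew=4):
    """Compare the final RST with the packet it answers and with what the
    remote host sent earlier.  Returns {clue: explanation}; several clues
    together point at a middlebox rather than the remote stack."""
    rst = pkts[-1]
    if "R" not in rst.flags or rst.src == local:
        raise ValueError("last packet must be a RST addressed to the local host")
    history = pkts[:-1]
    from_remote = [p for p in history if p.src == rst.src]
    trigger = [p for p in history if p.src == local][-1]   # what the RST answers
    clues = {}
    if from_remote and abs(from_remote[-1].ttl - rst.ttl) > max_ttl_skew:
        clues["ttl"] = (f"remote earlier arrived with TTL {from_remote[-1].ttl}, "
                        f"RST has TTL {rst.ttl}")
    if rst.ip_id == trigger.ip_id:
        clues["ip_id"] = f"RST reuses IP ID 0x{rst.ip_id:04x} of the packet it answers"
    if from_remote and rst.window == trigger.window and all(
            p.window != rst.window for p in from_remote):
        clues["window"] = (f"RST window 0x{rst.window:04x} matches our last packet, "
                           f"not the remote's earlier window")
    if rst.seq == trigger.ack and rst.ack == trigger.seq:
        clues["seq_ack"] = ("RST seq/ack are our seq/ack swapped; it ACKs byte "
                            f"0x{rst.ack:08x}, below snd.nxt 0x{snd_nxt(history, local):08x}")
    return clues


if __name__ == "__main__":
    print("packet 4 is a keep-alive:", is_keepalive(TRACE, 3, LOCAL))
    for name, why in reset_clues(TRACE, LOCAL).items():
        print(f"{name:8} {why}")
    print("genuine reset clues:", reset_clues(TRACE[:4] + [GENUINE_RST], LOCAL))
```

Run against the trace, all four clues fire on packet 5, while the constructed control reset fires none; in practice one clue is weak on its own (IP IDs collide, TTLs drift across routes), so treat two or more as the signal. The same comparisons work from a pcap if each packet is mapped into the Pkt fields.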
This page was last modified on 03-06-05
Send comments and suggestions to ndav1@cox.net