Interesting Traces - Sequence number rewrite



The following shows two traces (shown side by side), each taken from one of the systems in the connection. The traces were taken using the native packet capture/analyzer tool on a Stratus VOS system. I have obscured the last two bytes of the IP addresses and the last 3 bytes of the Ethernet MAC addresses to protect the system's privacy.

You will note that all significant header values (IP type of service, length, identification, source address and destination address; TCP source port, destination port, window size and flags) and even the data are identical. But the sequence and acknowledgment numbers are completely different.

I have no idea what is doing this or why. It was hypothesized that it is a firewall rewriting sequence numbers to make sure that they are random enough. But at this point it is just a guess. Of course it could also be some device that is not functioning properly or just poorly implemented.

My apologies to any color sensitive reader.


13:40:34.153 Xmit Ether Dst 00:15:c7:bb:bb:bb  Src 00:00:a8:aa:aa:aa Type 0800       	|	13:41:10.146 Rcvd Ether Dst 00:00:a8:42:5a:cb  Src 00:1e:4a:c7:f0:00 Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   2c, ID 78d7 Flg/Frg    0, TTL 3c,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   2c, ID 78d7 Flg/Frg    0, TTL 39,  Prtl  6
          Cksum  ec9e, Src 0a32xxxx, Dst 0a96yyyy                                    	|	          Cksum  ef9e, Src 0a32xxxx, Dst 0a96yyyy
TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7                                       	|	TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7
    seq  1711376966, ack     n.a., windows  8192, 4 data bytes, flags Syn.            	|	    seq  3561789146, ack     n.a., windows  8192, 4 data bytes, flags Syn.
    X/Off 06, Flags 02, Cksum 8a4e,  Urg-> 0000                                      	|	    X/Off 06, Flags 02, Cksum 0f6f,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0     2  4  2 18                                       <<<<                    	|	      0     2  4  2 18                                       <<<<
                                                                                     	|	         
13:40:34.166 Rcvd Ether Dst 00:00:a8:aa:aa:aa  Src 00:15:c7:bb:bb:bb Type 0800       	|	13:41:10.307 Xmit Ether Dst 00:1e:4a:c7:f0:00  Src 00:00:a8:42:5a:cb Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   2c, ID 31ae Flg/Frg    0, TTL 39,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   2c, ID 31ae Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  36c8, Src 0a96yyyy, Dst 0a32xxxx                                    	|	          Cksum  33c8, Src 0a96yyyy, Dst 0a32xxxx
TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342                                      	|	TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342
    seq   923734861, ack 1711376967, windows  8192, 4 data bytes, flags Syn Ack.      	|	    seq   349007888, ack 3561789147, windows  8192, 4 data bytes, flags Syn Ack.
    X/Off 06, Flags 12, Cksum 3fe1,  Urg-> 0000                                      	|	    X/Off 06, Flags 12, Cksum 8a80,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0     2  4  2 18                                       <<<<                    	|	      0     2  4  2 18                                       <<<<
                                                                                     	|	
13:40:34.166 Xmit Ether Dst 00:15:c7:bb:bb:bb  Src 00:00:a8:aa:aa:aa Type 0800       	|	13:41:10.463 Rcvd Ether Dst 00:00:a8:42:5a:cb  Src 00:1e:4a:c7:f0:00 Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   28, ID 78de Flg/Frg    0, TTL 3c,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   28, ID 78de Flg/Frg    0, TTL 39,  Prtl  6
          Cksum  ec9b, Src 0a32xxxx, Dst 0a96yyyy                                    	|	          Cksum  ef9b, Src 0a32xxxx, Dst 0a96yyyy
TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7                                       	|	TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7
    seq  1711376967, ack  923734862, windows  8192, 0 data bytes, flags Ack.          	|	    seq  3561789147, ack  349007889, windows  8192, 0 data bytes, flags Ack.
    X/Off 05, Flags 10, Cksum 5402,  Urg-> 0000                                      	|	    X/Off 05, Flags 10, Cksum 9ea1,  Urg-> 0000
No tcp data.                                                                         	|	No tcp data.
                                                                                     	|	
                                                                                     	
                                                                                     . . . .

13:40:36.831 Xmit Ether Dst 00:15:c7:bb:bb:bb  Src 00:00:a8:aa:aa:aa Type 0800       	|	13:41:14.118 Rcvd Ether Dst 00:00:a8:42:5a:cb  Src 00:1e:4a:c7:f0:00 Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   2a, ID 7bca Flg/Frg    0, TTL 3c,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   2a, ID 7bca Flg/Frg    0, TTL 39,  Prtl  6
          Cksum  e9ad, Src 0a32xxxx, Dst 0a96yyyy                                    	|	          Cksum  ecad, Src 0a32xxxx, Dst 0a96yyyy
TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7                                       	|	TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7
    seq  1711376971, ack  923734866, windows  8192, 2 data bytes, flags Push Ack      	|	    seq  3561789151, ack  349007893, windows  8192, 2 data bytes, flags Push Ack
+.                                                                                   	|	+.
    X/Off 05, Flags 18, Cksum 33bf,  Urg-> 0000                                      	|	    X/Off 05, Flags 18, Cksum 7e5e,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    20 31                                              1                      	|	      0    20 31                                              1
                                                                                     	|	
13:40:36.842 Rcvd Ether Dst 00:00:a8:aa:aa:aa  Src 00:15:c7:bb:bb:bb Type 0800       	|	13:41:14.273 Xmit Ether Dst 00:1e:4a:c7:f0:00  Src 00:00:a8:42:5a:cb Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   2a, ID 329c Flg/Frg    0, TTL 39,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   2a, ID 329c Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  35dc, Src 0a96yyyy, Dst 0a32xxxx                                    	|	          Cksum  32dc, Src 0a96yyyy, Dst 0a32xxxx
TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342                                       	|	TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342
    seq   923734866, ack 1711376973, windows  8192, 2 data bytes, flags Push Ack      	|	    seq   349007893, ack 3561789153, windows  8192, 2 data bytes, flags Push Ack
+.                                                                                   	|	+.
    X/Off 05, Flags 18, Cksum 33bd,  Urg-> 0000                                      	|	    X/Off 05, Flags 18, Cksum 7e5c,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    20 31                                              1                      	|	      0    20 31                                              1
                                                                                     	|	

                                                                                     . . . .
                                                                                     	                                                                                 	|	
13:40:39.540 Xmit Ether Dst 00:15:c7:bb:bb:bb  Src 00:00:a8:aa:aa:aa Type 0800       	|	13:41:17.319 Rcvd Ether Dst 00:00:a8:42:5a:cb  Src 00:1e:4a:c7:f0:00 Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   29, ID 7f39 Flg/Frg    0, TTL 3c,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   29, ID 7f39 Flg/Frg    0, TTL 39,  Prtl  6
          Cksum  e63f, Src 0a32xxxx, Dst 0a96yyyy                                    	|	          Cksum  e93f, Src 0a32xxxx, Dst 0a96yyyy
TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7                                       	|	TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7
    seq  1711376980, ack  923734875, windows  8192, 1 data bytes, flags Push Ack      	|	    seq  3561789160, ack  349007902, windows  8192, 1 data bytes, flags Push Ack
+.                                                                                   	|	+.
    X/Off 05, Flags 18, Cksum 21df,  Urg-> 0000                                      	|	    X/Off 05, Flags 18, Cksum 6c7e,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    32                                                2                       	|	      0    32                                                2
                                                                                     	|	
13:40:39.553 Rcvd Ether Dst 00:00:a8:aa:aa:aa  Src 00:15:c7:bb:bb:bb Type 0800       	|	13:41:17.475 Xmit Ether Dst 00:1e:4a:c7:f0:00  Src 00:00:a8:42:5a:cb Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   29, ID 33f3 Flg/Frg    0, TTL 39,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   29, ID 33f3 Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  3486, Src 0a96yyyy, Dst 0a32xxxx                                    	|	          Cksum  3186, Src 0a96yyyy, Dst 0a32xxxx
TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342                                       	|	TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342
    seq   923734875, ack 1711376981, windows  8192, 1 data bytes, flags Push Ack      	|	    seq   349007902, ack 3561789161, windows  8192, 1 data bytes, flags Push Ack
+.                                                                                   	|	+.
    X/Off 05, Flags 18, Cksum 21de,  Urg-> 0000                                      	|	    X/Off 05, Flags 18, Cksum 6c7d,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    32                                                2                       	|	      0    32                                                2
                                                                                     	|	

                                                                                     . . . .
                                                                                     	
13:40:42.480 Xmit Ether Dst 00:15:c7:bb:bb:bb  Src 00:00:a8:aa:aa:aa Type 0800       	|	13:41:20.655 Rcvd Ether Dst 00:00:a8:42:5a:cb  Src 00:1e:4a:c7:f0:00 Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   2b, ID 82bd Flg/Frg    0, TTL 3c,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   2b, ID 82bd Flg/Frg    0, TTL 39,  Prtl  6
          Cksum  e2b9, Src 0a32xxxx, Dst 0a96yyyy                                    	|	          Cksum  e5b9, Src 0a32xxxx, Dst 0a96yyyy
TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7                                       	|	TCP from 10.50.XXX.XXX.59342 to 10.150.YY.YY.7
    seq  1711376988, ack  923734883, windows  8192, 3 data bytes, flags Push Ack      	|	    seq  3561789168, ack  349007910, windows  8192, 3 data bytes, flags Push Ack
+.                                                                                   	|	+.
    X/Off 05, Flags 18, Cksum 20c0,  Urg-> 0000                                      	|	    X/Off 05, Flags 18, Cksum 6b5f,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    33  d  0                                          3<                      	|	      0    33  d  0                                          3<
                                                                                     	|	
13:40:42.493 Rcvd Ether Dst 00:00:a8:aa:aa:aa  Src 00:15:c7:bb:bb:bb Type 0800       	|	13:41:20.811 Xmit Ether Dst 00:1e:4a:c7:f0:00  Src 00:00:a8:42:5a:cb Type 0800
+ (IP)                                                                               	|	+ (IP)
IP   Ver/HL 45, ToS  0, Len   2b, ID 3560 Flg/Frg    0, TTL 39,  Prtl  6            	|	IP   Ver/HL 45, ToS  0, Len   2b, ID 3560 Flg/Frg    0, TTL 3c,  Prtl  6
          Cksum  3317, Src 0a96yyyy, Dst 0a32xxxx                                    	|	          Cksum  3017, Src 0a96yyyy, Dst 0a32xxxx
TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342                                       	|	TCP from 10.150.YY.YY.7 to 10.50.XXX.XXX.59342
    seq   923734883, ack 1711376991, windows  8192, 3 data bytes, flags Push Ack      	|	    seq   349007910, ack 3561789171, windows  8192, 3 data bytes, flags Push Ack
+.                                                                                   	|	+.
    X/Off 05, Flags 18, Cksum 20bd,  Urg-> 0000                                      	|	    X/Off 05, Flags 18, Cksum 6b5c,  Urg-> 0000
     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...       	|	     offset 0  .  .  .  4  .  .  .   8  .  .  .  C  .  .  .  0...4... 8...C...
      0    33  d  0                                          3<                      	|	      0    33  d  0                                          3<
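
A check a reader can run on the numbers above (an added example, not part of the original page or of the VOS analyzer): it tests whether the sequence-number difference between the two captures is a single fixed offset per direction, modulo 2^32, and whether the change in each TCP checksum is fully accounted for by the rewritten seq/ack fields using the incremental update of RFC 1624. The direction labels "c2s"/"s2c" and the function names are chosen for this example; the SYN's ack field, printed as "n.a." in the trace, is assumed to be 0 on both sides.

```python
M32 = 1 << 32

# Values transcribed from the trace above: direction, then seq, ack and TCP
# checksum from the left-hand capture, then the same from the right-hand one.
# The SYN's ack field is printed as "n.a."; 0 on both sides is an assumption.
PACKETS = [
    ("c2s", 1711376966, 0,          0x8a4e, 3561789146, 0,          0x0f6f),
    ("s2c",  923734861, 1711376967, 0x3fe1,  349007888, 3561789147, 0x8a80),
    ("c2s", 1711376967,  923734862, 0x5402, 3561789147,  349007889, 0x9ea1),
    ("c2s", 1711376988,  923734883, 0x20c0, 3561789168,  349007910, 0x6b5f),
    ("s2c",  923734883, 1711376991, 0x20bd,  349007910, 3561789171, 0x6b5c),
]

def words(v):
    """Split a 32-bit header field into its two 16-bit checksum words."""
    return [(v >> 16) & 0xFFFF, v & 0xFFFF]

def incremental_cksum(old_ck, old_fields, new_fields):
    """RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m') in 16-bit one's complement."""
    total = ~old_ck & 0xFFFF
    for old, new in zip(old_fields, new_fields):
        for ow, nw in zip(words(old), words(new)):
            total += (~ow & 0xFFFF) + nw
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def analyze(packets):
    """Return the set of rewrite offsets seen per direction and, per packet,
    whether the seq/ack change alone explains the new TCP checksum."""
    offsets = {"c2s": set(), "s2c": set()}
    cksum_ok = []
    for d, seq_a, ack_a, ck_a, seq_b, ack_b, ck_b in packets:
        rev = "s2c" if d == "c2s" else "c2s"
        offsets[d].add((seq_b - seq_a) % M32)
        if ack_a:                           # ack lives in the peer's sequence space
            offsets[rev].add((ack_b - ack_a) % M32)
        recomputed = incremental_cksum(ck_a, (seq_a, ack_a), (seq_b, ack_b))
        cksum_ok.append(recomputed == ck_b)
    return offsets, cksum_ok

if __name__ == "__main__":
    offsets, cksum_ok = analyze(PACKETS)
    for d, offs in offsets.items():
        print(d, "offsets:", [hex(o) for o in sorted(offs)])
    print("checksum explained by seq/ack rewrite:", cksum_ok)
```

One offset per direction, with every checksum reproduced, means that in these packets the only TCP-level change between the two capture points is a fixed per-direction delta added to the sequence space; the addresses and ports that feed the TCP pseudo-header are untouched.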

This page was last modified on 09-11-24
Send comments and suggestions to ndav1@cox.net