Wireshark-users: Re: [Wireshark-users] Same SEQ number but different ACKs
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sun, 13 Apr 2008 18:02:36 +0200
On Sun, Apr 13, 2008 at 04:07:42PM +0200, Sake Blok wrote:
> On Sun, Apr 13, 2008 at 09:27:41AM -0400, Sheahan, John wrote:
> > this is actually code that runs on several servers that exchanges XML
> > data over HTTPS using the proxy. I didn't see the Encrypted Alert but
> > I'm going to recheck for that. I have enclosed the trace of one
> > conversation.
> 
[...]
> frame 50: Proxy sees data *after* the client has acknowledged the TCP
>           session teardown (ACK=23504 in frame 47) and sends RST

I just remembered your comment about the high ACK number for the RST
packet and took another look at it. Frame 50 also doesn't have the
ACK flag set. This is also not according to the RFC and indeed it does
have a sequence number that does not belong to this TCP session.

Are you sure it's the proxy that sent this packet? Couldn't it have
been an Intrusion Detection and Prevention System (IDP) that generated
this packet?

Cheers,
    Sake
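
The check discussed in this message, as an added example (not part of the original post and not Wireshark code): it flags RST segments that lack the ACK flag or whose sequence number falls outside the window the receiver last advertised. The `Seg` record layout, the host names and all trace values are constructed for illustration.

```python
from collections import namedtuple

# One TCP segment as exported from a capture (field names are this example's own).
Seg = namedtuple("Seg", "frame src dst flags seq ack length win")

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def suspicious_resets(segments):
    """Return [(frame, [reasons])] for RSTs that do not fit the tracked session."""
    rcv = {}  # (receiver, sender) -> (last ACK number, window) the receiver advertised
    findings = []
    for s in segments:
        if "R" in s.flags:
            reasons = []
            if "A" not in s.flags:
                reasons.append("ACK flag not set")
            expected = rcv.get((s.dst, s.src))
            if expected is None:
                reasons.append("no receiver state for this direction")
            else:
                rcv_nxt, win = expected
                # In-window test modulo 2^32 so wrapped sequence numbers still compare.
                if (s.seq - rcv_nxt) % MOD >= max(win, 1):
                    reasons.append(f"seq {s.seq} outside window starting at {rcv_nxt}")
            if reasons:
                findings.append((s.frame, reasons))
        elif "A" in s.flags:
            # Remember what this endpoint says it expects next from its peer.
            rcv[(s.src, s.dst)] = (s.ack, s.win)
    return findings


# Constructed sample trace: client and proxy exchange data, the proxy closes,
# then two resets arrive claiming to come from the proxy.
CONSTRUCTED_TRACE = [
    Seg(1, "client", "proxy", "PA", 1000, 5000, 200, 65535),
    Seg(2, "proxy", "client", "A", 5000, 1200, 0, 65535),
    Seg(3, "proxy", "client", "FA", 5000, 1200, 0, 65535),
    Seg(4, "client", "proxy", "A", 1200, 5001, 0, 65535),
    Seg(5, "client", "proxy", "PA", 1200, 5001, 100, 65535),
    Seg(6, "proxy", "client", "R", 900000, 0, 0, 0),     # no ACK flag, foreign seq
    Seg(7, "proxy", "client", "RA", 5001, 1300, 0, 0),   # fits the session
]

if __name__ == "__main__":
    for frame, reasons in suspicious_resets(CONSTRUCTED_TRACE):
        print(f"frame {frame}: " + "; ".join(reasons))
```

A reset flagged this way is a candidate for comparing IP TTL and IP ID against the sender's other packets before attributing it to the proxy or to an inline device.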