Wireshark-users: Re: [Wireshark-users] Same SEQ number but different ACKs
From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 14 Apr 2008 20:08:41 +0200
Hi John,

Well, a search for the word alert won't help you, as the alert in SSL is just a numerical value. The words "Encrypted Alert" are the Wireshark description to the numerical value :-)

If you open frame 44 and expand all subtrees within the packet detail pane, you will see the Encrypted Alert. To do this however, you need a recent version of Wireshark as there has been a bug fixed with proxied SSL connections a few months back. You will also need to have the following protocol preferences enabled:

TCP: "Allow subdissector to reassemble TCP streams"
SSL:  "Reassemble SSL records spanning multiple TCP segments"
SSL:  "Reassemble SSL Application Data spanning multiple SSL records"

I attached a text file that shows how frame 44 is dissected in my version of Wireshark with my preferences.

The way I found it was that I was interested whether or not the proxy issued an Close Notify, so I looked at the last SSL records that were sent from the proxy to the client, which were at the end of frame 44 :-)

If you are able to reproduce the issue, you might want to capture traffic on the client as well as on the proxy to see whether the TCP RST was coming from the proxy or the PIX. My bet would be that it is generated by the PIX as it does not like the way the client closes the connection and therefor it tries to shutdown the TCP-session on it's own. I just don't have enough knowledge of the PIX to check whether this is indeed one of its features :-)

Cheers,
     Sake



----- Original Message ----- From: "Sheahan, John" <John.Sheahan@xxxxxxxxxxxxx>
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Sent: Sunday, April 13, 2008 7:02 PM
Subject: Re: [Wireshark-users] Same SEQ number but different ACKs


for starters, I can even find the Encryption Alert that you are talking
about :-)
I went straight to packet 44 and don't see it anywhere. I did a search
for the word "alert" in the whole trace and didn't find it either. How
did you find that?

Great catch on the ACK flag not being set in frame 50, also if you look
at the ACK itself, it doesn't match any SEQ numbers of my client. I
don't have any IPS device in the mix. My client goes through a Pix
firewall to a dmz where the proxy server is.

I really appreciate you thinking this through with me.

jack

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Sunday, April 13, 2008 12:03 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Same SEQ number but different ACKs

On Sun, Apr 13, 2008 at 04:07:42PM +0200, Sake Blok wrote:
On Sun, Apr 13, 2008 at 09:27:41AM -0400, Sheahan, John wrote:
> this is actually code that runs on several servers that exchanges
> XML data over HTTPS using the proxy. I didn't see the Encrypted
> Alert but I'm going to recheck for that. I have enclosed the trace
> of one conversation.

[...]
frame 50: Proxy sees data *after* the client has acknowledged the TCP
          session teardown (ACK=23504 in frame 47) and sends RST

I just remembered your comment about the high ACK number for the RST
packet and took another look at it. Frame 50 also doesn't have the ACK
flag set. This is also not according to RFC and indeed it does have a
sequence number that does not belong to this tcp session.

Are you sure it's the proxy that sent this packet? Couldn't it have been
an Intrusion Detection and Prevention System (IDP) that generated this
packet?

Cheers,
   Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

No.     Time        delta-Dis   delta-Con   src                   dst                   Source                Destination           srcport dstport len   Protocol Info                                                            Expert
44 1.030000 0.000000 0.000000 00:0c:cf:28:ff:c0 00:1b:78:45:40:0e 172.24.11.135 172.16.20.33 8080 4694 313 SSLv3 Application Data
Frame 44 (313 bytes on wire, 313 bytes captured)
Ethernet II, Src: Cisco_28:ff:c0 (00:0c:cf:28:ff:c0), Dst: HewlettP_45:40:0e (00:1b:78:45:40:0e)
Internet Protocol, Src: 172.24.11.135 (172.24.11.135), Dst: 172.16.20.33 (172.16.20.33)
Transmission Control Protocol, Src Port: http-alt (8080), Dst Port: 4694 (4694), Seq: 23248, Ack: 966, Len: 255
[Reassembled TCP Segments (5667 bytes): #38(1380), #39(1356), #41(1368), #43(1380), #44(183)]
   [Frame: 38, payload: 0-1379 (1380 bytes)]
   [Frame: 39, payload: 1380-2735 (1356 bytes)]
   [Frame: 41, payload: 2736-4103 (1368 bytes)]
   [Frame: 43, payload: 4104-5483 (1380 bytes)]
   [Frame: 44, payload: 5484-5666 (183 bytes)]
Hypertext Transfer Protocol
   [Proxy-Connect-Hostname: distribution-xml.booking.com]
   [Proxy-Connect-Port: 443]
Secure Socket Layer
   SSLv3 Record Layer: Application Data Protocol: http
       Content Type: Application Data (23)
       Version: SSL 3.0 (0x0300)
       Length: 5662
       Encrypted Application Data: D320910AC45A658AD6B755480368328ED871ED7475E75957...
Hypertext Transfer Protocol
   [Proxy-Connect-Hostname: distribution-xml.booking.com]
   [Proxy-Connect-Port: 443]
Secure Socket Layer
   SSLv3 Record Layer: Application Data Protocol: http
       Content Type: Application Data (23)
       Version: SSL 3.0 (0x0300)
       Length: 18
       Encrypted Application Data: 503D509A57048D82C00DEB104D8CBA5021D0
   SSLv3 Record Layer: Application Data Protocol: http
       Content Type: Application Data (23)
       Version: SSL 3.0 (0x0300)
       Length: 21
       Encrypted Application Data: 6B41431D5D1D85454CEBA6CF3664C35AB5EB13EE05
   SSLv3 Record Layer: Encrypted Alert
       Content Type: Alert (21)
       Version: SSL 3.0 (0x0300)
       Length: 18
       Alert Message: Encrypted Alert