Wireshark-users: Re: [Wireshark-users] out of port numbers
From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Thu, 1 Sep 2011 07:01:45 +0200

> I am seeing a lot of port-reuses in the tcpdumps. The tcpdump was
> captured on a Debian master that runs multiple Debian guests (Linux
> VServer). Among others, it runs a proxy and application server that
> set up a new connection for each HTTP request that is being served.

On this Linux VServer, I am seeing 20.401 reused ports (filter
tcp.analysis.reused_ports in Wireshark) in a 429 second tcpdump
sample. Is this value not extremely high?

I had some more time to look at this "issue" and I was hoping somebody could advise me. In the tcpdump I find many reset connections before the 3-way handshake is even finished, for example:

clt -> srv: 17:00:04.100996 SYN [Port number reused] seq=0
clt -> srv: 17:00:04.103999 SYN seq=0
srv -> clt: 17:00:04.104033 SYN + ACK seq=0, ack=1
clt -> srv: 17:00:04.109510 RST seq=1

Under what conditions would the client reset the connection within such a short timespan (< 10 milliseconds)?

Cheers,
Andrej
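
One way to find this pattern across a whole capture, as an added example that is not part of the original post: the function below tracks each client/server 4-tuple and reports flows where the client sent RST after the server's SYN+ACK but before ACKing it. The packet tuples are constructed (addresses and ports are made up; the timestamps of the first flow follow the trace above), and the tuple layout is an assumption about how the capture was exported.

```python
from datetime import datetime

# Constructed sample: (time, src, sport, dst, dport, flags).
# Flags: S = SYN, SA = SYN+ACK, A = ACK, R = RST.
PACKETS = [
    ("17:00:04.100996", "10.0.0.2", 40001, "10.0.0.9", 80, "S"),
    ("17:00:04.103999", "10.0.0.2", 40001, "10.0.0.9", 80, "S"),
    ("17:00:04.104033", "10.0.0.9", 80, "10.0.0.2", 40001, "SA"),
    ("17:00:04.109510", "10.0.0.2", 40001, "10.0.0.9", 80, "R"),
    # A completed handshake that is reset later, for contrast.
    ("17:00:05.000000", "10.0.0.2", 40002, "10.0.0.9", 80, "S"),
    ("17:00:05.000300", "10.0.0.9", 80, "10.0.0.2", 40002, "SA"),
    ("17:00:05.000600", "10.0.0.2", 40002, "10.0.0.9", 80, "A"),
    ("17:00:05.200000", "10.0.0.2", 40002, "10.0.0.9", 80, "R"),
]


def _micros(text):
    """Convert HH:MM:SS.ffffff to integer microseconds since midnight."""
    t = datetime.strptime(text, "%H:%M:%S.%f")
    return (t.hour * 3600 + t.minute * 60 + t.second) * 1_000_000 + t.microsecond


def early_resets(packets):
    """Return (client, cport, server, sport, syn_count, usec_synack_to_rst)
    for every flow the client reset before completing the handshake."""
    pending = {}  # 4-tuple (client side first) -> handshake state
    hits = []
    for when, src, sport, dst, dport, flags in packets:
        now = _micros(when)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":
            flow = pending.setdefault(fwd, {"syns": 0, "synack": None})
            flow["syns"] += 1              # repeated SYNs on one tuple
        elif flags == "SA" and rev in pending:
            pending[rev]["synack"] = now   # server answered the client
        elif flags == "A":
            pending.pop(fwd, None)         # handshake completed, stop tracking
        elif flags == "R" and fwd in pending:
            flow = pending.pop(fwd)
            if flow["synack"] is not None:
                hits.append((*fwd, flow["syns"], now - flow["synack"]))
    return hits


if __name__ == "__main__":
    for hit in early_resets(PACKETS):
        print(hit)
```

Sorting the result by client address or by the SYN count shows whether the early resets cluster on one guest or on tuples that received more than one SYN.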