   From: rick.jones2@hp.com   
      
   lmike wrote:   
   > I see something from a tcpdump output on Linux that I don't quite
   > understand (see below).
   > -why all of a sudden, A sends to B with big seq numbers (i.e.
   > 3286598003:3286598051), and why with ack 1191864251?   
   > A(server)-B(client) link has been idle for a few minutes before this   
   > happened. None of these big seq numbers appear in any prior log   
   > messages.   
   > 1191864251 never shows up as a seq number in B's messages to A.   
      
   > -why B then starts to send to A pkgs starting from seq number 1?   
   > Looks like a resend? Why does this happen? Thanks
      
   > A > B: P 3286598003:3286598051(48) ack 1191864251 win 65535   
   >    
   > B > A: P 1:16(15) ack 48 win 65535 2253170396>   
   > A > B: . ack 16 win 65535    
   > B > A: P 48:65(17) ack 16 win 65535 1200125699>   
   > A > B: P 16:199(183) ack 65 win 65535 2253170397>   
   > B > A: P 65:211(146) ack 199 win 65535 1200125700>   
      
   Chances are greater that you are seeing a tcpdump artifact rather than   
   a TCP behaviour.   
      
   Tcpdump, unless told not to, tries to be helpful/clever about TCP   
   sequence numbers. It does this by keeping some state for each TCP   
   connection. When tcpdump sees its first segment for a given   
   connection, it will give sequence numbers and ACKnowledgement numbers   
   in their "raw" or "as in the header" form. For subsequent segments,   
   tcpdump will give numbers relative to the first it saw.   
      
   Now, if indeed tcpdump had already seen that four-tuple of A to B,   
   (local/remote IP, local/remote port) perhaps something caused it to   
   have to toss its memory of the four-tuple and then it was starting   
   over.   
      
   One thing you could do to verify that it is indeed tcpdump's attempts
   to give relative sequence numbers is to disable that functionality via   
   the tcpdump command line.   
      
   rick jones   
   --   
   portable adj, code that compiles under more than one compiler   
   these opinions are mine, all mine; HP might not want them anyway... :)   
   feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...   
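
A model of the relative-numbering behaviour described in the reply above, as an added example that is not part of the original post and is not tcpdump's own code. The `SeqTracker` class, the port numbers, and the raw header values of every segment after the first are constructed so that the output matches the relative numbers in the quoted trace.

```python
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


class SeqTracker:
    """Simplified per-connection state: one sequence base per endpoint."""

    def __init__(self):
        self.base = {}  # connection key -> {endpoint: base sequence number}

    @staticmethod
    def _key(src, dst):
        # Same key for both directions of one connection.
        return tuple(sorted((src, dst)))

    def forget(self, src, dst):
        # Models the tracker losing its memory of the four-tuple.
        self.base.pop(self._key(src, dst), None)

    def render(self, src, dst, seq, ack, length):
        state = self.base.get(self._key(src, dst))
        if state is None:
            # First segment seen: remember the bases, print header values raw.
            self.base[self._key(src, dst)] = {src: seq, dst: (ack - 1) % MOD}
            s, a = seq, ack
        else:
            # Later segments: print offsets from the remembered bases.
            s = (seq - state[src]) % MOD
            a = (ack - state[dst]) % MOD
        data = f"{s}:{(s + length) % MOD}({length}) " if length else ""
        return f"{src[0]} > {dst[0]}: {data}ack {a}"


def demo():
    a, b = ("A", 5000), ("B", 40000)  # constructed endpoints (name, port)
    t = SeqTracker()
    lines = [
        t.render(a, b, 3286598003, 1191864251, 48),  # first segment: raw
        t.render(b, a, 1191864251, 3286598051, 15),  # constructed raw values
        t.render(a, b, 3286598051, 1191864266, 0),   # constructed raw values
    ]
    t.forget(a, b)  # state dropped mid-connection
    lines.append(t.render(a, b, 3286598051, 1191864266, 183))  # raw again
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The last line shows large raw numbers reappearing on an established connection once the tracker has lost its state. tcpdump's `-S` option prints absolute sequence numbers throughout, which removes the ambiguity when reading a capture.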
      