Wireshark mailing list archives

Re: wireshark shows: TCP Port numbers reused on PlanetLab nodes


From: Sake Blok <sake () euronet nl>
Date: Fri, 22 Mar 2013 12:09:07 +0100

A teamed physical interface is when you combine two network cards into one logical network card. Cisco calls it 
EtherChannel, other network vendors call it trunking and Linux calls it bonding, while it is called teaming in the 
Windows world.

Of course the SYN/ACK could not have been on the network before the SYN to which it was a response, therefore for some 
reason the capture process saw the SYN/ACK earlier than the SYN. This can be caused by using two network interfaces for 
the same TCP session, as the timestamping is done in the OS and not on the network card.

Cheers,
Sake

On 22 Mar 2013, at 10:48, wen lui wrote:

What do you mean by this: "a teamed physical interface"?
There are many virtual machines in one PlanetLab node, are there any implications?

But from the time, the second packet arrives at a minus time, it means it arrives earlier than the first?

I don't know why they are out of order. Any reasons?

2013/3/21 Martin Visser <martinvisser99 () gmail com>
Very simply, you have captured packets 1 and 2 out of order. Packet 2, it would seem, is the SYN that 
initiated the SYN-ACK in packet 1. (At least it seems that way to me - a sane stack wouldn't reuse the same TCP 
source port at such a small interval). Are you running a teamed physical interface, and hence why you are capturing 
packets out of order?

Regards, Martin

MartinVisser99 () gmail com


On 21 March 2013 00:18, wen lui <esolvepolito () gmail com> wrote:
I run a simple TCP client on machine A and a simple TCP server on machine B (machine B is a PlanetLab node while 
machine A is not). 
Then the client establishes a TCP connection with machine B and sends some data.
I capture packets on both A and B. On A, Wireshark shows a normal 3-way handshake, but on B it shows 
as below:

1     0.000000        138.46.116.22   138.46.201.109  TCP     74      54000 > 57182 [SYN, ACK] Seq=0 Ack=0 Win=5792 Len=0 MSS=1460 SACK_PERM=1 TSval=1751648211 TSecr=1119925943 WS=128 0.000000
2     -0.000062       138.46.201.109  138.46.116.22   TCP     74      [TCP Port numbers reused] 57182 > 54000 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1119925943 TSecr=0 WS=128        -0.000062
3     0.000308        138.46.201.109  138.46.116.22   TCP     66      57181 > 54000 [ACK] Seq=1 Ack=1 Win=14720 Len=0 TSval=1119737278 TSecr=1751459556       0.000308

While I see on machine B, actually the TCP connection is established.
Before the client sends the SYN and ACK, I checked machine B and found no TCP connection.

netstat -tnp
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address                State       PID/Program name   
tcp        0      0 138.46.116.22:54000         138.46.201.109:57181        ESTABLISHED 17879/tcp_server 



Anyway, I can send data to the TCP server and it receives it correctly.

Why does Wireshark show "TCP Port numbers reused", and why is the time '-0.000062'?


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
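
Added example, not part of the original thread: a Python check of the explanation given above. A SYN/ACK's TSecr echoes the TSval of the SYN it answers, so a SYN whose TSval was already echoed by an earlier-captured SYN/ACK was reordered by the capture rather than sent on a reused port. Frames 1 and 2 use the values from the listing in the thread; frame 3 and all class, function and verdict names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    no: int        # frame number (order in the capture file)
    t: float       # capture timestamp relative to frame 1, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "SYN" or "SYN,ACK"
    tsval: int     # TCP timestamp option value, or None if the option is absent
    tsecr: int     # TCP timestamp echo reply, or None if the option is absent

FRAMES = [
    # Frames 1 and 2: values from the capture on machine B quoted in the thread.
    Seg(1, 0.000000, "138.46.116.22", 54000, "138.46.201.109", 57182, "SYN,ACK", 1751648211, 1119925943),
    Seg(2, -0.000062, "138.46.201.109", 57182, "138.46.116.22", 54000, "SYN", 1119925943, 0),
    # Frame 3 is constructed: a later SYN on the same ports with a new TSval.
    Seg(3, 30.000000, "138.46.201.109", 57182, "138.46.116.22", 54000, "SYN", 1119955943, 0),
]

def classify_syns(frames):
    """Map each SYN's frame number to a verdict, walking frames in file order.
    Only SYN/ACKs travelling in the reverse direction of the SYN are compared."""
    verdicts, synacks = {}, []
    for f in frames:
        if f.flags == "SYN,ACK":
            synacks.append(f)
        if f.flags != "SYN":
            continue
        verdict = "normal"
        for sa in synacks:
            if (sa.src, sa.sport, sa.dst, sa.dport) != (f.dst, f.dport, f.src, f.sport):
                continue
            if f.tsval is None or sa.tsecr is None:
                verdict = "undetermined"         # no timestamp option to compare
            elif sa.tsecr == f.tsval:
                verdict = "capture-reordered"    # the reply was captured before its request
                break
            else:
                verdict = "possible-port-reuse"  # earlier SYN/ACK answers a different SYN
        verdicts[f.no] = verdict
    return verdicts

def time_order(frames):
    return [f.no for f in sorted(frames, key=lambda f: f.t)]  # by timestamp, not file order

if __name__ == "__main__":
    print(classify_syns(FRAMES), time_order(FRAMES))
```

Sorting by timestamp puts frame 2 (the SYN) ahead of frame 1 (the SYN/ACK), which is the order the packets were actually on the wire.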

