Wireshark-users: [Wireshark-users] [RST,ACK] from IE6 on High Latency Connection

From: "Norbert Hoeller" <nhoeller@xxxxxxxx>
Date: Sun, 20 Aug 2006 11:29:39 -0400

I had originally posted this to the ethereal-users forum.  I have been going through Chris Saunders' 'Packet School' and noticed that 'Expert Info' flagged packet 7 as 'Malformed HTTP'.  This is associated with source port 2911, whereas the first RST by IE6 is on the source port 2912 session.  I see no errors on the source port 2912 session traffic.

Although the problem was consistent on the day that I captured the trace, the problem has since disappeared.  Since then, I have reset the satellite modem and wireless router a number of times.  I have switched to Firefox, so have not noticed if other sites have been failing on IE.        

Any help would be greatly appreciated!
         Thanks, Norbert

>>>>

I recently switched to a satellite Internet service, where latency is around 700ms.  Some (but not all) websites consistently will not display using IE6 (WinXP SP2), with the error "Cannot find server or DNS Error".  A few times, the page will actually start to display, but then be replaced by the error screen.  However, Firefox will display these pages without a problem.  


Tracing the IE6 traffic using Ethereal showed that the error message was erroneous - data transfer was initiated, but apparently reset by IE6.  Below is a trace.  Focusing on the source port 2912 session (marked with >>>), the server appears to be returning valid data in entry 23, but IE6 responds with a RST,ACK in line 32.  IE6 then resets the source port 2911 session in line 35.

A comparable Firefox trace looks similar, with the except that:
* Firefox is sending a much longer cookie on the initial GET, requiring a continuation packet from Firefox to the server
* Firefox returns an ACK to HTTP/1.1 200 OK (JPEG JFIF image) and the server returns the rest of the JPEG

The delay between entry 23 and 32 does not appear to be excessive, and is comparable to the delay in the Firefox trace.  I am thoroughly puzzled what might be going on here.  I suspect it is a combination of the server and the high latency Internet connection - I have no problems displaying the website using IE6 on dial.  

Any help would be greatly appreciated!
         Thanks, Norbert

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.1.2.123            72.51.25.131          TCP      2911 > http [SYN] Seq=0 Len=0 MSS=1460
      2 0.006553    72.51.25.131          10.1.2.123            TCP      http > 2911 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1448
      3 0.006674    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=1 Ack=1 Win=17376 Len=0
      4 0.008925    10.1.2.123            72.51.25.131          HTTP     GET / HTTP/1.1
      5 0.067278    72.51.25.131          10.1.2.123            TCP      http > 2911 [ACK] Seq=1 Ack=282 Win=3815 Len=0
      6 2.478983    72.51.25.131          10.1.2.123            HTTP     HTTP/1.1 200 OK
      7 2.489217    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic[Unreassembled Packet]
      8 2.489641    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=1493 Win=15884 Len=0
      9 2.489767    10.1.2.123            72.51.25.131          TCP      [TCP Window Update] 2911 > http [ACK] Seq=282 Ack=1493 Win=17376 Len=0
     10 2.500368    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     11 2.500917    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=2941 Win=17376 Len=0
>>>  12 2.506495    10.1.2.123            72.51.25.131          TCP      2912 > http [SYN] Seq=0 Len=0 MSS=1460
     13 2.514335    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
>>>  14 2.514854    72.51.25.131          10.1.2.123            TCP      http > 2912 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1448
>>>  15 2.514951    10.1.2.123            72.51.25.131          TCP      2912 > http [ACK] Seq=1 Ack=1 Win=17376 Len=0
     16 2.515059    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=4389 Win=17376 Len=0
>>>  17 2.518282    10.1.2.123            72.51.25.131          HTTP     GET /images/contestbanner_06.jpg HTTP/1.1                     (from port 2912)
     18 2.525727    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     19 2.526178    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=5837 Win=17376 Len=0
     20 2.536842    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     21 2.537338    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=7285 Win=17376 Len=0
>>>  22 2.576766    72.51.25.131          10.1.2.123            TCP      http > 2912 [ACK] Seq=1 Ack=350 Win=3747 Len=0
>>>  23 2.684184    72.51.25.131          10.1.2.123            HTTP     HTTP/1.1 200 OK (JPEG JFIF image)
     24 2.704605    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     25 2.705004    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=8733 Win=17376 Len=0
     26 2.740781    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     27 2.741193    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=10181 Win=17376 Len=0
     28 2.753169    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     29 2.753542    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=11629 Win=17376 Len=0
     30 2.773416    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     31 2.773821    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=13077 Win=17376 Len=0
>>>  32 2.777726    10.1.2.123            72.51.25.131          TCP      2912 > http [RST, ACK] Seq=350 Ack=1217 Win=0 Len=0
     33 2.780250    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic
     34 2.780623    10.1.2.123            72.51.25.131          TCP      2911 > http [ACK] Seq=282 Ack=14525 Win=17376 Len=0
     35 2.782539    10.1.2.123            72.51.25.131          TCP      2911 > http [RST, ACK] Seq=282 Ack=14525 Win=0 Len=0
     36 2.788611    72.51.25.131          10.1.2.123            HTTP     Continuation or non-HTTP traffic