Wireshark-users: Re: [Wireshark-users] Same SEQ number but different ACKs

From: "Sheahan, John" <John.Sheahan@xxxxxxxxxxxxx>
Date: Sun, 13 Apr 2008 09:27:41 -0400
this is actually code that runs on several servers that exchanges XML
data over HTTPS using the proxy. I didn't see the Encrypted Alert but
I'm going to recheck for that. I have enclosed the trace of one
conversation.
thanks 
jack

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Sunday, April 13, 2008 9:12 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Same SEQ number but different ACKs

On Sun, Apr 13, 2008 at 08:39:04AM -0400, Sheahan, John wrote:
> I thought I was on to something with the SEQ numbers and ACKs but I 
> was wrong so I'm back to the quesion of "why is my proxy server 
> sending a RST at the end of every HTTPS conversation from one
server?".
>  
> I tried running this through Wireshark's Expert and it came up with no

> errors, that would be the first way to rule out that SEQ numbers or 
> ACKs were out being incorrectly sent by the application, correct? If 
> so, I probably should have done this prior to my first post :-)

Not really, expert info is just a mechanism of pointing to interesting
frames in the capture file. It is not a quick check on the trace file
although sometimes using expert info might indeed point to a problem.

> I debugged my firewall and don't see any RSTs coming from my remote 
> destination to my proxy, I only see the RSTs coming from my proxy to 
> my client. I have sniffed other HTTPS conversations from other clients

> using the same Squid proxy but don't ever see any resets so I'm trying

> to figure out what is unique about these conversations. I also checked

> with the Squid forum and this is not any type of bug.

There are quite a few browser-workarounds in ssl session termination. So
it could be the browser version that triggers this behavior of the proxy
sending RST packets. I know older versions of IE needed a RST instead of
clean ssl shutdown (Encrypted alert, FIN/ACK/FIN/ACK).

> Here is the a snippet of the conversation in text format:

It is more useful to send this as a capture file so that it can be
loaded into wireshark for analysis. At least src and dst are really
useful in determining what is really happening:

> Application Data
> 08:55:53.042000
> http-alt > 4694 [FIN, ACK] Seq=23503 Ack=966 Win=64860 Len=0 
> 08:55:53.042000
> 4694 > http-alt [ACK] Seq=966 Ack=23503 Win=63900 Len=0 
> 08:55:53.042000
> 4694 > http-alt [ACK] Seq=966 Ack=23504 Win=65462 Len=0 
> 08:55:53.042000 Encrypted Alert 08:55:53.042000
> 4694 > http-alt [FIN, ACK] Seq=989 Ack=23503 Win=65535 Len=0 
> 08:55:53.042000 http-alt > 4694 [RST] Seq=23504 Win=64860 Len=0
> 08:55:53.042999

Which direction did the "Encrypted Alert" go? Was it client to proxy?
Or proxy to client?

Cheers,
    Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

Attachment: rst.cap
Description: rst.cap