Wireshark-users: [Wireshark-users] Bad TCP - Why ?
From: Steve Smith <smithzsteve@xxxxxxxxxxxxxx>
Date: Thu, 18 Feb 2010 09:06:04 +0000
Hello Folks
Can anyone tell me why Wireshark decides these TCP keep-alives are bad? It's not the checksum.
Any help would be much appreciated.
Below is an export of packets 28-31.
Thanks for any assistance.
No. Time Source Destination Protocol Info
28 52.431700 10.160.104.6 10.160.120.202 TCP [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0
Frame 28 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 15, 2010 17:25:45.717539000
[Time delta from previous captured frame: 7.198603000 seconds]
[Time delta from previous displayed frame: 7.198603000 seconds]
[Time since reference or first frame: 52.431700000 seconds]
Frame Number: 28
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x0565 (1381)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 60
Protocol: TCP (0x06)
Header checksum: 0x82f3 [correct]
[Good: True]
[Bad : False]
Source: 10.160.104.6 (10.160.104.6)
Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
Source port: 1124 (1124)
Destination port: 4000 (4000)
[Stream index: 0]
Sequence number: 454 (relative sequence number)
Acknowledgement number: 93 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 3072
Checksum: 0x94af [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 27]
[The RTT to ACK the segment was: 7.198603000 seconds]
[TCP Analysis Flags]
[This is a TCP keep-alive segment]
[Expert Info (Note/Sequence): Keep-Alive]
[Message: Keep-Alive]
[Severity level: Note]
[Group: Sequence]
No. Time Source Destination Protocol Info
29 52.468294 10.160.120.202 10.160.104.6 TCP [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0
Frame 29 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 15, 2010 17:25:45.754133000
[Time delta from previous captured frame: 0.036594000 seconds]
[Time delta from previous displayed frame: 0.036594000 seconds]
[Time since reference or first frame: 52.468294000 seconds]
Frame Number: 29
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0xec02 (60418)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 61
Protocol: TCP (0x06)
Header checksum: 0x5b55 [correct]
[Good: True]
[Bad : False]
Source: 10.160.120.202 (10.160.120.202)
Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
Source port: 4000 (4000)
Destination port: 1124 (1124)
[Stream index: 0]
Sequence number: 93 (relative sequence number)
Acknowledgement number: 455 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 8192
Checksum: 0x80ae [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[TCP Analysis Flags]
[This is an ACK to a TCP keep-alive segment]
[Expert Info (Note/Sequence): Keep-Alive ACK]
[Message: Keep-Alive ACK]
[Severity level: Note]
[Group: Sequence]
No. Time Source Destination Protocol Info
30 59.931091 10.160.104.6 10.160.120.202 TCP [TCP Keep-Alive] 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0
Frame 30 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 15, 2010 17:25:53.216930000
[Time delta from previous captured frame: 7.462797000 seconds]
[Time delta from previous displayed frame: 7.462797000 seconds]
[Time since reference or first frame: 59.931091000 seconds]
Frame Number: 30
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: FFFFFFFFFFFF
Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: 10.160.120.202 (10.160.120.202)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0xf3b3 (62387)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 60
Protocol: TCP (0x06)
Header checksum: 0x94a4 [correct]
[Good: True]
[Bad : False]
Source: 10.160.104.6 (10.160.104.6)
Destination: 10.160.120.202 (10.160.120.202)
Transmission Control Protocol, Src Port: 1124 (1124), Dst Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0
Source port: 1124 (1124)
Destination port: 4000 (4000)
[Stream index: 0]
Sequence number: 454 (relative sequence number)
Acknowledgement number: 93 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 3072
Checksum: 0x94af [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 29]
[The RTT to ACK the segment was: 7.462797000 seconds]
[TCP Analysis Flags]
[This is a TCP keep-alive segment]
[Expert Info (Note/Sequence): Keep-Alive]
[Message: Keep-Alive]
[Severity level: Note]
[Group: Sequence]
No. Time Source Destination Protocol Info
31 59.939739 10.160.120.202 10.160.104.6 TCP [TCP Keep-Alive ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0
Frame 31 (60 bytes on wire, 60 bytes captured)
Arrival Time: Feb 15, 2010 17:25:53.225578000
[Time delta from previous captured frame: 0.008648000 seconds]
[Time delta from previous displayed frame: 0.008648000 seconds]
[Time since reference or first frame: 59.939739000 seconds]
Frame Number: 31
Frame Length: 60 bytes
Capture Length: 60 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:tcp]
[Coloring Rule Name: Bad TCP]
[Coloring Rule String: tcp.analysis.flags]
Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
Address: 00:04:96:37:92:c8 (00:04:96:37:92:c8)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
Address: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src: 10.160.120.202 (10.160.120.202), Dst: 10.160.104.6 (10.160.104.6)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x68 (DSCP 0x1a: Assured Forwarding 31; ECN: 0x00)
0110 10.. = Differentiated Services Codepoint: Assured Forwarding 31 (0x1a)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0xec04 (60420)
Flags: 0x02 (Don't Fragment)
0.. = Reserved bit: Not Set
.1. = Don't fragment: Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 61
Protocol: TCP (0x06)
Header checksum: 0x5b53 [correct]
[Good: True]
[Bad : False]
Source: 10.160.120.202 (10.160.120.202)
Destination: 10.160.104.6 (10.160.104.6)
Transmission Control Protocol, Src Port: 4000 (4000), Dst Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0
Source port: 4000 (4000)
Destination port: 1124 (1124)
[Stream index: 0]
Sequence number: 93 (relative sequence number)
Acknowledgement number: 455 (relative ack number)
Header length: 20 bytes
Flags: 0x10 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgement: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 8192
Checksum: 0x80ae [correct]
[Good Checksum: True]
[Bad Checksum: False]
[SEQ/ACK analysis]
[TCP Analysis Flags]
[This is an ACK to a TCP keep-alive segment]
[Expert Info (Note/Sequence): Keep-Alive ACK]
[Message: Keep-Alive ACK]
[Severity level: Note]
[Group: Sequence]