Wireshark-users: Re: [Wireshark-users] Bad TCP - Why ?
From: Wes <wes_r@xxxxxxxxx>
Date: Thu, 18 Feb 2010 05:33:06 -0800 (PST)
I don't know exactly why this is set this way (mine is set this way too), but it's the Coloring Rule which seems to say, if there are any tcp.analysis.flags, Color it Bad... The flag only seems to indicate it's a keepalive packet. Maybe someone else can explain why this is set this way. Wes --- On Thu, 2/18/10, Steve Smith <smithzsteve@xxxxxxxxxxxxxx> wrote: > From: Steve Smith <smithzsteve@xxxxxxxxxxxxxx> > Subject: [Wireshark-users] Bad TCP - Why ? > To: wireshark-users@xxxxxxxxxxxxx > Date: Thursday, February 18, 2010, 4:06 AM > Hello Folks > > Can anyone tell me why Wireshark decides these TCP > keep-alives are bad ? It's not the checksum. > > Any help would be much appreciated. > > Below is an export of packets 28-31 > > Thanks for any assistance. > > > > No. Time > Source > Destination Protocol Info > 28 52.431700 10.160.104.6 > 10.160.120.202 TCP [TCP Keep-Alive] > 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0 > > > Frame 28 (60 bytes on wire, 60 bytes captured) > Arrival Time: Feb 15, 2010 17:25:45.717539000 > [Time delta from previous captured frame: > 7.198603000 seconds] > [Time delta from previous displayed frame: > 7.198603000 seconds] > > [Time since reference or first frame: 52.431700000 > seconds] > Frame Number: 28 > Frame Length: 60 bytes > Capture Length: 60 bytes > [Frame is marked: False] > [Protocols in frame: eth:ip:tcp] > > [Coloring Rule Name: Bad TCP] > [Coloring Rule String: tcp.analysis.flags] > Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), > Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f) > Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f) > > Address: 00:1e:f7:0e:7f:7f > (00:1e:f7:0e:7f:7f) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > > Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8) > Address: 00:04:96:37:92:c8 > (00:04:96:37:92:c8) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > > Type: IP (0x0800) > Trailer: FFFFFFFFFFFF > Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: > 10.160.120.202 (10.160.120.202) > Version: 4 > Header length: 20 bytes > Differentiated Services Field: 0x68 (DSCP 0x1a: > Assured Forwarding 31; ECN: 0x00) > > 0110 10.. = Differentiated Services > Codepoint: Assured Forwarding 31 (0x1a) > .... ..0. = ECN-Capable Transport (ECT): 0 > .... ...0 = ECN-CE: 0 > Total Length: 40 > Identification: 0x0565 (1381) > > Flags: 0x00 > 0.. = Reserved bit: Not Set > .0. = Don't fragment: Not Set > ..0 = More fragments: Not Set > Fragment offset: 0 > Time to live: 60 > Protocol: TCP (0x06) > > Header checksum: 0x82f3 [correct] > [Good: True] > [Bad : False] > Source: 10.160.104.6 (10.160.104.6) > Destination: 10.160.120.202 (10.160.120.202) > Transmission Control Protocol, Src Port: 1124 (1124), Dst > Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0 > > Source port: 1124 (1124) > Destination port: 4000 (4000) > [Stream index: 0] > Sequence number: 454 (relative sequence > number) > Acknowledgement number: 93 (relative ack > number) > Header length: 20 bytes > > Flags: 0x10 (ACK) > 0... .... = Congestion Window Reduced (CWR): > Not set > .0.. .... = ECN-Echo: Not set > ..0. .... = Urgent: Not set > ...1 .... = Acknowledgement: Set > .... 0... = Push: Not set > > .... .0.. = Reset: Not set > .... ..0. = Syn: Not set > .... ...0 = Fin: Not set > Window size: 3072 > Checksum: 0x94af [correct] > [Good Checksum: True] > [Bad Checksum: False] > > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: > 27] > [The RTT to ACK the segment was: 7.198603000 > seconds] > [TCP Analysis Flags] > [This is a TCP keep-alive segment] > > [Expert Info > (Note/Sequence): Keep-Alive] > [Message: > Keep-Alive] > [Severity level: > Note] > [Group: Sequence] > > > > No. Time > Source > Destination Protocol Info > > 29 52.468294 10.160.120.202 > 10.160.104.6 TCP [TCP Keep-Alive > ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0 > > Frame 29 (60 bytes on wire, 60 bytes captured) > Arrival Time: Feb 15, 2010 17:25:45.754133000 > > [Time delta from previous captured frame: > 0.036594000 seconds] > [Time delta from previous displayed frame: > 0.036594000 seconds] > [Time since reference or first frame: 52.468294000 > seconds] > Frame Number: 29 > > Frame Length: 60 bytes > Capture Length: 60 bytes > [Frame is marked: False] > [Protocols in frame: eth:ip:tcp] > [Coloring Rule Name: Bad TCP] > [Coloring Rule String: tcp.analysis.flags] > > Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), > Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8) > Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8) > Address: 00:04:96:37:92:c8 > (00:04:96:37:92:c8) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f) > Address: 00:1e:f7:0e:7f:7f > (00:1e:f7:0e:7f:7f) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > Type: IP (0x0800) > Trailer: 000000000000 > Internet Protocol, Src: 10.160.120.202 (10.160.120.202), > Dst: 10.160.104.6 (10.160.104.6) > > Version: 4 > Header length: 20 bytes > Differentiated Services Field: 0x68 (DSCP 0x1a: > Assured Forwarding 31; ECN: 0x00) > 0110 10.. = Differentiated Services > Codepoint: Assured Forwarding 31 (0x1a) > > .... ..0. = ECN-Capable Transport (ECT): 0 > .... ...0 = ECN-CE: 0 > Total Length: 40 > Identification: 0xec02 (60418) > Flags: 0x02 (Don't Fragment) > 0.. = Reserved bit: Not Set > > .1. = Don't fragment: Set > ..0 = More fragments: Not Set > Fragment offset: 0 > Time to live: 61 > Protocol: TCP (0x06) > Header checksum: 0x5b55 [correct] > [Good: True] > > [Bad : False] > Source: 10.160.120.202 (10.160.120.202) > Destination: 10.160.104.6 (10.160.104.6) > Transmission Control Protocol, Src Port: 4000 (4000), Dst > Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0 > > Source port: 4000 (4000) > Destination port: 1124 (1124) > [Stream index: 0] > Sequence number: 93 (relative sequence > number) > Acknowledgement number: 455 (relative ack > number) > Header length: 20 bytes > > Flags: 0x10 (ACK) > 0... .... = Congestion Window Reduced (CWR): > Not set > .0.. .... = ECN-Echo: Not set > ..0. .... = Urgent: Not set > ...1 .... = Acknowledgement: Set > .... 0... = Push: Not set > > .... .0.. = Reset: Not set > .... ..0. = Syn: Not set > .... ...0 = Fin: Not set > Window size: 8192 > Checksum: 0x80ae [correct] > [Good Checksum: True] > [Bad Checksum: False] > > [SEQ/ACK analysis] > [TCP Analysis Flags] > [This is an ACK to a TCP keep-alive > segment] > [Expert Info > (Note/Sequence): Keep-Alive ACK] > [Message: Keep-Alive > ACK] > > [Severity level: > Note] > [Group: Sequence] > > > > No. Time > Source > Destination Protocol Info > 30 59.931091 10.160.104.6 > 10.160.120.202 TCP [TCP Keep-Alive] > 1124 > 4000 [ACK] Seq=454 Ack=93 Win=3072 Len=0 > > > Frame 30 (60 bytes on wire, 60 bytes captured) > Arrival Time: Feb 15, 2010 17:25:53.216930000 > [Time delta from previous captured frame: > 7.462797000 seconds] > [Time delta from previous displayed frame: > 7.462797000 seconds] > > [Time since reference or first frame: 59.931091000 > seconds] > Frame Number: 30 > Frame Length: 60 bytes > Capture Length: 60 bytes > [Frame is marked: False] > [Protocols in frame: eth:ip:tcp] > > [Coloring Rule Name: Bad TCP] > [Coloring Rule String: tcp.analysis.flags] > Ethernet II, Src: 00:04:96:37:92:c8 (00:04:96:37:92:c8), > Dst: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f) > Destination: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f) > > Address: 00:1e:f7:0e:7f:7f > (00:1e:f7:0e:7f:7f) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > > Source: 00:04:96:37:92:c8 (00:04:96:37:92:c8) > Address: 00:04:96:37:92:c8 > (00:04:96:37:92:c8) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > > Type: IP (0x0800) > Trailer: FFFFFFFFFFFF > Internet Protocol, Src: 10.160.104.6 (10.160.104.6), Dst: > 10.160.120.202 (10.160.120.202) > Version: 4 > Header length: 20 bytes > Differentiated Services Field: 0x68 (DSCP 0x1a: > Assured Forwarding 31; ECN: 0x00) > > 0110 10.. = Differentiated Services > Codepoint: Assured Forwarding 31 (0x1a) > .... ..0. = ECN-Capable Transport (ECT): 0 > .... ...0 = ECN-CE: 0 > Total Length: 40 > Identification: 0xf3b3 (62387) > > Flags: 0x00 > 0.. = Reserved bit: Not Set > .0. = Don't fragment: Not Set > ..0 = More fragments: Not Set > Fragment offset: 0 > Time to live: 60 > Protocol: TCP (0x06) > > Header checksum: 0x94a4 [correct] > [Good: True] > [Bad : False] > Source: 10.160.104.6 (10.160.104.6) > Destination: 10.160.120.202 (10.160.120.202) > Transmission Control Protocol, Src Port: 1124 (1124), Dst > Port: 4000 (4000), Seq: 454, Ack: 93, Len: 0 > > Source port: 1124 (1124) > Destination port: 4000 (4000) > [Stream index: 0] > Sequence number: 454 (relative sequence > number) > Acknowledgement number: 93 (relative ack > number) > Header length: 20 bytes > > Flags: 0x10 (ACK) > 0... .... = Congestion Window Reduced (CWR): > Not set > .0.. .... = ECN-Echo: Not set > ..0. .... = Urgent: Not set > ...1 .... = Acknowledgement: Set > .... 0... = Push: Not set > > .... .0.. = Reset: Not set > .... ..0. = Syn: Not set > .... ...0 = Fin: Not set > Window size: 3072 > Checksum: 0x94af [correct] > [Good Checksum: True] > [Bad Checksum: False] > > [SEQ/ACK analysis] > [This is an ACK to the segment in frame: > 29] > [The RTT to ACK the segment was: 7.462797000 > seconds] > [TCP Analysis Flags] > [This is a TCP keep-alive segment] > > [Expert Info > (Note/Sequence): Keep-Alive] > [Message: > Keep-Alive] > [Severity level: > Note] > [Group: Sequence] > > > > No. Time > Source > Destination Protocol Info > > 31 59.939739 10.160.120.202 > 10.160.104.6 TCP [TCP Keep-Alive > ACK] 4000 > 1124 [ACK] Seq=93 Ack=455 Win=8192 Len=0 > > Frame 31 (60 bytes on wire, 60 bytes captured) > Arrival Time: Feb 15, 2010 17:25:53.225578000 > > [Time delta from previous captured frame: > 0.008648000 seconds] > [Time delta from previous displayed frame: > 0.008648000 seconds] > [Time since reference or first frame: 59.939739000 > seconds] > Frame Number: 31 > > Frame Length: 60 bytes > Capture Length: 60 bytes > [Frame is marked: False] > [Protocols in frame: eth:ip:tcp] > [Coloring Rule Name: Bad TCP] > [Coloring Rule String: tcp.analysis.flags] > > Ethernet II, Src: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f), > Dst: 00:04:96:37:92:c8 (00:04:96:37:92:c8) > Destination: 00:04:96:37:92:c8 (00:04:96:37:92:c8) > Address: 00:04:96:37:92:c8 > (00:04:96:37:92:c8) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > Source: 00:1e:f7:0e:7f:7f (00:1e:f7:0e:7f:7f) > Address: 00:1e:f7:0e:7f:7f > (00:1e:f7:0e:7f:7f) > .... ...0 .... .... .... .... = IG bit: > Individual address (unicast) > > .... ..0. .... .... .... .... = LG bit: > Globally unique address (factory default) > Type: IP (0x0800) > Trailer: 000000000000 > Internet Protocol, Src: 10.160.120.202 (10.160.120.202), > Dst: 10.160.104.6 (10.160.104.6) > > Version: 4 > Header length: 20 bytes > Differentiated Services Field: 0x68 (DSCP 0x1a: > Assured Forwarding 31; ECN: 0x00) > 0110 10.. = Differentiated Services > Codepoint: Assured Forwarding 31 (0x1a) > > .... ..0. = ECN-Capable Transport (ECT): 0 > .... ...0 = ECN-CE: 0 > Total Length: 40 > Identification: 0xec04 (60420) > Flags: 0x02 (Don't Fragment) > 0.. = Reserved bit: Not Set > > .1. = Don't fragment: Set > ..0 = More fragments: Not Set > Fragment offset: 0 > Time to live: 61 > Protocol: TCP (0x06) > Header checksum: 0x5b53 [correct] > [Good: True] > > [Bad : False] > Source: 10.160.120.202 (10.160.120.202) > Destination: 10.160.104.6 (10.160.104.6) > Transmission Control Protocol, Src Port: 4000 (4000), Dst > Port: 1124 (1124), Seq: 93, Ack: 455, Len: 0 > > Source port: 4000 (4000) > Destination port: 1124 (1124) > [Stream index: 0] > Sequence number: 93 (relative sequence > number) > Acknowledgement number: 455 (relative ack > number) > Header length: 20 bytes > > Flags: 0x10 (ACK) > 0... .... = Congestion Window Reduced (CWR): > Not set > .0.. .... = ECN-Echo: Not set > ..0. .... = Urgent: Not set > ...1 .... = Acknowledgement: Set > .... 0... = Push: Not set > > .... .0.. = Reset: Not set > .... ..0. = Syn: Not set > .... ...0 = Fin: Not set > Window size: 8192 > Checksum: 0x80ae [correct] > [Good Checksum: True] > [Bad Checksum: False] > > [SEQ/ACK analysis] > [TCP Analysis Flags] > [This is an ACK to a TCP keep-alive > segment] > [Expert Info > (Note/Sequence): Keep-Alive ACK] > [Message: Keep-Alive > ACK] > > [Severity level: > Note] > [Group: Sequence] > > > > > > > -----Inline Attachment Follows----- > > ___________________________________________________________________________ > Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx> > Archives: http://www.wireshark.org/lists/wireshark-users > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users > > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
- References:
- [Wireshark-users] Bad TCP - Why ?
- From: Steve Smith
- [Wireshark-users] Bad TCP - Why ?
- Prev by Date: Re: [Wireshark-users] Bad TCP - Why ?
- Next by Date: Re: [Wireshark-users] 802.11 monitoring help
- Previous by thread: Re: [Wireshark-users] Bad TCP - Why ?
- Next by thread: [Wireshark-users] Turn Truncation off
- Index(es):