Wireshark-users: Re: [Wireshark-users] out of port numbers

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Thu, 1 Sep 2011 11:47:41 +0200
Devices that monitor the availability of services usually terminate the session before the 3WHS is complete. This way, the probe connection only disturbs the TCP stack and not the application on the port. On load balancers this is often called a "tcp-half-open" healthcheck.

Thanks, I am learning!
 
Since your capture also shows "Port number reused", it could be that the monitoring of the service is done from the same source port each time. IIRC F5 load balancers have that habit, but I'm not 100% sure.

About 40 connections per second are being established between the client (an HTTP proxy server) and the web server, of which roughly 15% are reset before the 3-way handshake finishes. Note that there are more web servers that this proxy server connects to, so I guess 40 connections may be multiplied by some factor from the proxy's point of view. The web servers do not implement keep-alive "for technical reasons", explaining the many connections.

I am trying to find out if this high number of connections causes a bottleneck. Or is it not as high as I believe?

 
You can verify this theory by looking at the client-ip of these connections: do they come from a few sources, with each source making a connection at regular intervals (every 2 or 5 seconds, for instance)?


The tcpdump I was referring to has only one IP-level conversation in it (the proxy and one web server). This resetting of connections comes at irregular intervals (roughly: average = 4 times, min = 1, max = 9). 
 

Cheers,
Andrej
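
The check suggested in the quoted text above (do the connections that are reset before the 3WHS completes come from a few sources, at regular intervals, from a reused source port?), as an added example that is not part of the original message. The packet tuples, addresses, function names and the 0.1 regularity threshold are all assumptions constructed for illustration; in practice the tuples would be exported from the capture.

```python
from collections import defaultdict
from statistics import mean, pstdev

def half_open_resets(packets):
    """Map client IP -> [(syn_time, client_port)] for connections that were
    reset before the client's final ACK of the 3-way handshake."""
    state, resets = {}, defaultdict(list)   # state: 4-tuple -> [syn_time, stage]
    for ts, src, sport, dst, dport, flags in sorted(packets):
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == "S":                     # new attempt, also on a reused port
            state[fwd] = [ts, "syn"]
        elif flags == "SA" and rev in state:
            state[rev][1] = "synack"
        elif "R" in flags:                   # RST from either side
            key = fwd if fwd in state else rev
            if key in state:
                syn_time, stage = state.pop(key)
                if stage != "established":
                    resets[key[0]].append((syn_time, key[1]))
        elif flags == "A" and state.get(fwd, [0, ""])[1] == "synack":
            state[fwd][1] = "established"
    return dict(resets)

def profile(resets, max_cv=0.1):
    """Per client: reset count, mean gap between SYNs, source-port reuse, and
    whether gaps are regular (coefficient of variation <= max_cv, assumed)."""
    out = {}
    for ip, events in resets.items():
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        out[ip] = {"count": len(events),
                   "mean_gap": mean(gaps) if gaps else None,
                   "port_reused": len({p for _, p in events}) < len(events),
                   "periodic": cv is not None and cv <= max_cv}
    return out

# Constructed sample: (time, src, sport, dst, dport, flags); documentation addresses.
SRV = "198.51.100.5"
def attempt(t, ip, port, last="R"):          # SYN, SYN-ACK, then RST or final ACK
    return [(t, ip, port, SRV, 80, "S"), (t + .001, SRV, 80, ip, port, "SA"),
            (t + .002, ip, port, SRV, 80, last)]
SAMPLE = [p for t in (0.0, 5.0, 10.0, 15.0) for p in attempt(t, "192.0.2.10", 40000)]
for t, port in ((1.0, 50001), (1.7, 50002), (6.2, 50003), (7.0, 50004)):
    SAMPLE += attempt(t, "192.0.2.20", port)
SAMPLE += attempt(2.0, "192.0.2.20", 50005, last="A")     # completes the handshake
SAMPLE.append((2.5, "192.0.2.20", 50005, SRV, 80, "R"))   # later RST: not counted
if __name__ == "__main__":
    print(profile(half_open_resets(SAMPLE)))
```

In the constructed sample, 192.0.2.10 behaves like a half-open health check (fixed interval, same source port), while 192.0.2.20 shows irregular resets from changing ports, which points away from a monitoring probe.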