Wireshark-users: Re: [Wireshark-users] out of port numbers

From: M K <gedropi@xxxxxxxxx>
Date: Fri, 2 Sep 2011 08:35:37 -0700
But allowing port numbers to be reused on a single workstation is a potential security risk.  Right?

On Thu, Sep 1, 2011 at 12:36 AM, Sake Blok <sake@xxxxxxxxxx> wrote:
On 1 sep 2011, at 07:01, Andrej van der Zee wrote:

> > I am seeing a lot of port-reuses in the tcpdumps. The tcpdump was
> > captured on a Debian master that runs multiple Debian guests (Linux
> > VServer). Among others, it runs a proxy and application server that
> > set up a new connection for each HTTP request that is being served.
>
> On this Linux VServer, I am seeing 20.401 reused ports (filter
> tcp.analysis.reused_ports in Wireshark) in a 429 second tcpdump
> sample. Is this value not extremely high?
>
> I had some more time to look at this "issue" and I was hoping somebody could advise me. In the tcpdump I find many reset connections before the 3way handshake is even finished, for example:
>
> clt -> srv: 17:00:04.100996 SYN [Port number reused] seq=0
> clt -> srv: 17:00:04.103999 SYN seq=0
> srv -> clt: 17:00:04.104033 SYN + ACK seq=0, ack=1
> clt -> srv: 17:00:04.109510 RST seq=1
>
> Under what conditions would the client reset the connection within such a short timespan (< 10 milliseconds)?

Devices that monitor the availability of services usually terminate the session before the 3WHS is complete. This way, the probe connection only disturbs the TCP stack and not the application on the port. On loadbalancers this is often called a "tcp-half-open" healthcheck. Since your capture also shows "Port number reused", it could be that the monitoring of the service is done from the same source port each time. IIRC F5 loadbalancers have that habit, but I'm not 100% sure.

You can verify this theory by looking at the client IPs of these connections: do they come from a few sources, with each source making a connection at regular intervals (every 2 or 5 seconds, for instance)?

Cheers,
Sake
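The check Sake proposes (a few sources, the same source port each time, a RST before the handshake completes, SYNs at regular intervals), written out as an added Python example that is not part of the thread. It runs over constructed tcpdump-style lines; the addresses, ports and 2-second interval are made up for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed tcpdump-style lines (not the original capture): a monitor at 10.0.0.50 probes
# 10.0.0.9:80 every 2 s from one source port and resets after the SYN/ACK; 10.0.0.7 is a real client.
SAMPLE = """\
17:00:00.100 IP 10.0.0.50.40001 > 10.0.0.9.80: Flags [S]
17:00:00.101 IP 10.0.0.9.80 > 10.0.0.50.40001: Flags [S.]
17:00:00.105 IP 10.0.0.50.40001 > 10.0.0.9.80: Flags [R]
17:00:01.300 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [S]
17:00:01.301 IP 10.0.0.9.80 > 10.0.0.7.51000: Flags [S.]
17:00:01.302 IP 10.0.0.7.51000 > 10.0.0.9.80: Flags [.]
17:00:02.100 IP 10.0.0.50.40001 > 10.0.0.9.80: Flags [S]
17:00:02.101 IP 10.0.0.9.80 > 10.0.0.50.40001: Flags [S.]
17:00:02.106 IP 10.0.0.50.40001 > 10.0.0.9.80: Flags [R]
17:00:04.100 IP 10.0.0.50.40001 > 10.0.0.9.80: Flags [S]
17:00:04.101 IP 10.0.0.9.80 > 10.0.0.50.40001: Flags [S.]
17:00:04.104 IP 10.0.0.50.40001 > 10.0.0.9.80: Flags [R]
"""
LINE = re.compile(r"(\d+):(\d+):([\d.]+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([SRAFP.]+)\]")

def parse(text):
    """Yield (seconds, src, sport, dst, dport, flags) for every line the regex matches."""
    for m in filter(None, map(LINE.match, text.splitlines())):
        h, mi, s, src, sport, dst, dport, flags = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + float(s), src, int(sport), dst, int(dport), flags

def half_open_probes(text):
    """Return {client_ip: [(syn_time, sport), ...]} for attempts reset before the client ever ACKed."""
    pending, probes = {}, defaultdict(list)   # pending: client 4-tuple -> time of its last SYN
    for t, src, sport, dst, dport, flags in parse(text):
        key = (src, sport, dst, dport)
        if "S" in flags and "." not in flags:   # bare SYN: a new attempt from this client
            pending[key] = t
        elif key in pending:                    # next segment from the client side of that attempt
            if "R" in flags:                    # RST before the 3WHS finished: half-open probe
                probes[src].append((pending[key], sport))
            del pending[key]                    # a plain ACK means a real connection, not a probe
    return probes

def summarize(probes):
    """Per client: probe count, distinct source ports, mean SYN interval and its spread."""
    out = {}
    for ip, attempts in probes.items():
        times = sorted(t for t, _ in attempts)
        gaps = [b - a for a, b in zip(times, times[1:])]
        out[ip] = {"probes": len(attempts), "ports": len({p for _, p in attempts}),
                   "interval": round(mean(gaps), 3) if gaps else None,
                   "jitter": round(pstdev(gaps), 3) if gaps else None}
    return out

if __name__ == "__main__":
    for ip, stats in summarize(half_open_probes(SAMPLE)).items():
        print(ip, stats)   # one source port, 2 s interval, no jitter: looks like a health check
```

A client with many probes, one or two source ports and near-zero jitter matches the monitor pattern described above; real clients either complete the handshake or show irregular timing.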
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users