Bad tcp
-
Good morning I'm in a weird situation, I have a remote monitoring system which communicates with a server over TCP port 2020, but for some time now this system has given a headache, time connecting and staying out working hours, sometimes need to reset the status table, I was looking at the packages and found these errors in the checksum, this problem would be an internal or external, I'm using version 2.0 beta5 86, but 1.2.3 had the same problem
08:45:08.499404 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 63812, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e735)!)
189.11.172.xxx.2020 > 192.168.0.6.5198: Flags [.], cksum 0x66c0 (correct), seq 23, ack 392, win 65144, length 0
08:45:09.583334 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 890, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->dcff)!)
189.11.172.xxx.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x60b7 (correct), seq 23:24, ack 392, win 65144, length 1In states with problem:
tcp 189.11.172.xxx:2020 <- 192.168.0.6:5198 CLOSING:ESTABLISHED
tcp 192.168.0.6:5198 -> 192.168.2.10:48558 -> 189.11.172.xxx:2020 ESTABLISHED:CLOSINGAfter clear states from table:
tcp 189.11.172.xxx:2020 <- 192.168.0.6:5198 ESTABLISHED:ESTABLISHED
tcp 192.168.0.6:5198 -> 192.168.2.10:7881 -> 189.11.172.xxx:2020 ESTABLISHED:ESTABLISHED -
Checksum 0 is almost definitely just a side effect of hardware checksum offloading on the NICs, not that it doesn't have a checksum (which is what it's showing). That's not the issue most likely. Hard to say what might be based on that, a full pcap of the traffic should show.
-
Thanks I will try to disable the hardware checksum, I have the following scenario, multi wan and using the sticky connections
My hardware is a Dell PowerEdge 830 with a network card intel pci-and two-port Intel (R) PRO/1000.
This ip 192.168.0.6 does not use the ip load balancing rule
Full packet capture:
:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 25, offset 0, flags [none], proto TCP (6), length 44)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags, cksum 0x3ad2 (correct), seq 71807, win 512, options [mss 512], length 0
14:22:53.890951 00:13:72:3d:51:56 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.6 tell 192.168.0.254, length 28
14:22:53.894715 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.6 is-at 00:01:23:45:67:89, length 46
14:22:53.894725 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 58: (tos 0x0, ttl 112, id 7294, offset 0, flags [DF], proto TCP (6), length 44, bad cksum 0 (->c3f8)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [S.], cksum 0x0674 (correct), seq 4158274339, ack 71808, win 65535, options [mss 1360], length 0
14:22:53.917684 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 26, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1bcd (correct), seq 1, ack 1, win 512, length 0
14:22:53.944061 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 27, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x4289 (correct), seq 1:18, ack 1, win 512, length 17
14:22:54.146913 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 7342, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->c3cc)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dcd (correct), seq 1, ack 18, win 65518, length 0
14:23:00.115446 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 8926, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->bd9b)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17c4 (correct), seq 1:2, ack 18, win 65518, length 1
14:23:00.128573 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 28, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1bbb (correct), seq 18, ack 2, win 512, length 0
14:23:00.160163 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 29, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8fef (correct), seq 18:35, ack 2, win 512, length 17
14:23:00.286053 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 8990, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->bd5c)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dcc (correct), seq 2, ack 35, win 65501, length 0
14:23:02.130533 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 9286, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->bc33)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17c3 (correct), seq 2:3, ack 35, win 65501, length 1
14:23:02.143672 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 30, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1ba9 (correct), seq 35, ack 3, win 512, length 0
14:23:02.260384 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 31, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8908 (correct), seq 35:52, ack 3, win 512, length 17
14:23:02.499616 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 9292, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->bc2e)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dcb (correct), seq 3, ack 52, win 65484, length 0
14:23:04.149241 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 13096, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->ad51)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17c2 (correct), seq 3:4, ack 52, win 65484, length 1
14:23:04.162370 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 32, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b97 (correct), seq 52, ack 4, win 512, length 0
14:24:04.269035 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 33, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x88f6 (correct), seq 52:69, ack 4, win 512, length 17
14:24:04.484486 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 35538, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->55a8)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dca (correct), seq 4, ack 69, win 65467, length 0
14:24:06.228724 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 37518, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->4deb)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17c1 (correct), seq 4:5, ack 69, win 65467, length 1
14:24:06.241845 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 34, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b85 (correct), seq 69, ack 5, win 512, length 0
14:25:06.332904 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 35, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x88e4 (correct), seq 69:86, ack 5, win 512, length 17
14:25:06.645034 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 57832, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->fe91)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc9 (correct), seq 5, ack 86, win 65450, length 0
14:25:07.818338 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 58887, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->fa71)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17c0 (correct), seq 5:6, ack 86, win 65450, length 1
14:25:07.831618 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 36, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b73 (correct), seq 86, ack 6, win 512, length 0
14:26:07.906521 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 37, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x88d2 (correct), seq 86:103, ack 6, win 512, length 17
14:26:08.101477 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 22863, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->872b)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc8 (correct), seq 6, ack 103, win 65433, length 0
14:26:09.982627 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 28421, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->7174)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17bf (correct), seq 6:7, ack 103, win 65433, length 1
14:26:09.995906 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 38, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b61 (correct), seq 103, ack 7, win 512, length 0
14:27:10.110315 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 39, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x88c0 (correct), seq 103:120, ack 7, win 512, length 17
14:27:10.264007 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 42990, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->388c)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc7 (correct), seq 7, ack 120, win 65416, length 0
14:27:11.820371 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 46944, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->2919)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17be (correct), seq 7:8, ack 120, win 65416, length 1
14:27:11.833495 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 40, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b4f (correct), seq 120, ack 8, win 512, length 0
14:28:11.874158 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 41, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x88ae (correct), seq 120:137, ack 8, win 512, length 17
14:28:12.020896 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 62714, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->eb7f)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc6 (correct), seq 8, ack 137, win 65399, length 0
14:28:13.021934 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 5, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->e074)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17bd (correct), seq 8:9, ack 137, win 65399, length 1
14:28:13.035055 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 42, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b3d (correct), seq 137, ack 9, win 512, length 0
14:29:13.137623 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 43, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x889c (correct), seq 137:154, ack 9, win 512, length 17
14:29:13.277459 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 25053, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7e9d)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc5 (correct), seq 9, ack 154, win 65382, length 0
14:29:14.742105 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 28478, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->713b)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17bc (correct), seq 9:10, ack 154, win 65382, length 1
14:29:14.755538 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 44, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b2b (correct), seq 154, ack 10, win 512, length 0
14:30:14.801931 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 45, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x888a (correct), seq 154:171, ack 10, win 512, length 17
14:30:14.937030 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 44442, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->32e0)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc4 (correct), seq 10, ack 171, win 65365, length 0
14:30:16.511367 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 48378, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->237f)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17bb (correct), seq 10:11, ack 171, win 65365, length 1
14:30:16.545393 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 46, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b19 (correct), seq 171, ack 11, win 512, length 0
14:31:16.664990 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 47, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8878 (correct), seq 171:188, ack 11, win 512, length 17
14:31:16.793237 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 64740, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e395)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc3 (correct), seq 11, ack 188, win 65348, length 0
14:31:18.187426 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 2948, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->d4f5)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17ba (correct), seq 11:12, ack 188, win 65348, length 1
14:31:18.200547 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 48, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1b07 (correct), seq 188, ack 12, win 512, length 0
14:32:18.278768 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 49, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8866 (correct), seq 188:205, ack 12, win 512, length 17
14:32:18.460553 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 30716, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->687e)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc2 (correct), seq 12, ack 205, win 65331, length 0
14:32:19.995034 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 33934, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->5beb)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17b9 (correct), seq 12:13, ack 205, win 65331, length 1
14:32:20.008156 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 50, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1af5 (correct), seq 205, ack 13, win 512, length 0
14:33:20.142437 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 51, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8854 (correct), seq 205:222, ack 13, win 512, length 17
14:33:20.311261 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 57285, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->b5)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc1 (correct), seq 13, ack 222, win 65314, length 0
14:33:21.592504 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 62027, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->ee2d)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17b8 (correct), seq 13:14, ack 222, win 65314, length 1
14:33:21.605625 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1ae3 (correct), seq 222, ack 14, win 512, length 0
14:34:21.706079 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 53, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8842 (correct), seq 222:239, ack 14, win 512, length 17
14:34:21.874008 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 16762, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->9f00)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dc0 (correct), seq 14, ack 239, win 65297, length 0
14:34:23.069677 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 19687, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->9392)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17b7 (correct), seq 14:15, ack 239, win 65297, length 1
14:34:23.083110 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 54, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1ad1 (correct), seq 239, ack 15, win 512, length 0
14:35:23.169709 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 55, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x8830 (correct), seq 239:256, ack 15, win 512, length 17
14:35:23.425886 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 21126, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->8df4)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dbf (correct), seq 15, ack 256, win 65280, length 0
14:35:28.691975 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 25149, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->7e3c)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17b6 (correct), seq 15:16, ack 256, win 65280, length 1
14:35:28.705101 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 56, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1abf (correct), seq 256, ack 16, win 512, length 0
14:36:28.774913 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 57, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x881e (correct), seq 256:273, ack 16, win 512, length 17
14:36:28.923727 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 42895, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->38eb)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dbe (correct), seq 16, ack 273, win 65263, length 0
14:36:30.669200 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 47774, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->25db)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17b5 (correct), seq 16:17, ack 273, win 65263, length 1
14:36:30.682631 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 58, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1aad (correct), seq 273, ack 17, win 512, length 0
14:37:30.738578 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 71: (tos 0x0, ttl 64, id 59, offset 0, flags [none], proto TCP (6), length 57)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [P.], cksum 0x880c (correct), seq 273:290, ack 17, win 512, length 17
14:37:30.866397 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 112, id 7132, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->c49e)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [.], cksum 0x1dbd (correct), seq 17, ack 290, win 65246, length 0
14:37:31.959864 00:13:72:3d:51:56 > 00:01:23:45:67:89, ethertype IPv4 (0x0800), length 55: (tos 0x0, ttl 112, id 9865, offset 0, flags [DF], proto TCP (6), length 41, bad cksum 0 (->b9f0)!)
189.11.172.XXX.2020 > 192.168.0.6.5198: Flags [P.], cksum 0x17b4 (correct), seq 17:18, ack 290, win 65246, length 1
14:37:31.972989 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 60, offset 0, flags [none], proto TCP (6), length 40)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags [.], cksum 0x1a9b (correct), seq 290, ack 18, win 512, length 0
14:38:11.082563 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 61, offset 0, flags [none], proto TCP (6), length 44)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags, cksum 0xd4ac (correct), seq 163491, win 512, options [mss 512], length 0
14:38:22.085896 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 62, offset 0, flags [none], proto TCP (6), length 44)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags, cksum 0xd4ab (correct), seq 163492, win 512, options [mss 512], length 0
14:38:30.232390 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 63, offset 0, flags [none], proto TCP (6), length 44)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags, cksum 0xcd32 (correct), seq 165405, win 512, options [mss 512], length 0
14:38:41.251164 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 64, offset 0, flags [none], proto TCP (6), length 44)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags, cksum 0xcd31 (correct), seq 165406, win 512, options [mss 512], length 0
14:39:00.281650 00:01:23:45:67:89 > 00:13:72:3d:51:56, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 65, offset 0, flags [none], proto TCP (6), length 44)
192.168.0.6.5198 > 189.11.172.XXX.2020: Flags, cksum 0xc176 (correct), seq 168409, win 512, options [mss 512], length 0 -
No need to disable hardware checksum offloading. By "full pcap" I mean an actual pcap file, not more text.
-
Okay sorry and how do I send the file
-
If you're capturing at Diag>Packet Capture, click the Download button when finished. Otherwise see the tcpdump man page for -w
-
Sure it already understood, the detail was what to do with it, I downloaded Wireshark but now lack the knowledge to understand the messages from what I saw over the expected return is not the same as the original something, I send you this file, if possible
-
You can email it to me (cmb at pfsense dot org) and reference this thread.
-
The problem is the device that's opening the connection tries to open a new connection using the same source and destination IPs and ports, without first closing the previous connection. If you open the pcap file you sent me in Wireshark, you'll see it warns on "TCP Port numbers reused" at the end. The last 5 packets are TCP SYNs attempting to open a new connection with the exact same parameters as the connection it still has open from earlier in the capture.
PF relies on the source and destination IPs and ports to track TCP states. When something has an active connection, then tries to open the exact same connection again, PF drops it as it looks like spoofed traffic (you should never be opening a connection that's already open).
It's a bug of some sort in the application or OS that's initiating the traffic. If it's given up on the old connection for some reason, it must close that connection before opening the same connection again. If it wants multiple simultaneous connections (which does not appear to be the case), it needs to use random source ports as every OS in the past 10+ years does, where it's using a fixed source port now.
-
Thank you very much