TCP packet diagnosis question - cannot see retransmission

Status
Not open for further replies.

sovata

Programmer
Nov 24, 2011
Hi all

I am doing an experiment using tcpdump, where I start a file transmission from a server to my client PC and in the middle I unplug the Ethernet cable for a while and then plug it back in. After the brief interruption the transmission finishes successfully.

The problem is that when I look at the tcpdump log, I expect to see repeated ACKs from the client to the server and repeated SEQ numbers from the server to the client. I am not able to see any of these and I was wondering if someone might know why this is.

Details:

I use command:
tcpdump -i eth0 port ftp -n -tttt > /etc/outfile.txt &

Then I connect to ftp and do a get; after the file download starts I unplug the Ethernet cable, wait a while, and plug it back in. The file download completes.

The dump file says:
(Note: I've edited out some of the irrelevant info to make it a bit more readable.)

11:44:08 IP CLIENT > SERVER: S 3293820935:3293820935(0) win 5840 <mss 1460,sackOK,timestamp 1382313 0,nop,wscale 7>
11:44:08 IP SERVER > CLIENT: S 144274921:144274921(0) ack 3293820936 win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 564022804 1382313,sackOK,eol>
11:44:08 IP CLIENT > SERVER: . ack 1 win 46 <nop,nop,timestamp 1382314 564022804>
11:44:08 IP SERVER > CLIENT: . ack 1 win 65535 <nop,nop,timestamp 564022804 1382314>
11:44:08 IP SERVER > CLIENT: . 1:47(46) ack 1 win 65535 <nop,nop,timestamp 564022805 1382314>
11:44:08 IP CLIENT > SERVER: . ack 47 win 46 <nop,nop,timestamp 1382326 564022805>
11:44:08 IP SERVER > CLIENT: P 47:66(19) ack 1 win 65535 <nop,nop,timestamp 564022805 1382326>
11:44:08 IP CLIENT > SERVER: . ack 66 win 46 <nop,nop,timestamp 1382327 564022805>
11:44:08 IP CLIENT > SERVER: P 1:14(13) ack 66 win 46 <nop,nop,timestamp 1382327 564022805>
11:44:08 IP SERVER > CLIENT: . ack 14 win 65535 <nop,nop,timestamp 564022805 1382327>
11:44:08 IP SERVER > CLIENT: P 66:112(46) ack 14 win 65535 <nop,nop,timestamp 564022805 1382327>
11:44:08 IP CLIENT > SERVER: P 14:32(18) ack 112 win 46 <nop,nop,timestamp 1382328 564022805>
11:44:08 IP SERVER > CLIENT: . ack 32 win 65535 <nop,nop,timestamp 564022805 1382328>
11:44:08 IP SERVER > CLIENT: P 112:158(46) ack 32 win 65535 <nop,nop,timestamp 564022805 1382328>
11:44:08 IP CLIENT > SERVER: . ack 158 win 46 <nop,nop,timestamp 1382368 564022805>
11:44:11 IP CLIENT > SERVER: P 32:49(17) ack 158 win 46 <nop,nop,timestamp 1385374 564022805>
11:44:11 IP SERVER > CLIENT: . ack 49 win 65535 <nop,nop,timestamp 564022835 1385374>
11:44:11 IP SERVER > CLIENT: P 158:197(39) ack 49 win 65535 <nop,nop,timestamp 564022835 1385374>
11:44:11 IP CLIENT > SERVER: . ack 197 win 46 <nop,nop,timestamp 1385375 564022835>

11:44:34 IP CLIENT > SERVER: P 49:66(17) ack 197 win 46 <nop,nop,timestamp 1408314 564022835>
11:44:34 IP SERVER > CLIENT: . ack 66 win 65535 <nop,nop,timestamp 564023064 1408314>
11:44:34 IP SERVER > CLIENT: P 197:229(32) ack 66 win 65535 <nop,nop,timestamp 564023065 1408314>
11:44:34 IP CLIENT > SERVER: . ack 229 win 46 <nop,nop,timestamp 1408344 564023065>
11:44:34 IP CLIENT > SERVER: P 66:72(6) ack 229 win 46 <nop,nop,timestamp 1408344 564023065>
11:44:34 IP SERVER > CLIENT: . ack 72 win 65535 <nop,nop,timestamp 564023065 1408344>
11:44:34 IP SERVER > CLIENT: P 229:273(44) ack 72 win 65535 <nop,nop,timestamp 564023065 1408344>
11:44:34 IP CLIENT > SERVER: . ack 273 win 46 <nop,nop,timestamp 1408385 564023065>
11:44:38 IP CLIENT > SERVER: P 72:84(12) ack 273 win 46 <nop,nop,timestamp 1412186 564023065>
11:44:38 IP SERVER > CLIENT: . ack 84 win 65535 <nop,nop,timestamp 564023103 1412186>
11:44:38 IP SERVER > CLIENT: P 273:302(29) ack 84 win 65535 <nop,nop,timestamp 564023103 1412186>
11:44:38 IP CLIENT > SERVER: . ack 302 win 46 <nop,nop,timestamp 1412188 564023103>

11:44:52 IP CLIENT > SERVER: P 84:92(8) ack 302 win 46 <nop,nop,timestamp 1426309 564023103>
11:44:52 IP SERVER > CLIENT: . ack 92 win 65535 <nop,nop,timestamp 564023244 1426309>
11:44:52 IP SERVER > CLIENT: P 302:322(20) ack 92 win 65535 <nop,nop,timestamp 564023244 1426309>
11:44:52 IP CLIENT > SERVER: . ack 322 win 46 <nop,nop,timestamp 1426309 564023244>
11:44:52 IP CLIENT > SERVER: P 92:98(6) ack 322 win 46 <nop,nop,timestamp 1426309 564023244>
11:44:52 IP SERVER > CLIENT: . ack 98 win 65535 <nop,nop,timestamp 564023244 1426309>
11:44:52 IP SERVER > CLIENT: P 322:373(51) ack 98 win 65535 <nop,nop,timestamp 564023244 1426309>
11:44:52 IP CLIENT > SERVER: P 98:112(14) ack 373 win 46 <nop,nop,timestamp 1426310 564023244>
11:44:52 IP SERVER > CLIENT: . ack 112 win 65535 <nop,nop,timestamp 564023244 1426310>
11:44:52 IP SERVER > CLIENT: P 373:446(73) ack 112 win 65535 <nop,nop,timestamp 564023244 1426310>
11:44:52 IP CLIENT > SERVER: . ack 446 win 46 <nop,nop,timestamp 1426351 564023244>
11:45:55 IP SERVER > CLIENT: P 446:470(24) ack 112 win 65535 <nop,nop,timestamp 564023878 1426351>
11:45:55 IP CLIENT > SERVER: . ack 470 win 46 <nop,nop,timestamp 1489710 564023878>
11:45:59 IP CLIENT > SERVER: P 112:118(6) ack 470 win 46 <nop,nop,timestamp 1493007 564023878>
11:45:59 IP SERVER > CLIENT: . ack 118 win 65535 <nop,nop,timestamp 564023911 1493007>
11:45:59 IP SERVER > CLIENT: P 470:476(6) ack 118 win 65535 <nop,nop,timestamp 564023911 1493007>
11:45:59 IP CLIENT > SERVER: . ack 476 win 46 <nop,nop,timestamp 1493007 564023911>
11:45:59 IP SERVER > CLIENT: P 476:680(204) ack 118 win 65535 <nop,nop,timestamp 564023911 1493007>
11:45:59 IP CLIENT > SERVER: . ack 680 win 54 <nop,nop,timestamp 1493008 564023911>
11:45:59 IP CLIENT > SERVER: F 118:118(0) ack 680 win 54 <nop,nop,timestamp 1493008 564023911>
11:45:59 IP SERVER > CLIENT: F 680:680(0) ack 118 win 65535 <nop,nop,timestamp 564023911 1493008>
11:45:59 IP CLIENT > SERVER: . ack 681 win 54 <nop,nop,timestamp 1493009 564023911>
11:45:59 IP SERVER > CLIENT: F 680:680(0) ack 119 win 65535 <nop,nop,timestamp 564023911 1493008>
11:45:59 IP SERVER > CLIENT: . ack 119 win 65535 <nop,nop,timestamp 564023911 1493009>

------------------------------------


Here is a version without the P packets from the client to the server and without the ACKs from the server:

11:44:08 IP CLIENT > SERVER: S 3293820935:3293820935(0)
11:44:08 IP SERVER > CLIENT: S 144274921:144274921(0) ack 3293820936
11:44:08 IP CLIENT > SERVER: . ack 1
11:44:08 IP SERVER > CLIENT: . 1:47(46) ack 1
11:44:08 IP CLIENT > SERVER: . ack 47
11:44:08 IP SERVER > CLIENT: P 47:66(19) ack 1
11:44:08 IP CLIENT > SERVER: . ack 66
11:44:08 IP SERVER > CLIENT: P 66:112(46) ack 14
11:44:08 IP SERVER > CLIENT: P 112:158(46) ack 32
11:44:08 IP CLIENT > SERVER: . ack 158
11:44:11 IP SERVER > CLIENT: P 158:197(39) ack 49
11:44:11 IP CLIENT > SERVER: . ack 197

11:44:34 IP SERVER > CLIENT: P 197:229(32) ack 66
11:44:34 IP CLIENT > SERVER: . ack 229
11:44:34 IP SERVER > CLIENT: P 229:273(44) ack 72
11:44:34 IP CLIENT > SERVER: . ack 273
11:44:38 IP SERVER > CLIENT: P 273:302(29) ack 84
11:44:38 IP CLIENT > SERVER: . ack 302

11:44:52 IP SERVER > CLIENT: P 302:322(20) ack 92
11:44:52 IP CLIENT > SERVER: . ack 322
11:44:52 IP SERVER > CLIENT: P 322:373(51) ack 98
11:44:52 IP SERVER > CLIENT: P 373:446(73) ack 112
11:44:52 IP CLIENT > SERVER: . ack 446
11:45:55 IP SERVER > CLIENT: P 446:470(24) ack 112
11:45:55 IP CLIENT > SERVER: . ack 470
11:45:59 IP SERVER > CLIENT: P 470:476(6) ack 118
11:45:59 IP CLIENT > SERVER: . ack 476
11:45:59 IP SERVER > CLIENT: P 476:680(204) ack 118
11:45:59 IP CLIENT > SERVER: . ack 680
11:45:59 IP CLIENT > SERVER: F 118:118(0) ack 680
11:45:59 IP SERVER > CLIENT: F 680:680(0) ack 118
11:45:59 IP CLIENT > SERVER: . ack 681
11:45:59 IP SERVER > CLIENT: F 680:680(0) ack 119


-------------------------------

The blank lines are where I see the pauses. But I do not see anything else, such as repeated ACKs from the client to the server, or repeated SEQ numbers from the server to the client. The transmission just continues where it got paused.

Would you say this is normal? What might I be doing wrong?

Thank you
Nik

 
I believe that you will need to look at ports 20 and 21 (ftp-data and ftp). Right now I believe that you are only capturing the control channel of the session, not the data flow.

Try:
Code:
# quote the filter: unquoted parentheses are a subshell to the shell, not part of the tcpdump expression
tcpdump -i eth0 'port (ftp or ftp-data)' -n -tttt > /etc/outfile.txt &

If you are ftping in PASV mode, you will need to just capture everything and filter it down to the relevant ports later.

You might want to use Wireshark vice tcpdump so that you have better tools to analyze the data stream in real-time. If you don't want to install it, you can always download Backtrack and run it from a bootable CD.


pansophic
 

A better way to test is using a firewall. For example, if your client is a Linux box, simply add an iptables/firewall rule to stop it from sending any traffic/reply/ACK out to the FTP server and then see the fun.

Then you must be able to see the same sequence of segments coming back from the server.


Regards
usman
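As an added example (not from this thread, and not a tool either poster used), here is a small Python analyzer for the old-style tcpdump TCP lines quoted above. It reports which FTP channels a capture actually contains, which is pansophic's point about "port ftp" catching only the control connection, and flags the two signatures the question was looking for: a data segment whose starting sequence number was already seen in that direction (a retransmission) and a pure ACK repeating the previous ACK number (a duplicate ACK). Hosts, ports and both captures are constructed: the first mirrors the control-channel-only trace from the question, the second models usman's suggestion of dropping the client's outbound ACKs with iptables on an active-mode data connection (server port 20). One caveat on the cable-pull method: segments the server resends while the client's cable is unplugged never reach the client's NIC, so a tcpdump running on the client cannot contain them; the firewall variant keeps the link up, so the server's repeats do arrive and are visible.

```python
import re
from collections import defaultdict

# tcpdump 3.x/4.0-style TCP summary line, as quoted in the thread. The pattern
# accepts the full "-tttt" timestamp (date + time) as well as the bare time
# used in the constructed samples below.
#   11:44:08 IP 10.0.0.1.21 > 10.0.0.2.40001: P 47:66(19) ack 1 win 65535 <...>
LINE_RE = re.compile(
    r"^(?P<ts>.+?) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[SFPR.]+)"
    r"(?: (?P<seq>\d+):\d+\((?P<len>\d+)\))?(?: ack (?P<ack>\d+))?"
)


def parse(line):
    """Return the fields of one tcpdump TCP line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["seq"] = int(d["seq"]) if d["seq"] else None
    d["len"] = int(d["len"]) if d["len"] else 0
    d["ack"] = int(d["ack"]) if d["ack"] else None
    return d


def analyze(text):
    """Flag retransmitted data segments and duplicate ACKs per direction and
    collect the TCP ports present, so the caller can see which channels the
    capture actually contains."""
    seen_seq = defaultdict(set)  # direction -> seq numbers of data segments seen
    last_ack = {}                # direction -> ack number of the last pure ACK
    report = {"retransmissions": [], "dup_acks": [], "ports": set()}
    for raw in text.splitlines():
        p = parse(raw)
        if p is None:
            continue
        direction = (p["src"], p["sport"], p["dst"], p["dport"])
        report["ports"].update((p["sport"], p["dport"]))
        if p["len"] > 0:
            # Same starting seq as an earlier data segment in this direction:
            # the sender resent it because no ACK for it arrived in time.
            if p["seq"] in seen_seq[direction]:
                report["retransmissions"].append((p["ts"], direction, p["seq"]))
            seen_seq[direction].add(p["seq"])
        elif p["ack"] is not None and not ({"S", "F"} & set(p["flags"])):
            # Pure ACK repeating the previous ACK number: the receiver is
            # telling the sender that data after `ack` arrived out of order.
            if last_ack.get(direction) == p["ack"]:
                report["dup_acks"].append((p["ts"], direction, p["ack"]))
            last_ack[direction] = p["ack"]
    return report


def ftp_channels(report):
    """Name the active-mode FTP channels present: control (21) and data (20).
    A PASV data connection uses the port announced in the 227 reply instead,
    so it has to be picked out of a full capture by hand."""
    return [name for name, port in (("control", 21), ("data", 20))
            if port in report["ports"]]


# Constructed capture 1: what "port ftp" alone yields, modelled on the thread's
# trace (control channel only; addresses and ports invented).
CONTROL_ONLY = "\n".join([
    "11:44:08 IP 10.0.0.2.40001 > 10.0.0.1.21: S 3293820935:3293820935(0) win 5840 <mss 1460,sackOK>",
    "11:44:08 IP 10.0.0.1.21 > 10.0.0.2.40001: S 144274921:144274921(0) ack 3293820936 win 65535 <mss 1460>",
    "11:44:08 IP 10.0.0.2.40001 > 10.0.0.1.21: . ack 1 win 46",
    "11:44:08 IP 10.0.0.1.21 > 10.0.0.2.40001: P 47:66(19) ack 1 win 65535",
    "11:44:08 IP 10.0.0.2.40001 > 10.0.0.1.21: . ack 66 win 46",
    "11:44:52 IP 10.0.0.1.21 > 10.0.0.2.40001: P 373:446(73) ack 112 win 65535",
    "11:44:52 IP 10.0.0.2.40001 > 10.0.0.1.21: . ack 446 win 46",
    "11:45:55 IP 10.0.0.1.21 > 10.0.0.2.40001: P 446:470(24) ack 112 win 65535",
    "11:45:55 IP 10.0.0.2.40001 > 10.0.0.1.21: . ack 470 win 46",
])

# Constructed capture 2: the active-mode data channel (server port 20), taken on
# the client; handshake omitted. Segment 1461:2921 is lost on the way in, so it
# is absent and the client answers the next three segments with duplicate ACKs
# for 1461 until the server resends it. Later an iptables rule drops the
# client's outbound ACKs (they never reach tcpdump), so the server resends
# 7301:8761 twice before the rule is removed and the ACK gets through.
DATA_CHANNEL = "\n".join([
    "11:44:53 IP 10.0.0.1.20 > 10.0.0.2.40002: . 1:1461(1460) ack 1 win 65535",
    "11:44:53 IP 10.0.0.2.40002 > 10.0.0.1.20: . ack 1461 win 91",
    "11:44:53 IP 10.0.0.1.20 > 10.0.0.2.40002: . 2921:4381(1460) ack 1 win 65535",
    "11:44:53 IP 10.0.0.2.40002 > 10.0.0.1.20: . ack 1461 win 91",
    "11:44:53 IP 10.0.0.1.20 > 10.0.0.2.40002: . 4381:5841(1460) ack 1 win 65535",
    "11:44:53 IP 10.0.0.2.40002 > 10.0.0.1.20: . ack 1461 win 91",
    "11:44:53 IP 10.0.0.1.20 > 10.0.0.2.40002: . 5841:7301(1460) ack 1 win 65535",
    "11:44:53 IP 10.0.0.2.40002 > 10.0.0.1.20: . ack 1461 win 91",
    "11:44:53 IP 10.0.0.1.20 > 10.0.0.2.40002: . 1461:2921(1460) ack 1 win 65535",
    "11:44:53 IP 10.0.0.2.40002 > 10.0.0.1.20: . ack 7301 win 91",
    "11:44:53 IP 10.0.0.1.20 > 10.0.0.2.40002: P 7301:8761(1460) ack 1 win 65535",
    "11:44:54 IP 10.0.0.1.20 > 10.0.0.2.40002: P 7301:8761(1460) ack 1 win 65535",
    "11:44:56 IP 10.0.0.1.20 > 10.0.0.2.40002: P 7301:8761(1460) ack 1 win 65535",
    "11:44:57 IP 10.0.0.2.40002 > 10.0.0.1.20: . ack 8761 win 91",
])

if __name__ == "__main__":
    for label, capture in (("port ftp only", CONTROL_ONLY), ("data channel", DATA_CHANNEL)):
        r = analyze(capture)
        print(f"{label}: channels={ftp_channels(r)} "
              f"retransmissions={len(r['retransmissions'])} dup_acks={len(r['dup_acks'])}")
        for ts, (src, sp, dst, dp), seq in r["retransmissions"]:
            print(f"  {ts} {src}.{sp} > {dst}.{dp} resent seq {seq}")
```

To run it over a real file, feed the text of the tcpdump output to analyze(); the control-only sample yields no retransmissions and no duplicate ACKs, exactly the quiet trace the question shows, while the data-channel sample shows three duplicate ACKs for 1461 and two repeats of segment 7301.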
 
