Wireshark-users: Re: [Wireshark-users] out of port numbers
Date Prev · Date Next · Thread Prev · Thread Next
From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 1 Sep 2011 09:36:59 +0200
On 1 sep 2011, at 07:01, Andrej van der Zee wrote:

> > I am seeings a lot of port-reuses in the tcpdumps. The tcpdump was
> > captured on a Debian master that runs multiple Debian guests (Linux
> > VServer). Among others, it runs a proxy and application server that
> > setup a new connection for each HTTP request that is being served.
> 
> On this Linux VServer, I am seeing 20.401 reused ports (filter
> tcp.analysis.reused_ports in Wireshark) in a 429 second tcpdump
> sample. Is this value not extremely high?
> 
> I had some more time to look at this "issue" and I was hoping somebody could advise me. In the tcpdump I find many reset connections before the 3way handshake is even finished, for example:
> 
> clt -> srv: 17:00:04.100996 SYN [Port number resused] seq=0
> clt -> srv: 17:00:04.103999 SYN seq=0
> srv -> clt: 17:00:04.104033 SYN + ACK seq=0, ack=1
> clt -> srv: 17:00:04.109510 RST seq=1
> 
> Under what conditions would the client reset the connection within such a short timespan (< 10 millisecond)? 

Devices that monitor the availability of services usually terminate the session before the 3WHS is complete. This way, the probe connection only disturbs the TCP stack and not the application on the port. On loadbalancers this is often called a "tcp-half-open" healthcheck. Since your capture also shows "Port number reused", it could be that the monitoring of the service is done from the same source port each time. IIRC F5 loadbalancers have that habit, but I'm not 100% sure.

You can verify this theory by looking at the client-ip of these connections, do they come from a few sources with each source making a connection at regular intervals (every 2 or 5 seconds for instance)?

Cheers,
Sake