I ran across a small problem with retransmissions that are false positives.
Here are two packets, one of which was labelled a retransmission:
---------------------------------------[Snip]------------------------------------------------------------------------
No. Time Source Destination Protocol Info
16 0.107557 165.115.62.75 216.240.70.39 SSLv3 Continuation Data, [Unreassembled Packet]
Frame 16 (594 bytes on wire, 594 bytes captured)
Ethernet II, Src: 00:30:48:2a:57:69, Dst: 00:50:5a:73:3e:01
Internet Protocol, Src Addr: 165.115.62.75 (165.115.62.75), Dst Addr: 216.240.70.39 (216.240.70.39)
Transmission Control Protocol, Src Port: https (443), Dst Port: 1131 (1131), Seq: 1072, Ack: 0, Len: 536
Source port: https (443)
Destination port: 1131 (1131)
Sequence number: 1072 (relative sequence number)
Next sequence number: 1608 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 5840
Checksum: 0x1dd3 (correct)
Secure Socket Layer
[Unreassembled Packet: SSL]
No. Time Source Destination Protocol Info
19 0.109021 165.115.62.75 216.240.70.39 SSLv3 [TCP Retransmission] Continuation Data, [Unreassembled Packet]
Frame 19 (594 bytes on wire, 594 bytes captured)
Ethernet II, Src: 00:a0:8e:77:e6:19, Dst: 00:a0:8e:77:a5:75
Internet Protocol, Src Addr: 165.115.62.75 (165.115.62.75), Dst Addr: 216.240.70.39 (216.240.70.39)
Transmission Control Protocol, Src Port: https (443), Dst Port: 1131 (1131), Seq: 1072, Ack: 0, Len: 536
Source port: https (443)
Destination port: 1131 (1131)
Sequence number: 1072 (relative sequence number)
Next sequence number: 1608 (relative sequence number)
Acknowledgement number: 0 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
Window size: 5840
Checksum: 0x1dd3 (correct)
SEQ/ACK analysis
Secure Socket Layer
[Unreassembled Packet: SSL]
---------------------------------------------------------[EOS]--------------------------------------------------------------
The problem is that this packet is only a retransmission at the TCP
level, but in actual fact it is a copy of a packet between completely
different MAC addresses. The reason I am seeing this is because of load
balanced firewalls exchanging each packet between themselves. Let's not
talk about the evilness of this occurring on the network, but look at
possibly changing the way Ethereal decides if a packet is a retransmission.
Don Lafontaine
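An added example, not from the post and not Ethereal's own SEQ/ACK analysis code: a simplified Python classifier for the check the post proposes. A repeated (flow, seq, len) is labelled a retransmission only when the Ethernet addresses match the first sighting; otherwise it is reported as a copy seen on a different layer-2 path. Frames 16 and 19 are built from the capture above; frame 25 is a constructed, hypothetical genuine retransmission added to show the contrast.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """Fields a dissector would hand over for one TCP segment."""
    frame: int
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int        # relative sequence number
    length: int     # TCP payload length


def classify(segments):
    """Return {frame: label} in capture order.

    Simplified stand-in for the retransmission heuristic: a segment that repeats
    an already-seen (flow, seq, len) is a retransmission only if it travelled
    between the same MAC pair; a repeat on a different MAC pair is a duplicate
    copy of the same packet (e.g. two load-balanced firewalls relaying it).
    """
    seen = {}      # (flow, seq, length) -> first Segment carrying that data
    labels = {}
    for s in segments:
        flow = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        key = (flow, s.seq, s.length)
        first = seen.get(key)
        if first is None:
            seen[key] = s
            labels[s.frame] = "ok"
        elif (first.src_mac, first.dst_mac) == (s.src_mac, s.dst_mac):
            labels[s.frame] = "TCP Retransmission"
        else:
            labels[s.frame] = f"Duplicate of frame {first.frame} via different L2 path"
    return labels


# Frames 16 and 19 are taken from the capture in the post; frame 25 is constructed.
SAMPLE = [
    Segment(16, "00:30:48:2a:57:69", "00:50:5a:73:3e:01", "165.115.62.75", "216.240.70.39", 443, 1131, 1072, 536),
    Segment(19, "00:a0:8e:77:e6:19", "00:a0:8e:77:a5:75", "165.115.62.75", "216.240.70.39", 443, 1131, 1072, 536),
    Segment(25, "00:30:48:2a:57:69", "00:50:5a:73:3e:01", "165.115.62.75", "216.240.70.39", 443, 1131, 1072, 536),
]

if __name__ == "__main__":
    for frame, label in classify(SAMPLE).items():
        print(frame, label)
```

The MAC comparison only helps on a capture point that sees both copies with their original link-layer headers; a capture taken past a router rewrites those addresses and the two copies become indistinguishable at this layer.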