Wireshark-users: [Wireshark-users] [RST,ACK] from IE6 on High Latency Connection
From: "Norbert Hoeller" <nhoeller@xxxxxxxx>
Date: Sun, 20 Aug 2006 11:29:39 -0400
I had originally posted this to the ethereal-users forum. I have been going through Chris Saunders' 'Packet School' and noticed that 'Expert Info' flagged packet 7 as 'Malformed HTTP'. This is associated with source port 2911, whereas the first RST by IE6 is on the source port 2912 session. I see no errors on the source port 2912 session traffic.
Although the problem was consistent on the day that I captured the trace, the problem has since disappeared. Since then, I have reset the satellite modem and wireless router a number of times. I have switched to Firefox, so have not noticed if other sites have been failing on IE.
Any help would be greatly appreciated!
Thanks, Norbert
>>>>
I recently switched to a satellite Internet service, where latency is around 700ms. Some (but not all) websites consistently will not display using IE6 (WinXP SP2), with the error "Cannot find server or DNS Error". A few times, the page will actually start to display, but then be replaced by the error screen. However, Firefox will display these pages without a problem.
Tracing the IE6 traffic using Ethereal showed that the error message was erroneous - data transfer was initiated, but apparently reset by IE6. Below is a trace. Focusing on the source port 2912 session (marked with >>>), the server appears to be returning valid data in entry 23, but IE6 responds with a RST,ACK in line 32. IE6 then resets the source port 2911 session in line 35.
A comparable Firefox trace looks similar, with the except that:
* Firefox is sending a much longer cookie on the initial GET, requiring a continuation packet from Firefox to the server
* Firefox returns an ACK to HTTP/1.1 200 OK (JPEG JFIF image) and the server returns the rest of the JPEG
The delay between entry 23 and 32 does not appear to be excessive, and is comparable to the delay in the Firefox trace. I am thoroughly puzzled what might be going on here. I suspect it is a combination of the server and the high latency Internet connection - I have no problems displaying the website using IE6 on dial.
Any help would be greatly appreciated!
Thanks, Norbert
No. Time Source Destination Protocol Info
1 0.000000 10.1.2.123 72.51.25.131 TCP 2911 > http [SYN] Seq=0 Len=0 MSS=1460
2 0.006553 72.51.25.131 10.1.2.123 TCP http > 2911 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1448
3 0.006674 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=1 Ack=1 Win=17376 Len=0
4 0.008925 10.1.2.123 72.51.25.131 HTTP GET / HTTP/1.1
5 0.067278 72.51.25.131 10.1.2.123 TCP http > 2911 [ACK] Seq=1 Ack=282 Win=3815 Len=0
6 2.478983 72.51.25.131 10.1.2.123 HTTP HTTP/1.1 200 OK
7 2.489217 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic[Unreassembled Packet]
8 2.489641 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=1493 Win=15884 Len=0
9 2.489767 10.1.2.123 72.51.25.131 TCP [TCP Window Update] 2911 > http [ACK] Seq=282 Ack=1493 Win=17376 Len=0
10 2.500368 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
11 2.500917 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=2941 Win=17376 Len=0
>>> 12 2.506495 10.1.2.123 72.51.25.131 TCP 2912 > http [SYN] Seq=0 Len=0 MSS=1460
13 2.514335 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
>>> 14 2.514854 72.51.25.131 10.1.2.123 TCP http > 2912 [SYN, ACK] Seq=0 Ack=1 Win=4096 Len=0 MSS=1448
>>> 15 2.514951 10.1.2.123 72.51.25.131 TCP 2912 > http [ACK] Seq=1 Ack=1 Win=17376 Len=0
16 2.515059 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=4389 Win=17376 Len=0
>>> 17 2.518282 10.1.2.123 72.51.25.131 HTTP GET /images/contestbanner_06.jpg HTTP/1.1 (from port 2912)
18 2.525727 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
19 2.526178 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=5837 Win=17376 Len=0
20 2.536842 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
21 2.537338 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=7285 Win=17376 Len=0
>>> 22 2.576766 72.51.25.131 10.1.2.123 TCP http > 2912 [ACK] Seq=1 Ack=350 Win=3747 Len=0
>>> 23 2.684184 72.51.25.131 10.1.2.123 HTTP HTTP/1.1 200 OK (JPEG JFIF image)
24 2.704605 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
25 2.705004 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=8733 Win=17376 Len=0
26 2.740781 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
27 2.741193 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=10181 Win=17376 Len=0
28 2.753169 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
29 2.753542 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=11629 Win=17376 Len=0
30 2.773416 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
31 2.773821 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=13077 Win=17376 Len=0
>>> 32 2.777726 10.1.2.123 72.51.25.131 TCP 2912 > http [RST, ACK] Seq=350 Ack=1217 Win=0 Len=0
33 2.780250 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
34 2.780623 10.1.2.123 72.51.25.131 TCP 2911 > http [ACK] Seq=282 Ack=14525 Win=17376 Len=0
35 2.782539 10.1.2.123 72.51.25.131 TCP 2911 > http [RST, ACK] Seq=282 Ack=14525 Win=0 Len=0
36 2.788611 72.51.25.131 10.1.2.123 HTTP Continuation or non-HTTP traffic
- Prev by Date: Re: [Wireshark-users] [Ethereal-users] Re: Export to ASCII doesn't work
- Next by Date: Re: [Wireshark-users] [Ethereal-users] Protocol Forcing on ethereal
- Previous by thread: Re: [Wireshark-users] [Ethereal-users] Re: Export to ASCII doesn't work
- Next by thread: Re: [Wireshark-users] [Ethereal-users] Protocol Forcing on ethereal
- Index(es):