Dear EL:
I have seen this many times associated with a particular web server on our
network, but I also suspect it's happening on some others in our network. I
can tell you that I have confirmed the information RealSecure Engine is
reporting is correct. We have put a NAI (NGC) Sniffer on the network and
confirmed that during certain sessions, not all, just before the session
ends, the Acknowledgement sequence number from the remote host within a
single packet has three separate "Ack sequence numbers". According to the
Sniffer "help function", it is possibly a host misconfiguration with a
"circuit" or "session" timer used to track the session "ack", or in some
circumstances this is done deliberately to maintain an open session and
used as a "keepalive" packet. While it might be deliberate, it may not.
We are currently investigating a possible cause: malicious intent or
misconfiguration.
SUMMARY Delta T Destination Source Summary
3496 0.14155 Local Host [Remote Host] TCP D=80 S=62240 ACK=2067456389 WIN=8760
DLC: ----- DLC Header -----
DLC:
DLC: Frame 3496 arrived at 17:19:27.1187; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Local Host
DLC: Source = Station Router
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 39949
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 235 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A1CE (correct)
IP: Source address = [Remote Host]
IP: Destination address = [Local Host],
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 62240
TCP: Destination port = 80 (WWW-HTTP)
TCP: Sequence number = 3680951464
TCP: Acknowledgment number = 2067456389
TCP: Data offset = 20 bytes
TCP: Flags = 10
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = 3368 (correct)
Sniffer Network Analyzer data from 19-Apr-00 at 15:28:46, file
C:\ENCAP\WEB99_2.ENC, Page 10
TCP: No TCP options
TCP:
- - - - - - - - - - - - - - - - Frame 3497 - - - - - - - - - - - - - - - - -
SUMMARY Delta T Destination Source Summary
3497 0.00320 Local Host [Remote Host] Ack number decreasing TCP D=80 S=62240 ACK=2067456001 WIN=8760
DLC: ----- DLC Header -----
DLC:
DLC: Frame 3497 arrived at 17:19:27.1219; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Local Host
DLC: Source = Station Router
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 39948
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 235 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A1CF (correct)
IP: Source address = [Remote Host]
IP: Destination address = [Local Host],
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 62240
TCP: Destination port = 80 (WWW-HTTP)
TCP: Sequence number = 3680951464
TCP: Acknowledgment number = 2067456001
TCP: Data offset = 20 bytes
TCP: Flags = 10
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = 34EC (correct)
TCP: No TCP options
TCP:
- - - - - - - - - - - - - - - - Frame 3505 - - - - - - - - - - - - - - - - -
SUMMARY Delta T Destination Source Summary
3505 0.09195 Local Host [Remote Host] TCP D=80 S=62240 FIN ACK=2067456389 SEQ=3680951464 LEN=0 WIN=8760
DLC: ----- DLC Header -----
DLC:
DLC: Frame 3505 arrived at 17:19:27.2138; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Local Host
DLC: Source = Station Router
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 39953
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 235 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A1CA (correct)
IP: Source address = [Remote Host]
IP: Destination address = [Local Host],
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 62240
TCP: Destination port = 80 (WWW-HTTP)
TCP: Sequence number = 3680951464
TCP: Acknowledgment number = 2067456389
TCP: Data offset = 20 bytes
TCP: Flags = 11
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...1 = FIN
TCP: Window = 8760
TCP: Checksum = 3367 (correct)
TCP: No TCP options
TCP:
- - - - - - - - - - - - - - - - Frame 3506 - - - - - - - - - - - - - - - - -
SUMMARY Delta T Destination Source Summary
3506 0.00019 Local Host [Remote Host] TCP D=62240 S=80 FIN ACK=3680951465 SEQ=2067456389 LEN=0 WIN=32768
DLC: ----- DLC Header -----
DLC:
DLC: Frame 3506 arrived at 17:19:27.2140; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Router
DLC: Source = Station Local Host
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 7892
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 64 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = CA08 (correct)
IP: Source address = [Local Host],
IP: Destination address = [Remote Host]
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 80 (WWW-HTTP)
TCP: Destination port = 62240
TCP: Sequence number = 2067456389
TCP: Acknowledgment number = 3680951465
TCP: Data offset = 20 bytes
TCP: Flags = 11
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...1 = FIN
TCP: Window = 32768
TCP: Checksum = D59D (correct)
TCP: No TCP options
TCP:
- - - - - - - - - - - - - - - - Frame 3507 - - - - - - - - - - - - - - - - -
SUMMARY Delta T Destination Source Summary
3507 0.13791 Local Host [Remote Host] TCP D=80 S=62240 ACK=2067456390 WIN=8760
DLC: ----- DLC Header -----
DLC:
DLC: Frame 3507 arrived at 17:19:27.3519; frame size is 60 (003C hex) bytes.
DLC: Destination = Station Local Host
DLC: Source = Station Router
DLC: Ethertype = 0800 (IP)
DLC:
IP: ----- IP Header -----
IP:
IP: Version = 4, header length = 20 bytes
IP: Type of service = 00
IP: 000. .... = routine
IP: ...0 .... = normal delay
IP: .... 0... = normal throughput
IP: .... .0.. = normal reliability
IP: Total length = 40 bytes
IP: Identification = 39954
IP: Flags = 4X
IP: .1.. .... = don't fragment
IP: ..0. .... = last fragment
IP: Fragment offset = 0 bytes
IP: Time to live = 235 seconds/hops
IP: Protocol = 6 (TCP)
IP: Header checksum = A1C9 (correct)
IP: Source address = [Remote Host]
IP: Destination address = [Local Host],
IP: No options
IP:
TCP: ----- TCP header -----
TCP:
TCP: Source port = 62240
TCP: Destination port = 80 (WWW-HTTP)
TCP: Sequence number = 3680951465
TCP: Acknowledgment number = 2067456390
TCP: Data offset = 20 bytes
TCP: Flags = 10
TCP: ..0. .... = (No urgent pointer)
TCP: ...1 .... = Acknowledgment
TCP: .... 0... = (No push)
TCP: .... .0.. = (No reset)
TCP: .... ..0. = (No SYN)
TCP: .... ...0 = (No FIN)
TCP: Window = 8760
TCP: Checksum = 3366 (correct)
TCP: No TCP options
TCP:
Regards,
Jeff Garofola
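The "Ack number decreasing" condition the Sniffer raised on frame 3497 can be reproduced with simple per-flow tracking of the acknowledgment number; the script below is an added example, not from the post or the Sniffer product, using the ACK and sequence values transcribed from the trace above with placeholder host names. It compares ACKs in 32-bit sequence space so that a legitimate wraparound past 2^32 is not reported as a regression.

```python
# Added example: flag TCP frames whose ACK number moves backwards on the
# same unidirectional flow, the condition the Sniffer marked on frame 3497.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 1 << 32   # TCP sequence/ack numbers live in a 32-bit space
HALF = 1 << 31


@dataclass
class Frame:
    num: int
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str


# Constructed from the trace in the post (frames 3496-3507); host names are
# placeholders, ports/seq/ack values are the ones printed by the Sniffer.
TRACE: List[Frame] = [
    Frame(3496, "Remote", 62240, "Local", 80, 3680951464, 2067456389, "A"),
    Frame(3497, "Remote", 62240, "Local", 80, 3680951464, 2067456001, "A"),
    Frame(3505, "Remote", 62240, "Local", 80, 3680951464, 2067456389, "FA"),
    Frame(3506, "Local", 80, "Remote", 62240, 2067456389, 3680951465, "FA"),
    Frame(3507, "Remote", 62240, "Local", 80, 3680951465, 2067456390, "A"),
]


def seq_delta(new: int, old: int) -> int:
    """Signed distance new-old modulo 2^32, so wraparound is not a decrease."""
    d = (new - old) % SEQ_MOD
    return d - SEQ_MOD if d >= HALF else d


def find_ack_regressions(frames: List[Frame]) -> List[Tuple[int, int, int, int]]:
    """Return (frame, previous ack, this ack, delta) for each backward ACK.

    Flows are keyed per direction, so the server's FIN/ACK (frame 3506)
    is tracked separately from the client's packets."""
    last_ack: Dict[Tuple[str, int, str, int], int] = {}
    hits = []
    for f in frames:
        key = (f.src, f.sport, f.dst, f.dport)
        if key in last_ack:
            d = seq_delta(f.ack, last_ack[key])
            if d < 0:
                hits.append((f.num, last_ack[key], f.ack, d))
        last_ack[key] = f.ack
    return hits


if __name__ == "__main__":
    for num, prev, cur, d in find_ack_regressions(TRACE):
        print(f"frame {num}: ack went from {prev} to {cur} ({d})")
```

Frame 3505, which returns the ACK to 2067456389, is not flagged because it moves forward relative to frame 3497; only the dip in frame 3497 is reported.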