One obvious error that I can see in the reply TCP segment is:

    th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));

You need to acknowledge just the TCP payload, which is
{ send seq + iphdr->total_length - (IP header len) - (TCP header len) }.

On Wed, Aug 15, 2018 at 7:47 PM, Konstantinos Schoinas <ece8...@upnet.gr> wrote:
> On 2018-08-15 12:22, Konstantinos Schoinas wrote:
>
>> -------- Original message --------
>> Subject: Sequence Number
>> Date: 2018-08-15 12:21
>> From: Konstantinos Schoinas <ece8...@upnet.gr>
>> To: users <users-boun...@dpdk.org>
>>
>> Hello,
>>
>> I am building an application that blocks a TLS session if I find a specific
>> forbidden Server Name Indication.
>> According to the RFC I must make a response with Fatal Error (2)
>> unrecognized name (112).
>>
>> When I receive the Client Hello, and after I extract the SNI and check
>> it against a black list, I process the Client Hello in order to
>> respond to the client and terminate the session.
>>
>> I am getting a lot of retransmitted packets in Wireshark, though, so I
>> suppose I am doing something wrong.
>>
>> I think I might have the seq and ack numbers wrong or something. If anyone
>> could help I would appreciate it.
>>
>> Here is the processing of the packet after I check for the forbidden SNI:
>>
>>     uint32_t client_receive_ack = ntohl(th->recv_ack);
>>     uint32_t client_send_seq = ntohl(th->sent_seq);
>>
>>     th->sent_seq = th->recv_ack;
>>     th->recv_ack = htonl(client_send_seq + ntohs(iphdr->total_length));
>>
>>     uint16_t l = ntohs(ssl->length) - 0x02;
>>     uint16_t ip_l = ntohs(iphdr->total_length) - l;
>>
>>     rte_pktmbuf_trim(m, l);
>>     iphdr->total_length = htons(ip_l);
>>     ssl->length = htons(2);
>>
>>     alert = (struct Alert *)((uint8_t *)ssl + 5);
>>
>>     iphdr->src_addr = dst_ip;
>>     iphdr->dst_addr = src_ip;
>>     th->src_port = dst_port;
>>     th->dst_port = src_port;
>>     ssl->type = 21;            // alert message
>>     alert->type = 2;           // fatal error
>>     alert->description = 112;  // Unrecognized name
>>
>>     iphdr->hdr_checksum = 0;
>>     th->cksum = 0;
>>     iphdr->hdr_checksum = rte_ipv4_cksum(iphdr);
>>     th->cksum = rte_ipv4_udptcp_cksum(iphdr, th);
>>
>> Thanks for your time
>
> I wanted to give some more information on the subject. I am adding a
> picture of Wireshark to the mail to give more info. The problem with the
> retransmitted packets is that it doesn't end the TLS session even though I am
> sending a fatal-error alert with DPDK.
>
> I believe that I do something wrong with the processing of the Client Hello, so it
> doesn't have the right format in order to get recognized by the client and
> end the TLS session.
>
> If you see my code above, I change the source and dest IP and port, and the seq and
> ack values. In addition I am cutting from the SSL record the data that it had and
> I am adding the alert message according to the RFC.
>
> Is there any field I must change according to DPDK?
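As an added, stand-alone C example (not code from the thread and not DPDK's own), the program below puts the reply's acknowledgement formula next to the one from the quoted code, and builds the 7-byte TLS alert record the original poster is trying to send. The header structs (ex_ipv4_hdr, ex_tcp_hdr), the sample packet values and all function names are constructed for this example; they mirror the field names of DPDK's ipv4_hdr/tcp_hdr used in the quoted code but are plain portable C so that the arithmetic can be checked without a DPDK build. A second sample adds IP and TCP options to show why the header lengths have to be read from the headers rather than assumed to be 20 bytes each.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>   /* ntohs/ntohl/htons/htonl */

/* Header layouts constructed for this example; the field names follow the
 * quoted code (DPDK's ipv4_hdr / tcp_hdr) but these are not DPDK types. */
struct ex_ipv4_hdr {
    uint8_t  version_ihl;     /* low nibble: IP header length in 32-bit words */
    uint8_t  type_of_service;
    uint16_t total_length;    /* IP header + TCP header + payload, network order */
    uint16_t packet_id;
    uint16_t fragment_offset;
    uint8_t  time_to_live;
    uint8_t  next_proto_id;
    uint16_t hdr_checksum;
    uint32_t src_addr;
    uint32_t dst_addr;
};

struct ex_tcp_hdr {
    uint16_t src_port;
    uint16_t dst_port;
    uint32_t sent_seq;
    uint32_t recv_ack;
    uint8_t  data_off;        /* high nibble: TCP header length in 32-bit words */
    uint8_t  tcp_flags;
    uint16_t rx_win;
    uint16_t cksum;
    uint16_t tcp_urp;
};

/* TCP payload length = total_length - IP header length - TCP header length.
 * Returns -1 when the length fields are inconsistent (malformed or truncated). */
int tcp_payload_len(const struct ex_ipv4_hdr *ip, const struct ex_tcp_hdr *tcp)
{
    unsigned ip_hlen  = (ip->version_ihl & 0x0f) * 4u;
    unsigned tcp_hlen = (tcp->data_off >> 4) * 4u;
    unsigned total    = ntohs(ip->total_length);

    if (ip_hlen < 20 || tcp_hlen < 20 || total < ip_hlen + tcp_hlen)
        return -1;
    return (int)(total - ip_hlen - tcp_hlen);
}

/* Formula from the quoted code: acknowledges the whole IP datagram, i.e.
 * over-acknowledges by the size of the IP and TCP headers. */
uint32_t ack_as_posted(const struct ex_ipv4_hdr *ip, const struct ex_tcp_hdr *tcp)
{
    return ntohl(tcp->sent_seq) + ntohs(ip->total_length);
}

/* Formula from the reply: client seq + TCP payload bytes only.
 * Returns 0 on a malformed packet, which a caller should drop rather than answer. */
uint32_t ack_correct(const struct ex_ipv4_hdr *ip, const struct ex_tcp_hdr *tcp)
{
    int plen = tcp_payload_len(ip, tcp);
    return plen < 0 ? 0 : ntohl(tcp->sent_seq) + (uint32_t)plen;
}

/* TLS record carrying a fatal unrecognized_name alert (RFC 5246 / RFC 6066):
 * content type 21, record version, length 2, level 2, description 112.
 * Writes 7 bytes to out and returns that length. */
size_t build_tls_alert(uint8_t out[7], uint8_t ver_major, uint8_t ver_minor)
{
    out[0] = 21;          /* ContentType alert */
    out[1] = ver_major;   /* record version, taken from the ClientHello record */
    out[2] = ver_minor;
    out[3] = 0;           /* length = 2, big-endian */
    out[4] = 2;
    out[5] = 2;           /* AlertLevel fatal */
    out[6] = 112;         /* AlertDescription unrecognized_name */
    return 7;
}

/* Constructed sample: seq 1000, 100-byte payload, header sizes as parameters. */
#define SAMPLE_SEQ     1000u
#define SAMPLE_PAYLOAD 100u

static void make_sample(struct ex_ipv4_hdr *ip, struct ex_tcp_hdr *tcp,
                        unsigned ip_hlen, unsigned tcp_hlen)
{
    memset(ip, 0, sizeof *ip);
    memset(tcp, 0, sizeof *tcp);
    ip->version_ihl  = (uint8_t)(0x40 | (ip_hlen / 4));
    ip->total_length = htons((uint16_t)(ip_hlen + tcp_hlen + SAMPLE_PAYLOAD));
    tcp->data_off    = (uint8_t)((tcp_hlen / 4) << 4);
    tcp->sent_seq    = htonl(SAMPLE_SEQ);
}

/* Both formulas for a packet without options (20 + 20 byte headers) and for one
 * with IP options (24 bytes) and TCP options (32 bytes). */
uint32_t sample_ack_posted(void)       { struct ex_ipv4_hdr ip; struct ex_tcp_hdr tcp; make_sample(&ip, &tcp, 20, 20); return ack_as_posted(&ip, &tcp); }
uint32_t sample_ack_correct(void)      { struct ex_ipv4_hdr ip; struct ex_tcp_hdr tcp; make_sample(&ip, &tcp, 20, 20); return ack_correct(&ip, &tcp); }
uint32_t sample_opts_ack_posted(void)  { struct ex_ipv4_hdr ip; struct ex_tcp_hdr tcp; make_sample(&ip, &tcp, 24, 32); return ack_as_posted(&ip, &tcp); }
uint32_t sample_opts_ack_correct(void) { struct ex_ipv4_hdr ip; struct ex_tcp_hdr tcp; make_sample(&ip, &tcp, 24, 32); return ack_correct(&ip, &tcp); }

/* Byte i of the alert record built for TLS 1.2 (0x03 0x03); 0xff if out of range. */
uint8_t sample_alert_byte(size_t i)
{
    uint8_t rec[7];
    size_t n = build_tls_alert(rec, 0x03, 0x03);
    return i < n ? rec[i] : 0xff;
}

int main(void)
{
    printf("no options:   posted ack %u, correct ack %u\n", sample_ack_posted(), sample_ack_correct());
    printf("with options: posted ack %u, correct ack %u\n", sample_opts_ack_posted(), sample_opts_ack_correct());
    return 0;
}
```

With a 100-byte payload starting at sequence 1000 the correct acknowledgement is 1100 in both samples, while the posted formula yields 1140 without options and 1156 with them. A peer that receives an ACK beyond the data it has sent treats it as unacceptable and keeps retransmitting, which matches the Wireshark symptom in the thread; the trimmed record in the reply direction must also have its own length fields (ssl->length and iphdr->total_length) consistent with the 7 bytes actually sent, as the quoted code already does.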