Category Archives: tcp-ip

IP Identification why zero?

I must say that network troubleshooting is not an easy task, especially if you need to analyze thousands of packets in packet captures or lines of flow traces. IP ID is the field I use most of the time to compare captures taken at different segments. It is also a crucial field for me when finding the right packet in a flow trace. I didn’t know that this field could be zero until I noticed it in a flow trace. The following captured packet is a SYN-ACK segment from a Linux box.

The Identification field is 0. If you have multiple SYN-ACKs from the same source, their Seq and Ack numbers will also be the same, which means you have literally no way to tell the two packets apart other than by timing. I have searched for a way to disable this zero ID behaviour in Linux so that the field is unique, but there doesn’t seem to be one. While searching the documentation for the reason behind this zero ID, I found a very recent RFC, Updated Specification of the IPv4 ID Field. Here is the text from this RFC that I really didn’t like:

The RFC doesn’t enforce anything about the value and states that the originating source MAY set the field of atomic datagrams to any value. The RFC also touches on the performance impact of keeping the ID field unique for a given source/destination pair.
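To make the "atomic datagram" condition concrete, here is an added example (my own code, not from the post) that decodes the relevant IPv4 header fields, applies the RFC 6864 atomic test (DF set, MF clear, offset zero) and shows why two such SYN-ACKs with ID 0 collapse onto the same key when you try to correlate captures by ID. The 20-byte header and its addresses are constructed sample values; only the ID-is-zero, DF-set layout is modelled on the packet described above.

```python
import struct
from collections import Counter

# Constructed 20-byte IPv4 header modelled on the SYN-ACK described above:
# Identification = 0, DF set, MF clear, fragment offset 0. Addresses and the
# checksum are made-up sample values, not taken from the post.
SAMPLE_IPV4_HEADER = bytes.fromhex(
    "4500003c"   # version 4, IHL 5 (20 bytes), DSCP/ECN 0, total length 60
    "00004000"   # identification 0x0000, flags = DF (0x4000), fragment offset 0
    "4006"       # TTL 64, protocol 6 (TCP)
    "0000"       # header checksum (placeholder, not validated here)
    "c0a80101"   # source 192.168.1.1 (constructed)
    "c0a80102"   # destination 192.168.1.2 (constructed)
)


def parse_ipv4_header(data):
    """Decode the header fields that matter for the IP ID discussion into a dict."""
    if len(data) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (ver_ihl, _tos, _total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) * 4 < 20:
        raise ValueError("not an IPv4 header")
    return {
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def is_atomic(hdr):
    """RFC 6864 'atomic' datagram: DF=1, MF=0, offset=0. For these the sender
    MAY put any value in the ID field, so the ID carries no uniqueness promise."""
    return hdr["df"] and not hdr["mf"] and hdr["frag_offset"] == 0


def id_is_usable(hdr):
    """Heuristic for the troubleshooter: the ID is worth using as a correlation
    key when the datagram is non-atomic (reassembly depends on the ID) or when
    it is atomic but the sender still filled in a non-zero value."""
    return (not is_atomic(hdr)) or hdr["id"] != 0


def find_indistinguishable(headers):
    """Count packets per (src, dst, proto, id). Any key seen more than once is a
    set of packets that the IP ID alone cannot tell apart."""
    counts = Counter((h["src"], h["dst"], h["proto"], h["id"]) for h in headers)
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    hdr = parse_ipv4_header(SAMPLE_IPV4_HEADER)
    print(hdr, "atomic:", is_atomic(hdr), "id usable:", id_is_usable(hdr))
    print("collisions:", find_indistinguishable([hdr, hdr]))
```

Feeding two copies of the same SYN-ACK to `find_indistinguishable` reproduces the situation in the post: one key, two packets, nothing but timing left to separate them. Changing the flags to MF=1 with a non-zero ID makes the datagram non-atomic, and the ID becomes meaningful again.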

In my humble opinion, this field should never have a zero value, at least not for me :), and Linux should have a sysctl switch to disable this behaviour.

Especially if you have an IPsec VPN connection and need to take a packet capture, you have almost no way to compare the packet captures. Wouldn’t it be nice to temporarily copy the IP Identification field value into the outer header of an ESP packet, or to have some other way for the troubleshooter to match the clear-text packet with the encrypted one? It would be terrific!

IPsec TCP-MSS, DF-BIT and Fragmentation

In my previous IPsec troubleshooting post, I didn’t talk about how we approach performance issues. This is probably not a JNCIE-SEC topic, but it is a very important one for real networks.


In this topology I will examine how throughput between the two endpoints of an IPsec tunnel changes depending on the tunnel’s configuration.

Change 1) Setting DF-BIT to copy

An IPsec tunnel between J23 and J41 is established and no extra configuration is done. I initiate a huge 1.6GB file download via HTTP

Port Scanner in Python

Python is a great tool for socket operations. I have written a piece of code with which I can scan a port range.
It is very basic and is missing a bunch of checks, since the aim here is simplicity.

You can run the script in the following way to scan ports between 1 and 1024:
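The post’s own script is not reproduced here, so the following is an added example of my own showing the same idea: a TCP connect scan over a port range, the kind of check used to verify that a host you administer exposes only the ports its baseline allows. Names such as `port_is_open`, `scan_range` and `demo_local_scan` are mine, and the self-test opens its own listener on loopback so the whole thing runs offline.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def port_is_open(host, port, timeout=0.5):
    """TCP connect scan of one port: True only if the three-way handshake completes.
    A closed port answers with RST (connect_ex returns ECONNREFUSED); a filtered
    port normally just times out. Both cases count as 'not open'."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    except OSError:           # e.g. name resolution failure or unreachable network
        return False


def scan_range(host, first, last, timeout=0.5, workers=64):
    """Scan ports first..last inclusive in parallel and return the sorted open ports."""
    ports = range(first, last + 1)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports)
        return sorted(p for p, is_open in results if is_open)


def demo_local_scan():
    """Self-contained run: bind one listener on loopback to an OS-chosen port, scan a
    small window around it, then close the listener. Returns (chosen_port, open_ports)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0 lets the OS pick a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = scan_range("127.0.0.1", max(1, port - 3), min(65535, port + 3))
    finally:
        listener.close()
    return port, found


if __name__ == "__main__":
    # Usage: python scan.py HOST FIRST LAST   (e.g. python scan.py 127.0.0.1 1 1024)
    if len(sys.argv) == 4:
        print("open:", scan_range(sys.argv[1], int(sys.argv[2]), int(sys.argv[3])))
    else:
        port, found = demo_local_scan()
        print(f"listener on {port}; scan reported open: {found}")
```

The thread pool is what makes a 1-1024 sweep tolerable when most ports are filtered and each probe has to wait for its timeout; on loopback, where closed ports answer with an immediate RST, the sweep finishes almost instantly.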


When to Send an ACK Segment

During one of my experimental studies I noticed a pattern in the frequency of TCP ACKs: ACK segments are sent after every second TCP segment is received. I kept asking why 2 and not 3 or 1. Then I found the answer in RFC 1122, “Requirements for Internet Hosts — Communication Layers”, while looking for information about the delayed ACK concept. I am also quoting the related section. If you have asked yourself the same question, this is possibly the reason behind this pattern!

TCP fast retransmission

While analysing the communication between my ESX server and the vSphere client, I encountered the following packet capture. My vSphere client keeps asking for a lost segment with ACK number 1583183 nine times, after which, according to Wireshark’s analysis, TCP Fast Retransmission, one of the ways of handling congestion, is engaged.

When I check RFC 2581, it says:

TCP doesn’t wait for the retransmission timer, but isn’t this quite long to engage fast retransmit? It is 9 duplicate ACKs in total. Maybe some of my duplicate ACKs were also lost? It might be. Anyway, it was good to check the RFC once again for this retransmit incident.
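To show where RFC 2581 would have a sender react, here is an added example (my own detection logic, not from the post) that walks a receiver’s ACK stream, counts duplicate ACKs as the RFC defines them (same ACK number, no payload) and reports the point where the count reaches three. The trace is constructed to mirror the post: ACK 1583183 repeated nine times; the 1 ms spacing and the final cumulative ACK value are assumptions.

```python
DUP_ACK_THRESHOLD = 3   # RFC 2581 section 3.2: fast retransmit on the third duplicate ACK


def is_duplicate_ack(prev, cur):
    """RFC 2581 duplicate ACK: same ACK number as the previous ACK and no payload.
    The RFC additionally requires no window change and no new SACK data; the
    constructed sample below has neither, so those checks are omitted here."""
    return prev is not None and cur["ack"] == prev["ack"] and cur["len"] == 0


def analyse_ack_stream(acks, threshold=DUP_ACK_THRESHOLD):
    """Walk a receiver's ACK stream in order. Report each point at which the
    duplicate-ACK run reaches `threshold` (where a sender should fast retransmit)
    and the longest run seen. acks: list of dicts with keys time_ms, ack, len."""
    triggers, prev, run, longest = [], None, 0, 0
    for cur in acks:
        if is_duplicate_ack(prev, cur):
            run += 1
            if run == threshold:
                triggers.append({"time_ms": cur["time_ms"], "ack": cur["ack"]})
        else:
            run = 0                      # a new ACK number ends the run
        longest = max(longest, run)
        prev = cur
    return {"triggers": triggers, "longest_dup_run": longest}


# Constructed trace modelled on the post: the original ACK 1583183, nine duplicates
# 1 ms apart, then the cumulative ACK once the missing 1460-byte segment arrived.
SAMPLE_ACKS = (
    [{"time_ms": 0, "ack": 1583183, "len": 0}]
    + [{"time_ms": i, "ack": 1583183, "len": 0} for i in range(1, 10)]
    + [{"time_ms": 20, "ack": 1584643, "len": 0}]
)


if __name__ == "__main__":
    result = analyse_ack_stream(SAMPLE_ACKS)
    print("fast-retransmit trigger(s):", result["triggers"])
    print("longest duplicate-ACK run:", result["longest_dup_run"])
```

Running it over the constructed trace flags the third duplicate (at 3 ms) as the RFC trigger point while still counting the full run of nine, which is exactly the gap the post wonders about: the threshold is reached long before the ninth duplicate arrives.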

Analysis of HTTP message #1

In this post I am going to analyse a simple HTTP request and response at the packet level, from the application layer down to the data link layer. I took a sample packet capture by connecting to my web page, which displays only “Hello World!”, on an Apache web server. There are 10 Ethernet frames captured, and I will examine each frame, referencing the time value in each row. Below is the list of packets in order. Let’s start analyzing each:

1) 0.000000 TCP connection request (SYN segment)

a) Ethernet header

This is the Ethernet header of our first frame. My PC’s MAC address (a8:d0:e5:b3:99:c1) and the web server’s MAC address (00:0c:29:c0:c6:df) are clearly shown. The header also contains an EtherType field, which indicates the type of the payload in the upper layer. In our example, 0x0800 stands for the IPv4 protocol.
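As an added example (my own code, not from the post), the parser below decodes exactly the three fields discussed above from raw frame bytes: destination MAC, source MAC and EtherType, and goes one step further by stepping over an 802.1Q VLAN tag when one is present, since that is the most common reason a capture’s EtherType is not where you expect it. The sample frame is constructed from the two MAC addresses in the post with a minimal, not fully valid IPv4 header as payload; `build_frame` exists only to construct such samples.

```python
import struct

ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


def mac_to_str(raw):
    """Six raw bytes -> 'aa:bb:cc:dd:ee:ff'."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame):
    """Decode an Ethernet II header: destination MAC, source MAC, EtherType
    (stepping over one 802.1Q VLAN tag if present) and the remaining payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id = 14, None
    if ethertype == 0x8100:                  # 802.1Q tag sits before the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI are the VLAN ID
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPE_NAMES.get(ethertype, "unknown"),
        "vlan_id": vlan_id,
        "payload": frame[offset:],
    }


def build_frame(dst_mac, src_mac, ethertype, payload, vlan_id=None):
    """Inverse of parse_ethernet; used here only to construct sample frames."""
    hdr = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", 0x8100, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed SYN frame from the PC to the web server, using the two MAC addresses
# from the post. The payload is a minimal IPv4 header start (version 4, IHL 5,
# total length 60) with the rest zeroed; it is a placeholder, not a valid packet.
SAMPLE_PAYLOAD = b"\x45\x00\x00\x3c" + bytes(16)
SAMPLE_FRAME = build_frame("00:0c:29:c0:c6:df", "a8:d0:e5:b3:99:c1", 0x0800, SAMPLE_PAYLOAD)


if __name__ == "__main__":
    hdr = parse_ethernet(SAMPLE_FRAME)
    print(f"{hdr['src']} -> {hdr['dst']}  EtherType 0x{hdr['ethertype']:04x} ({hdr['ethertype_name']})")
```

For the first frame of the capture the decoded source is the PC, the destination is the web server, and the EtherType 0x0800 tells the parser to hand the payload to an IPv4 decoder next.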
