Why does listening server not return SYN/ACK when recieved SYN to TIME_WAIT socket?
Issue
Why does listening server not return SYN/ACK when recieved SYN to TIME_WAIT socket?
- Http server: 192.168.122.1 didn not return a SYN/ACK packet at 15:53:24.751472 in the following tcpdump. Why?
$ tcpdump -S -r http.cap port 40353
reading from file http.cap, link-type EN10MB (Ethernet)
15:53:04.259829 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [S], seq 2518290022, win 5840, options [mss 1460,sackOK,TS val 901255426 ecr 0,nop,wscale 2], length 0
15:53:04.259843 IP 192.168.122.1.http > 192.168.122.2.40353: Flags [S.], seq 927258300, ack 2518290023, win 5792, options [mss 1460,sackOK,TS val 394573207 ecr 901255426,nop,wscale 2], length 0
15:53:04.260032 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [.], ack 927258301, win 1460, options [nop,nop,TS val 901255427 ecr 394573207], length 0
15:53:04.260121 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [P.], seq 2518290023:2518290430, ack 927258301, win 1460, options [nop,nop,TS val 901255427 ecr 394573207], length 407
15:53:04.260131 IP 192.168.122.1.http > 192.168.122.2.40353: Flags [.], ack 2518290430, win 1716, options [nop,nop,TS val 394573207 ecr 901255427], length 0
15:53:04.260207 IP 192.168.122.1.http > 192.168.122.2.40353: Flags [P.], seq 927258301:927258680, ack 2518290430, win 1716, options [nop,nop,TS val 394573207 ecr 901255427], length 379
15:53:04.260236 IP 192.168.122.1.http > 192.168.122.2.40353: Flags [F.], seq 927258680, ack 2518290430, win 1716, options [nop,nop,TS val 394573207 ecr 901255427], length 0
15:53:04.260462 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [.], ack 927258680, win 1728, options [nop,nop,TS val 901255427 ecr 394573207], length 0
15:53:04.260511 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [F.], seq 2518290430, ack 927258681, win 1728, options [nop,nop,TS val 901255427 ecr 394573207], length 0
15:53:04.260521 IP 192.168.122.1.http > 192.168.122.2.40353: Flags [.], ack 2518290431, win 1716, options [nop,nop,TS val 394573208 ecr 901255427], length 0
15:53:24.751461 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [S], seq 3294045866, win 5840, options [mss 1460,sackOK,TS val 3992346020 ecr 0,nop,wscale 7], length 0
15:53:24.751472 IP 192.168.122.1.http > 192.168.122.2.40353: Flags [.], ack 2518290431, win 1716, options [nop,nop,TS val 394593698 ecr 901255427], length 0
15:53:24.751744 IP 192.168.122.2.40353 > 192.168.122.1.http: Flags [R], seq 2518290431, win 0, length 0
There must have been LISTEN and TIME_WAIT sockets on http server: 192.168.122.1 at 15:53:04.260521 as follows.
# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 :::80 :::* LISTEN 7363/httpd
tcp 0 0 192.168.122.1:80 192.168.122.1:40353 TIME_WAIT -
...skip
After the client sent a SYN packet at 15:53:24.751461, the http server returned a ACK packet for a FIN packet of the previous session, instead of sending a SYN/ACK at 15:53:24.751472. So the client sent a RST packet at 15:53:24.751744.
Environment
- Red Hat Enterprise Linux
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.